Merge pull request Azure#10150 from Azure/Fix-Fortinet-Fortigate-Filter
Fix Fortinet Fortigate Filter Issue
anki-narravula authored Mar 14, 2024
2 parents ab3a987 + 2c970a2 commit 7d954e5
Showing 14 changed files with 343 additions and 7 deletions.
2 changes: 1 addition & 1 deletion Parsers/ASimDns/ARM/ASimDns/ASimDns.json
Expand Up @@ -35,7 +35,7 @@
"displayName": "DNS activity ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimDns",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty\n , ASimDnsCiscoUmbrella (imDnsBuiltInDisabled or ('ExcludeASimDnsCiscoUmbrella' in (DisabledParsers) ))\n , ASimDnsInfobloxNIOS (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxNIOS' in (DisabledParsers) ))\n , ASimDnsMicrosoftOMS (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftOMS' in (DisabledParsers) ))\n , ASimDnsGcp (imDnsBuiltInDisabled or ('ExcludeASimDnsDnsGcp' in (DisabledParsers) ))\n , ASimDnsCorelightZeek (imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) ))\n , ASimDnsMicrosoftSysmon (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmon' in (DisabledParsers) ))\n , ASimDnsAzureFirewall (imDnsBuiltInDisabled or ('ExcludeASimASimDnsAzureFirewall' in (DisabledParsers) ))\n , ASimDnsMicrosoftNXlog (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftNXlog' in (DisabledParsers) ))\n , ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) ))\n , ASimDnsNative (imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) ))\n , ASimDnsVectraAI (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers)))",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeASimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty,\n ASimDnsAzureFirewall (imDnsBuiltInDisabled or ('ExcludeASimASimDnsAzureFirewall' in (DisabledParsers) )),\n ASimDnsCiscoUmbrella (imDnsBuiltInDisabled or ('ExcludeASimDnsCiscoUmbrella' in (DisabledParsers) )),\n ASimDnsCorelightZeek (imDnsBuiltInDisabled or ('ExcludeASimDnsCorelightZeek' in (DisabledParsers) )),\n ASimDnsFortinetFortiGate (imDnsBuiltInDisabled or ('ExcludeASimDnsFortinetFortiGate' in (DisabledParsers) )),\n ASimDnsGcp (imDnsBuiltInDisabled or ('ExcludeASimDnsDnsGcp' in (DisabledParsers) )),\n ASimDnsInfobloxNIOS (imDnsBuiltInDisabled or ('ExcludeASimDnsInfobloxNIOS' in (DisabledParsers) )),\n ASimDnsMicrosoftNXlog (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftNXlog' in (DisabledParsers) )),\n ASimDnsMicrosoftOMS (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftOMS' in (DisabledParsers) )),\n ASimDnsMicrosoftSysmon (imDnsBuiltInDisabled or ('ExcludeASimDnsMicrosoftSysmon' in (DisabledParsers) )),\n ASimDnsNative (imDnsBuiltInDisabled or ('ExcludeASimDnsNative' in (DisabledParsers) )),\n ASimDnsSentinelOne (imDnsBuiltInDisabled or ('ExcludeASimDnsSentinelOne' in (DisabledParsers) )),\n ASimDnsVectraAI (imDnsBuiltInDisabled or ('ExcludeASimDnsVectraAI' in (DisabledParsers) )),\n ASimDnsZscalerZIA (imDnsBuiltInDisabled or ('ExcludeASimDnsZscalerZIA' in (DisabledParsers) ))",
"version": 1,
"functionParameters": "pack:bool=False"
}
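Review bot: The rewritten union (the second of the two query lines, which I read as the new side) keeps the exclusion key `'ExcludeASimASimDnsAzureFirewall'` for ASimDnsAzureFirewall and `'ExcludeASimDnsDnsGcp'` for ASimDnsGcp, which break the `ExcludeASimDns<Source>` pattern every other entry follows; an operator who adds the expected `ExcludeASimDnsAzureFirewall` or `ExcludeASimDnsGcp` row to the ASimDisabledParsers watchlist would not disable those parsers. Both keys are carried over from the removed line, so this is pre-existing, but since the line is being rewritten it is the moment to align them (`'ExcludeASimDnsAzureFirewall'`, `'ExcludeASimDnsGcp'`), noting that anyone already using the old spellings in their watchlist would need to update. The new line also adds ASimDnsSentinelOne to the union, which the PR title does not mention; presumably intentional, but worth confirming that function ships in the same release.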
@@ -0,0 +1,46 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimDnsFortinetFortiGate",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "DNS activity ASIM parser for Fortinet FortiGate",
"category": "ASIM",
"FunctionAlias": "ASimDnsFortinetFortiGate",
"query": "let Parser = (disabled:bool=false) {\n let DeviceEventClassIDLookup = datatable(EventOriginalSubType:string,EventSubType:string, EventSeverity:string, DvcAction:string, ThreatCategory:string, ThreatField:string)[\n \"54000\", \"request\", \"Informational\", \"\", \"\", \"\",\n \"54200\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54400\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54401\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54600\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"DstIpAddr\",\n \"54601\", \"response\", \"Low\", \"Blocked\", \"Botnet\", \"Domain\",\n \"54800\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54801\", \"response\", \"Low\", \"\", \"\", \"\",\n \"54802\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54803\", \"response\", \"Low\", \"Blocked\", \"\", \"\",\n \"54804\", \"response\", \"Informational\", \"\", \"\", \"\",\n \"54805\", \"response\", \"Informational\", \"\", \"\", \"\",\n ];\n let EventOriginalResultDetailsLookup = datatable(EventOriginalResultDetails:string, EventResultDetails:string, EventResult:string)[\n \"\", \"NOERROR\", \"Success\",\n \"0\", \"NOERROR\", \"Success\",\n \"1\", \"FORMERR\", \"Failure\",\n \"2\", \"SERVFAIL\", \"Failure\",\n \"3\", \"NXDOMAIN\", \"Failure\",\n \"4\", \"NOTIMP\", \"Failure\",\n \"5\", \"REFUSED\", \"Failure\",\n \"6\", \"YXDOMAIN\", \"Failure\",\n \"7\", \"YXRRSET\", \"Failure\",\n \"8\", \"NXRRSET\", \"Failure\",\n \"9\", \"NOTAUTH\", \"Failure\",\n \"10\", \"NOTZONE\", \"Failure\",\n \"11\", \"DSOTYPENI\", \"Failure\",\n \"16\", \"BADVERS\", \"Failure\",\n \"16\", \"BADSIG\", \"Failure\",\n \"17\", \"BADKEY\", \"Failure\",\n \"18\", \"BADTIME\", \"Failure\",\n \"19\", \"BADMODE\", \"Failure\",\n \"20\", \"BADNAME\", \"Failure\",\n \"21\", \"BADALG\", \"Failure\",\n \"22\", \"BADTRUNC\", \"Failure\",\n \"23\", \"BADCOOKIE\", \"Failure\"\n ];\n let DnsQueryTypeLookup = datatable(DnsQueryType:int, DnsQueryTypeName:string)[\n 0, 
\"Reserved\",\n 1, \"A\",\n 2, \"NS\",\n 3, \"MD\",\n 4, \"MF\",\n 5, \"CNAME\",\n 6, \"SOA\",\n 7, \"MB\",\n 8, \"MG\",\n 9, \"MR\",\n 10, \"NULL\",\n 11, \"WKS\",\n 12, \"PTR\",\n 13, \"HINFO\",\n 14, \"MINFO\",\n 15, \"MX\",\n 16, \"TXT\",\n 17, \"RP\",\n 18, \"AFSDB\",\n 19, \"X25\",\n 20, \"ISDN\",\n 21, \"RT\",\n 22, \"NSAP\",\n 23, \"NSAP-PTR\",\n 24, \"SIG\",\n 25, \"KEY\",\n 26, \"PX\",\n 27, \"GPOS\",\n 28, \"AAAA\",\n 29, \"LOC\",\n 30, \"NXT\",\n 31, \"EID\",\n 32, \"NIMLOC\",\n 33, \"SRV\",\n 34, \"ATMA\",\n 35, \"NAPTR\",\n 36, \"KX\",\n 37, \"CERT\",\n 38, \"A6\",\n 39, \"DNAME\",\n 40, \"SINK\",\n 41, \"OPT\",\n 42, \"APL\",\n 43, \"DS\",\n 44, \"SSHFP\",\n 45, \"IPSECKEY\",\n 46, \"RRSIG\",\n 47, \"NSEC\",\n 48, \"DNSKEY\",\n 49, \"DHCID\",\n 50, \"NSEC3\",\n 51, \"NSEC3PARAM\",\n 52, \"TLSA\",\n 53, \"SMIMEA\",\n 55, \"HIP\",\n 56, \"NINFO\",\n 57, \"RKEY\",\n 58, \"TALINK\",\n 59, \"CDS\",\n 60, \"CDNSKEY\",\n 61, \"OPENPGPKEY\",\n 62, \"CSYNC\",\n 63, \"ZONEMD\",\n 64, \"SVCB\",\n 65, \"HTTPS\",\n 99, \"SPF\",\n 100, \"UINFO\",\n 101, \"UID\",\n 102, \"GID\",\n 103, \"UNSPEC\",\n 104, \"NID\",\n 105, \"L32\",\n 106, \"L64\",\n 107, \"LP\",\n 108, \"EUI48\",\n 109, \"EUI64\",\n 249, \"TKEY\",\n 250, \"TSIG\",\n 251, \"IXFR\",\n 252, \"AXFR\",\n 253, \"MAILB\",\n 254, \"MAILA\",\n 255, \"*\",\n 256, \"URI\",\n 257, \"CAA\",\n 258, \"AVC\",\n 259, \"DOA\",\n 32768, \"TA\",\n 32769, \"DLV\"\n ];\n CommonSecurityLog\n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and \n DeviceProduct == \"Fortigate\"\n | where DeviceEventClassID in(54000,54200,54400,54401,54600,54601,54800,54801,54802,54803,54804,54805)\n | project TimeGenerated, EventOriginalSubType = DeviceEventClassID, AdditionalExtensions, EventUid = _ItemId, EventOriginalSeverity = LogSeverity, EventProductVersion = DeviceVersion ,Computer, Type, SrcIpAddr = SourceIP, SrcPortNumber = SourcePort, DstIpAddr = DestinationIP, DstPortNumber = DestinationPort, EventMessage = Message, 
NetworkProtocolNumber = Protocol, DvcId = DeviceExternalID, DnsSessionId = ExtID\n | lookup DeviceEventClassIDLookup on EventOriginalSubType\n | parse-kv AdditionalExtensions as (FTNTFGTlogid:string, FTNTFGTsubtype:string, FTNTFGTsrccountry:string, FTNTFGTdstcountry:string,FTNTFGTsrcintfrole:string, FTNTFGTrcode:string, FTNTFGTqname:string, FTNTFGTqtype:string, FTNTFGTxid:string, FTNTFGTqtypeval:int, FTNTFGTqclass:string, FTNTFGTcatdesc:string, FTNTFGTipaddr:string, FTNTFGTunauthuser:string, FTNTFGTuser:string, FTNTFGTbotnetip:string, sessionid:int) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | project-rename \n EventOriginalResultDetails = FTNTFGTrcode,\n EventOriginalUid = FTNTFGTlogid,\n DvcZone = FTNTFGTsrcintfrole,\n EventOriginalType = FTNTFGTsubtype,\n SrcGeoCountry = FTNTFGTsrccountry,\n DstGeoCountry = FTNTFGTdstcountry,\n DnsQuery = FTNTFGTqname,\n DnsQueryTypeName = FTNTFGTqtype,\n TransactionIdHex = FTNTFGTxid,\n DnsQueryClass = FTNTFGTqtypeval,\n DnsQueryClassName = FTNTFGTqclass,\n UrlCategory = FTNTFGTcatdesc,\n DnsResponseName = FTNTFGTipaddr,\n ThreatIpAddr = FTNTFGTbotnetip\n | extend \n DnsQueryTypeName = case(\n DnsQueryTypeName == \"Unknown\",\"\",\n DnsQueryTypeName\n )\n | lookup EventOriginalResultDetailsLookup on EventOriginalResultDetails\n | lookup DnsQueryTypeLookup on DnsQueryTypeName\n | invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n | invoke _ASIM_ResolveNetworkProtocol(\"NetworkProtocolNumber\")\n | extend \n SrcUsername = coalesce(FTNTFGTuser, FTNTFGTunauthuser),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Dvc = DvcHostname,\n DnsResponseCodeName = EventResultDetails,\n EventType = \"Query\",\n EventSchemaVersion = \"0.1.7\",\n EventSchema = \"Dns\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventVendor = \"Fortinet\",\n EventProduct = \"FortiGate\",\n Domain = DnsQuery,\n DomainCategory = UrlCategory,\n SessionId = DnsSessionId\n | extend \n User = 
SrcUsername,\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n SrcUserType = _ASIM_GetUserType(SrcUsername, \"\")\n | project-away FTNTFGTuser, FTNTFGTunauthuser, AdditionalExtensions, Computer, NetworkProtocolNumber\n};\nParser(\n disabled = disabled\n)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
}
]
}
]
}
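Review bot: EventOriginalResultDetailsLookup in the new query lists the key "16" twice (`"16", "BADVERS", "Failure"` and `"16", "BADSIG", "Failure"`); since `lookup` emits one output row per matching right-side row, every event with rcode 16 is duplicated, so one of the two rows should be removed (e.g. keep `"16", "BADVERS", "Failure",` only). The project-rename step maps `FTNTFGTqtypeval` (parsed as int) onto `DnsQueryClass` while `FTNTFGTqclass` goes to `DnsQueryClassName`; qtypeval looks like the numeric query type rather than the class, so it presumably belongs in `DnsQueryType`, which the later `lookup DnsQueryTypeLookup` already derives from the name — confirm against a sample event. The `where DeviceEventClassID in(54000, …)` filter uses integer literals although the same values are string keys in DeviceEventClassIDLookup; if DeviceEventClassID is a string column in CommonSecurityLog, quoting the literals avoids relying on implicit conversion and keeps the two lists consistent. The `DeviceProduct == "Fortigate"` comparison is case-sensitive; if the connector can emit "FortiGate", `=~` would be the safer match.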
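--- a/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/README.md
+++ b/Parsers/ASimDns/ARM/ASimDnsFortinetFortigate/README.md
@@ -0,0 +1,18 @@
+# Fortinet FortiGate ASIM Dns Normalization Parser
+
+ARM template for ASIM Dns schema parser for Fortinet FortiGate.
+
+This ASIM parser supports normalizing Fortinet FortiGate logs ingested in 'CommonSecurityLogs' table produced by the Microsoft Sentinel Fortinet connector to the ASIM DNS normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Dns normalization schema reference](https://aka.ms/ASimDnsDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FASimDnsFortinetFortigate%2FASimDnsFortinetFortigate.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FASimDnsFortinetFortigate%2FASimDnsFortinetFortigate.json)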
