From fd53a78f3ec2d512e597df17b59d1602f792f682 Mon Sep 17 00:00:00 2001
From: Varun Kohli <97222872+vakohl@users.noreply.github.com>
Date: Tue, 12 Nov 2024 15:21:11 +0530
Subject: [PATCH 1/3] Update ASimNetworkSession.yaml

---
 Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
index 176aafd3daf..339a961a9ff 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml
@@ -12,7 +12,6 @@ References:
 Link: https://aka.ms/ASimNetworkSessionDoc
 - Title: ASIM
 Link: https://aka.ms/AboutASIM
-
 Description: |
 This ASIM parser supports normalizing Network Session logs from all supported sources to the ASIM Network Session normalized schema.
 ParserName: ASimNetworkSession
@@ -55,12 +54,10 @@ Parsers:
 - _ASim_NetworkSession_PaloAltoCortexDataLake
 - _ASim_NetworkSession_SonicWallFirewall
 - _ASim_NetworkSession_IllumioSaaSCore
-
 ParserParams:
 - Name: pack
 Type: bool
 Default: false
-
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
 let ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers));
@@ -68,7 +65,6 @@ ParserQuery: | union isfuzzy=true vimNetworkSessionEmpty , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) )) - , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) )) , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) )) , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) )) From 0d4ff0038f147d182201d04135f031a2b0ea3167 Mon Sep 17 00:00:00 2001 From: Varun Kohli <97222872+vakohl@users.noreply.github.com> Date: Tue, 12 Nov 2024 15:23:30 +0530 Subject: [PATCH 2/3] Update ASimAuditEvent.yaml --- Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml index eac7faf071b..2abafc2be82 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml +++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml @@ -59,4 +59,3 @@ ParserQuery: | ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))), ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))), ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers))) - From dc072cf88351d2fbcd53b70e1075427de245bf4b Mon Sep 17 00:00:00 2001 
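Review bot: Removing `, ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))` from the union drops that source from ASimNetworkSession, yet nothing in this patch removes `_ASim_NetworkSession_Microsoft365Defender` from the `Parsers:` list (the tail of that list in the previous hunk is unchanged) and the regenerated FullDeploymentNetworkSession.json in PATCH 3/3 shows only additions, so if the entry is still listed the deployment keeps shipping a source-specific parser that the unifying parser never calls and its events silently vanish from the normalized view; confirm this is intended and retire the list entry in the same change if so. The surviving context line for MD4IoTSensor checks `'ExcludeASimNetworkSessionMD4IoTSSensor'` (double S), which does not match the parser name ASimNetworkSessionMD4IoTSensor, so a watchlist entry spelled after the parser will not disable it; since this block is being edited, change the key to `'ExcludeASimNetworkSessionMD4IoTSensor'`, or accept both spellings if existing watchlists depend on the typo. The ParserQuery block starts and continues outside this hunk.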
From: "github-actions[bot]" <>
Date: Tue, 12 Nov 2024 09:57:42 +0000
Subject: [PATCH 3/3] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

---
 .../ARM/ASimAuditEvent/ASimAuditEvent.json | 2 +-
 .../ASimAuditEventIllumioSaaSCore.json | 46 +++++++++++
 .../ASimAuditEventIllumioSaaSCore/README.md | 18 +++++
 .../ASimAuditEventInfobloxBloxOne.json | 46 +++++++++++
 .../ASimAuditEventInfobloxBloxOne/README.md | 18 +++++
 .../ARM/FullDeploymentAuditEvent.json | 80 +++++++++++++++++++
 .../ARM/imAuditEvent/imAuditEvent.json | 2 +-
 .../vimAuditEventIllumioSaaSCore/README.md | 18 +++++
 .../vimAuditEventIllumioSaaSCore.json | 46 +++++++++++
 .../vimAuditEventInfobloxBloxOne/README.md | 18 +++++
 .../vimAuditEventInfobloxBloxOne.json | 46 +++++++++++
 .../ASimNetworkSession.json | 2 +-
 .../ASimNetworkSessionIllumioSaaSCore.json | 46 +++++++++++
 .../README.md | 18 +++++
 .../ARM/FullDeploymentNetworkSession.json | 40 ++++++++++
 .../imNetworkSession/imNetworkSession.json | 2 +-
 .../README.md | 18 +++++
 .../vimNetworkSessionIllumioSaaSCore.json | 46 +++++++++++
 18 files changed, 508 insertions(+), 4 deletions(-)
 create mode 100644 Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json
 create mode 100644 Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md
 create mode 100644 Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json
 create mode 100644 Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md
 create mode 100644 Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md
 create mode 100644 Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json
 create mode 100644 Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md
 create mode 100644 Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json
 create mode 100644 Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json
 create mode 100644 Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md
 create mode 100644 Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md
 create mode 100644 Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json

diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
index b56305d3f48..50427b95f48 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
@@ -35,7 +35,7 @@ "displayName": "Audit event ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuditEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftSecurityEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftEvent (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventCiscoMerakiSyslog (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or 
('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftSecurityEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n ASimAuditEventMicrosoftEvent (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventCiscoMerakiSyslog (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n 
ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),\n ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),\n ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json new file mode 100644 index 00000000000..93300dbd674 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuditEventIllumioSaaSCore", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Illumio SaaS Core audit events", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n Operation: string,\n ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],\n Object:string,\n EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type\n)\n[\n 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',\n 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',\n 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',\n 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',\n 
'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.deactivate', 'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',\n 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',\n 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',\n 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',\n 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',\n 'agent_support_report_request.delete', 'Agent support report 
request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',\n 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',\n 'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',\n 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',\n 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',\n 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',\n 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',\n 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete',\n 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',\n 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',\n 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',\n 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',\n 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',\n 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',\n 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',\n 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',\n 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',\n 
'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',\n 'container_workload_profile.delete', 'Container workload profile deleted', 'Cloud Resource', 'Container_workload_profile', 'Delete',\n 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',\n 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',\n 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',\n 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',\n 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete',\n 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',\n 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',\n 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',\n 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',\n 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',\n 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',\n 'group.create', 'Group created', 'Other', 'Group', 'Create',\n 'group.update', 'Group updated', 'Other', 'Group', 'Set',\n 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',\n 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',\n 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',\n 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',\n 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',\n 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',\n 
'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',\n 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',\n 'label.create', 'Label created', 'Cloud Resource', 'Label', 'Create',\n 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',\n 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',\n 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',\n 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',\n 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',\n 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete',\n 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',\n 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',\n 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',\n 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',\n 'license.delete', 'License deleted', 'Other', 'License', 'Delete',\n 'license.update', 'License updated', 'Other', 'License', 'Set',\n 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',\n 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',\n 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',\n 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',\n 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',\n 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 
'Login_proxy_msp_tenants', 'Delete',\n 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',\n 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 'Create',\n 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',\n 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',\n 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',\n 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',\n 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete',\n 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',\n 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',\n 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',\n 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',\n 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',\n 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',\n 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',\n 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',\n 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 
'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',\n 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',\n 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',\n 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',\n 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',\n 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',\n 
'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',\n 'org.create', 'Organization created', 'Other', 'Org', 'Create',\n 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',\n 'org.update', 'Organization information updated', 'Other', 'Org', 'Set',\n 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',\n 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',\n 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',\n 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',\n 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',\n 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',\n 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',\n 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',\n 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',\n 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',\n 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',\n 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 
'Other',\n 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',\n 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',\n 'request.internal_server_error', 'API request failed due to internal server error', 'Other', 'Request', 'Other',\n 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',\n 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',\n 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create',\n 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',\n 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',\n 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',\n 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',\n 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',\n 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',\n 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',\n 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',\n 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',\n 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',\n 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',\n 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',\n 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',\n 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',\n 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 
'Create',\n 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',\n 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',\n 'sec_rule.create', 'Security policy rules created', 'Policy Rule', 'Sec_rule', 'Create',\n 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',\n 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',\n 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create',\n 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',\n 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',\n 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',\n 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',\n 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',\n 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',\n 'service.create', 'Service created', 'Other', 'Service', 'Create',\n 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',\n 'service.update', 'Service updated', 'Other', 'Service', 'Set',\n 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',\n 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',\n 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',\n 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',\n 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete',\n 'service_bindings.delete', 'Service bindings deleted', 'Other', 
'Service_bindings', 'Delete',\n 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete',\n 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',\n 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 'Set',\n 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',\n 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',\n 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',\n 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',\n 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',\n 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',\n 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',\n 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',\n 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.delete_expired_service_account_api_keys', 'An expired 
service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',\n 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',\n 'system_task.endpoint_offline_check', 'Endpoint marked offline', 'Other', 'System_task', 'Other',\n 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',\n 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',\n 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',\n 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',\n 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',\n 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',\n 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',\n 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',\n 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',\n 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',\n 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',\n 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',\n 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set', \n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 
'User', 'Other',\n 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set',\n 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',\n 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',\n 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',\n 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',\n 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',\n 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',\n 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',\n 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',\n 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',\n 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',\n 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',\n 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',\n 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',\n 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',\n 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',\n 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',\n 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',\n 
'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',\n 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',\n 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 'Virtual_service', 'Delete',\n 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',\n 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',\n 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',\n 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',\n 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',\n 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',\n 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',\n 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',\n 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',\n 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',\n 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',\n 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',\n 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',\n 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',\n 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',\n 'workload_interface.delete', 'Workload interface deleted', 'Cloud 
Resource', 'Workload_interface', 'Delete',\n 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',\n 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',\n '', 'For example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other',\n 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',\n 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',\n 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'\n];\nlet EventSeverityLookup = datatable(\n severity: string,\n EventSeverity: string\n)\n [\n \"err\", \"High\",\n \"info\", \"Informational\",\n \"warning\", \"Medium\"\n];\nlet EventResultLookup = datatable(\n status: string,\n EventResult: string\n)\n [\n \"success\", \"Success\",\n \"failure\", \"Failure\",\n \"\", \"NA\"\n];\nlet parser = (disabled: bool = false) {\n Illumio_Auditable_Events_CL\n | where not(disabled) and event_type !startswith \"user\" // filter out user auth events \n | lookup EventTypeLookup on 
event_type // fetch Object, ObjectType,EventType, Operation from lookup\n | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup\n | lookup EventResultLookup on status // fetch EventResult from lookup\n | extend\n ActorUsername = case(\n isnotnull(created_by.system), \"System\",\n isnotnull(created_by.user), created_by.user.username,\n isnotnull(created_by.agent), created_by.agent.hostname,\n \"Unknown\"\n )\n | extend ActorUsernameType = \"Simple\",\n temp_resource_changes = parse_json(resource_changes), \n temp_notifications = parse_json(notifications)\n | extend\n NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),\n EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), \n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip),\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime= TimeGenerated,\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n Dvc = pce_fqdn,\n EventType = iff(isnull(EventType), event_type, EventType),\n EventOriginalUid = href,\n EventUid = _ItemId\n //aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Value = NewValue\n | project-away\n temp_*,\n event_type, // used by EventType\n severity, // used by EventSeverity\n resource_changes, // used by NewValue and EventMessage\n notifications,\n version, // simply drop version, no need to translate\n action, //used by src_ip\n status, // used by EventResult\n created_by, // used by ActorUsername and ActorType\n pce_fqdn, // used by Dvc\n href, // used by EventOriginalUid\n TenantId\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file 
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md
new file mode 100644
index 00000000000..251c9c9ac47
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/README.md
@@ -0,0 +1,18 @@
+# Illumio Core ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Illumio Core.
+
+This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventIllumioSaaSCore%2FASimAuditEventIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventIllumioSaaSCore%2FASimAuditEventIllumioSaaSCore.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json
new file mode 100644
index 00000000000..33b5e68cb39
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuditEventInfobloxBloxOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "AuditEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventInfobloxBloxOne", + "query": "let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string) [ \"0\", \"Low\", \"1\", \"Low\", \"2\", \"Low\", \"3\", \"Low\", \"4\", \"Medium\", \"5\", \"Medium\", \"6\", \"Medium\", \"7\", \"High\", \"8\", \"High\", \"9\", \"High\", \"10\", \"High\" ]; let OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string) [ \"CreateSecurityPolicy\", \"Security Policy\", \"Policy Role\", \"UpdateSecurityPolicy\", \"Security Policy\", \"Policy\", \"Create\", \"Network Resource\", \"Service\", \"Update\", \"Network Resource\", \"Service\", \"Restore\", \"Infoblox Resource\", \"Service\", \"CreateOrGetDoHFQDN\", \"DOHFQDN\", \"Service\", \"CreateOrUpdateDfpService\", \"Dfp Service\", \"Service\", \"MoveToRecyclebin\", \"Recyclebin\", \"Other\", 
\"CreateCategoryFilter\", \"Category Filter\", \"Other\", \"GetLookalikeThreatCounts\", \"Lookalike Threat Counts\", \"Other\", \"GetLookalikeDomainCounts\", \"Lookalike Domain Counts\", \"Other\", \"CreateRoamingDeviceGroup\", \"Roaming Device Group\", \"Configuration Atom\", \"UpdatePartialRoamingDeviceGroup\", \"Partial Roaming Device Group\", \"Configuration Atom\" ]; let parser = (disabled:bool=false) { CommonSecurityLog | where not(disabled) and DeviceVendor == \"Infoblox\" and DeviceEventClassID has \"AUDIT\" | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=\";\", kv_delimiter=\"=\") | lookup EventSeverityLookup on LogSeverity | lookup OperationLookup on DeviceAction | invoke _ASIM_ResolveDvcFQDN('CollectorHostName') | project-rename EventResult = EventOutcome, Operation = DeviceAction, ActorUsername = SourceUserName, SrcIpAddr = SourceIP, EventOriginalSeverity = LogSeverity, EventMessage = Message, EventOriginalType = DeviceEventClassID, EventUid = _ItemId | extend Dvc = DvcHostname, EventEndTime = TimeGenerated, EventStartTime = TimeGenerated, EventType = case( Operation has_any (\"update\", \"upsert\"), \"Set\", Operation has \"create\", \"Create\", Operation has \"delete\", \"Delete\", \"Other\" ), Object = iff(isempty(Object), \"Infoblox Network Resource\", Object), ObjectType = iff(isempty(ObjectType), \"Service\", ObjectType), Src = SrcIpAddr, ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"), AdditionalFields = bag_pack( \"InfobloxHTTPReqBody\", InfobloxHTTPReqBody, \"InfobloxHTTPRespBody\", InfobloxHTTPRespBody ), User = ActorUsername, IpAddr = SrcIpAddr, ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) | extend EventCount = toint(1), EventProduct = \"BloxOne\", EventVendor = \"Infoblox\", EventSchema = \"AuditEvent\", EventSchemaVersion = \"0.1\" | project-away Source*, Destination*, Device*, AdditionalExtensions, CommunicationDirection, Protocol, SimplifiedDeviceAction, 
ExternalID, EndTime, FieldDevice*, Flex*, File*, Old*, MaliciousIP*, OriginalLogSeverity, Process*, ReceivedBytes, SentBytes, Remote*, Request*, StartTime, TenantId, ReportReferenceLink, ReceiptTime, Indicator*, _ResourceId, ThreatConfidence, ThreatDescription, ThreatSeverity, Computer, ApplicationProtocol, ExtID, Reason, Activity, Infoblox* }; parser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md
new file mode 100644
index 00000000000..677be52108b
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/README.md
@@ -0,0 +1,18 @@
+# Infoblox BloxOne ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Infoblox BloxOne.
+
+This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
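Review bot: The `EventType` derivation in the `+ "query"` line of ASimAuditEventInfobloxBloxOne.json uses `has`, which matches whole terms only, so the camel-cased DeviceAction values that the same OperationLookup enumerates (`CreateSecurityPolicy`, `UpdateSecurityPolicy`, `CreateOrUpdateDfpService`) never satisfy `has "create"` or `has_any ("update", "upsert")` and fall through to `"Other"`; only the bare `Create`/`Update` actions classify correctly. The case-insensitive substring operator gives the intended result inside the JSON string: `EventType = case( Operation contains "update" or Operation contains "upsert", "Set", Operation contains "create", "Create", Operation contains "delete", "Delete", "Other" )`. Separately, `EventResult = EventOutcome` passes the raw CEF outcome through unmapped; unless Infoblox only ever emits the ASIM values (Success, Failure, Partial, NA) it should be normalized before the rename, which sample events would confirm. `EventSchemaVersion` is `"0.1"` here while the Illumio parser in this PR sets `'0.1.0'`; the two should agree.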
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventInfobloxBloxOne%2FASimAuditEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventInfobloxBloxOne%2FASimAuditEventInfobloxBloxOne.json)
diff --git a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
index 312bc6857ec..68deeacbfbb 100644
--- a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
@@ -178,6 +178,46 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventIllumioSaaSCore/ASimAuditEventIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventInfobloxBloxOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventInfobloxBloxOne/ASimAuditEventInfobloxBloxOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -498,6 +538,46 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventIllumioSaaSCore",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventInfobloxBloxOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
index 25f572416b7..90060b7e3bd 100644
--- a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
@@ -35,7 +35,7 @@ "displayName": "Audit event ASIM filtering parser.", "category": "ASIM", "FunctionAlias": "imAuditEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimAuditEvent')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty,\n vimAuditEventMicrosoftExchangeAdmin365 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers)))),\n vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftEvent (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, 
actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftEvents' in (DisabledParsers)))),\n vimAuditEventAzureActivity (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))),\n vimAuditEventCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))),\n vimAuditEventCiscoMerakiSyslog (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMerakiSyslog' in (DisabledParsers)))),\n vimAuditEventBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers)))),\n vimAuditEventBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, 
operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaCEF' in (DisabledParsers)))),\n vimAuditEventCiscoISE (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers)))),\n vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))),\n vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))),\n vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))),\n vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, 
newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimAuditEvent')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty,\n vimAuditEventMicrosoftExchangeAdmin365 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers)))),\n vimAuditEventMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftSecurityEvents (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimAuditEventMicrosoftEvent (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, 
eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventMicrosoftEvents' in (DisabledParsers)))),\n vimAuditEventAzureActivity (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))),\n vimAuditEventCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers)))),\n vimAuditEventCiscoMerakiSyslog (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoMerakiSyslog' in (DisabledParsers)))),\n vimAuditEventBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers)))),\n vimAuditEventBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, 
eventresult=eventresult, operation_has_any=operation_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventBarracudaCEF' in (DisabledParsers)))),\n vimAuditEventCiscoISE (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCiscoISE' in (DisabledParsers)))),\n vimAuditEventVectraXDRAudit (starttime=starttime, endtime=endtime, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVectraXDRAudit' in (DisabledParsers)))),\n vimAuditEventSentinelOne (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))),\n vimAuditEventCrowdStrikeFalconHost(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventCrowdStrikeFalconHost' in (DisabledParsers)))),\n vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, 
object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))),\n vimAuditEventIllumioSaaSCore(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers))))\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False" } diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md new file mode 100644 index 00000000000..3ba1867f7d5 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/README.md 
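Review bot: The new `+ "query"` line of imAuditEvent.json calls `vimAuditEventInfbloxBloxOne` and tests the exclusion key `'ExcludevimAuditEventInfbloxBloxOne'`, both missing the "o" in Infoblox, while the function this PR actually deploys is `vimAuditEventInfobloxBloxOne` (see the `linkedvimAuditEventInfobloxBloxOne` entry in FullDeploymentAuditEvent.json). Because the union is `isfuzzy=true`, an unresolvable leg is meant to be tolerated rather than surfaced as an error, so BloxOne audit events would presumably just be absent from `imAuditEvent`, and a watchlist entry using the correctly spelled exclusion name would never match. Correct both names in that leg: `vimAuditEventInfobloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfobloxBloxOne' in (DisabledParsers))))`.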
@@ -0,0 +1,18 @@
+# Illumio Core ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Illumio Core.
+
+This ASIM parser supports normalizing Illumio Core audit events logs ingested in 'Illumio_Auditable_Events_CL' table to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventIllumioSaaSCore%2FvimAuditEventIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventIllumioSaaSCore%2FvimAuditEventIllumioSaaSCore.json)
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json
new file mode 100644
index 00000000000..e3390bd9352
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventIllumioSaaSCore/vimAuditEventIllumioSaaSCore.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuditEventIllumioSaaSCore", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for Illumio SaaS Core audit events", + "category": "ASIM", + "FunctionAlias": "vimAuditEventIllumioSaaSCore", + "query": "let EventTypeLookup = datatable(\n event_type: string, // what Illumio sends\n Operation: string,\n ObjectType:string, // an enumerated list [ Configuration Atom, Policy Rule, Cloud Resource, Other],\n Object:string,\n EventType: string, // an enumerated list [ Set, Read, Create, Delete, Execute, Install, Clear, Enable, Disable, Other ] event type\n) \n[\n 'access_restriction.create', 'Access restriction created', 'Cloud Resource', 'Access_restriction', 'Create',\n 'access_restriction.delete', 'Access restriction deleted', 'Cloud Resource', 'Access_restriction', 'Delete',\n 'access_restriction.update', 'Access restriction updated', 'Cloud Resource', 'Access_restriction', 'Set',\n 'agent.activate', 'Agent paired', 'Cloud Resource', 'Agent', 'Other',\n 
'agent.activate_clone', 'Agent clone activated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.clone_detected', 'Agent clone detected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.deactivate', 'Agent unpaired', 'Cloud Resource', 'Agent', 'Other',\n 'agent.generate_maintenance_token', 'Generate maintenance token for any agent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.goodbye', 'Agent disconnected', 'Cloud Resource', 'Agent', 'Other',\n 'agent.machine_identifier', 'Agent machine identifiers updated', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_token', 'Agent refreshed token', 'Cloud Resource', 'Agent', 'Other',\n 'agent.refresh_policy', 'Success or failure to apply policy on VEN', 'Cloud Resource', 'Agent', 'Other',\n 'agent.request_upgrade', 'VEN upgrade request sent', 'Cloud Resource', 'Agent', 'Other',\n 'agent.service_not_available', 'Agent reported a service not running', 'Cloud Resource', 'Agent', 'Other',\n 'agent.suspend', 'Agent suspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.tampering', 'Agent firewall tampered', 'Cloud Resource', 'Agent', 'Other',\n 'agent.unsuspend', 'Agent unsuspended', 'Cloud Resource', 'Agent', 'Other',\n 'agent.update', 'Agent properties updated.', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_interactive_users', 'Agent interactive users updated', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_iptables_href', 'Agent updated existing iptables href', 'Cloud Resource', 'Agent', 'Set',\n 'agent.update_running_containers', 'Agent updated existing containers', 'Cloud Resource', 'Agent', 'Set',\n 'agent.upload_existing_ip_table_rules', 'Agent existing IP tables uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent.upload_support_report', 'Agent support report uploaded', 'Cloud Resource', 'Agent', 'Other',\n 'agent_support_report_request.create', 'Agent support report request created', 'Cloud Resource', 'Agent_support_report_request', 'Create',\n 'agent_support_report_request.delete', 'Agent support report 
request deleted', 'Cloud Resource', 'Agent_support_report_request', 'Delete',\n 'agents.clear_conditions', 'Condition cleared from a list of VENs', 'Cloud Resource', 'Agents', 'Other',\n 'agents.unpair', 'Multiple agents unpaired', 'Cloud Resource', 'Agents', 'Other',\n 'api_key.create', 'API key created', 'Cloud Resource', 'Api_key', 'Create',\n 'api_key.delete', 'API key deleted', 'Cloud Resource', 'Api_key', 'Delete',\n 'api_key.update', 'API key updated', 'Cloud Resource', 'Api_key', 'Set',\n 'auth_security_principal.create', 'RBAC auth security principal created', 'Cloud Resource', 'Auth_security_principal', 'Create',\n 'auth_security_principal.delete', 'RBAC auth security principal deleted', 'Cloud Resource', 'Auth_security_principal', 'Delete',\n 'auth_security_principal.update', 'RBAC auth security principal updated', 'Cloud Resource', 'Auth_security_principal', 'Set',\n 'authentication_settings.update', 'Authentication settings updated', 'Other', 'Authentication_settings', 'Set',\n 'cluster.create', 'PCE cluster created', 'Cloud Resource', 'Cluster', 'Create',\n 'cluster.delete', 'PCE cluster deleted', 'Cloud Resource', 'Cluster', 'Delete',\n 'cluster.update', 'PCE cluster updated', 'Cloud Resource', 'Cluster', 'Set',\n 'container_workload.update', 'Container workload updated', 'Cloud Resource', 'Container_workload', 'Set',\n 'container_cluster.create', 'Container cluster created', 'Cloud Resource', 'Container_cluster', 'Create',\n 'container_cluster.delete', 'Container cluster deleted', 'Cloud Resource', 'Container_cluster', 'Delete',\n 'container_cluster.update', 'Container cluster updated', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_label_map', 'Container cluster label mappings updated all at once', 'Cloud Resource', 'Container_cluster', 'Set',\n 'container_cluster.update_services', 'Container cluster services updated, created, or deleted by Kubelink', 'Cloud Resource', 'Container_cluster', 'Set',\n 
'container_workload_profile.create', 'Container workload profile created', 'Cloud Resource', 'Container_workload_profile', 'Create',\n 'container_workload_profile.delete', 'Container workload profile deleted', 'Cloud Resource', 'Container_workload_profile', 'Delete',\n 'container_workload_profile.update', 'Container workload profile updated', 'Cloud Resource', 'Container_workload_profile', 'Set',\n 'database.temp_table_autocleanup_started', 'DB temp table cleanup started', 'Other', 'Database', 'Other',\n 'database.temp_table_autocleanup_completed', 'DB temp table cleanup completed', 'Other', 'Database', 'Other',\n 'domain.create', 'Domain created', 'Other', 'Domain', 'Create',\n 'domain.delete', 'Domain deleted', 'Other', 'Domain', 'Delete',\n 'domain.update', 'Domain updated', 'Other', 'Domain', 'Set',\n 'enforcement_boundary.create', 'Enforcement boundary created', 'Cloud Resource', 'Enforcement_boundary', 'Create',\n 'enforcement_boundary.delete', 'Enforcement boundary deleted', 'Cloud Resource', 'Enforcement_boundary', 'Delete',\n 'enforcement_boundary.update', 'Enforcement boundary updated', 'Cloud Resource', 'Enforcement_boundary', 'Set',\n 'event_settings.update', 'Event settings updated', 'Other', 'Event_settings', 'Set',\n 'firewall_settings.update', 'Global policy settings updated', 'Other', 'Firewall_settings', 'Set',\n 'group.create', 'Group created', 'Other', 'Group', 'Create',\n 'group.update', 'Group updated', 'Other', 'Group', 'Set',\n 'ip_list.create', 'IP list created', 'Cloud Resource', 'Ip_list', 'Create',\n 'ip_list.delete', 'IP list deleted', 'Cloud Resource', 'Ip_list', 'Delete',\n 'ip_list.update', 'IP list updated', 'Cloud Resource', 'Ip_list', 'Set',\n 'ip_lists.delete', 'IP lists deleted', 'Cloud Resource', 'Ip_lists', 'Delete',\n 'ip_tables_rule.create', 'IP tables rules created', 'Cloud Resource', 'Ip_tables_rule', 'Create',\n 'ip_tables_rule.delete', 'IP tables rules deleted', 'Cloud Resource', 'Ip_tables_rule', 'Delete',\n 
'ip_tables_rule.update', 'IP tables rules updated', 'Cloud Resource', 'Ip_tables_rule', 'Set',\n 'job.delete', 'Job deleted', 'Other', 'Job', 'Delete',\n 'label.create', 'Label created', 'Cloud Resource', 'Label', 'Create',\n 'label.delete', 'Label deleted', 'Cloud Resource', 'Label', 'Delete',\n 'label.update', 'Label updated', 'Cloud Resource', 'Label', 'Set',\n 'label_group.create', 'Label group created', 'Cloud Resource', 'Label_group', 'Create',\n 'label_group.delete', 'Label group deleted', 'Cloud Resource', 'Label_group', 'Delete',\n 'label_group.update', 'Label group updated', 'Cloud Resource', 'Label_group', 'Set',\n 'labels.delete', 'Labels deleted', 'Cloud Resource', 'Labels', 'Delete',\n 'ldap_config.create', 'LDAP configuration created', 'Other', 'Ldap_config', 'Create',\n 'ldap_config.delete', 'LDAP configuration deleted', 'Other', 'Ldap_config', 'Delete',\n 'ldap_config.update', 'LDAP configuration updated', 'Other', 'Ldap_config', 'Set',\n 'ldap_config.verify_connection', 'LDAP server connection verified', 'Other', 'Ldap_config', 'Other',\n 'license.delete', 'License deleted', 'Other', 'License', 'Delete',\n 'license.update', 'License updated', 'Other', 'License', 'Set',\n 'login_proxy_ldap_config.create', 'Interservice call to login service to create LDAP config', 'Other', 'Login_proxy_ldap_config', 'Create',\n 'login_proxy_ldap_config.delete', 'Interservice call to login service to delete LDAP config', 'Other', 'Login_proxy_ldap_config', 'Delete',\n 'login_proxy_ldap_config.update', 'Interservice call to login service to update LDAP config', 'Other', 'Login_proxy_ldap_config', 'Set',\n 'login_proxy_ldap_config.verify_connection', 'Interservice call to login service to verify connection to the LDAP server', 'Other', 'Login_proxy_ldap_config', 'Other',\n 'login_proxy_msp_tenants.create', 'New MSP tenant created', 'Other', 'Login_proxy_msp_tenants', 'Create',\n 'login_proxy_msp_tenants.delete', 'MSP tenant deleted', 'Other', 
'Login_proxy_msp_tenants', 'Delete',\n 'login_proxy_msp_tenants.update', 'MSP tenant updated', 'Other', 'Login_proxy_msp_tenants', 'Set',\n 'login_proxy_orgs.create', 'New managed organization created', 'Other', 'Login_proxy_orgs', 'Create',\n 'login_proxy_orgs.delete', 'Managed organization deleted', 'Other', 'Login_proxy_orgs', 'Delete',\n 'login_proxy_orgs.update', 'Managed organization updated', 'Other', 'Login_proxy_orgs', 'Set',\n 'lost_agent.found', 'Lost agent found', 'Cloud Resource', 'Lost_agent', 'Other',\n 'network.create', 'Network created', 'Cloud Resource', 'Network', 'Create',\n 'network.delete', 'Network deleted', 'Cloud Resource', 'Network', 'Delete',\n 'network.update', 'Network updated', 'Cloud Resource', 'Network', 'Set',\n 'network_device.ack_enforcement_instructions_applied', 'Enforcement instruction applied to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.assign_workload', 'Existing or new unmanaged workload assigned to a network device', 'Cloud Resource', 'Network_device', 'Other',\n 'network_device.create', 'Network device created', 'Cloud Resource', 'Network_device', 'Create',\n 'network_device.delete', 'Network device deleted', 'Cloud Resource', 'Network_device', 'Delete',\n 'network_device.update', 'Network device updated', 'Cloud Resource', 'Network_device', 'Set',\n 'network_devices.ack_multi_enforcement_instructions_applied', 'Enforcement instructions applied to multiple network devices', 'Cloud Resource', 'Network_devices', 'Other',\n 'network_endpoint.create', 'Network endpoint created', 'Cloud Resource', 'Network_endpoint', 'Create',\n 'network_endpoint.delete', 'Network endpoint deleted', 'Cloud Resource', 'Network_endpoint', 'Delete',\n 'network_endpoint.update', 'Network endpoint updated', 'Cloud Resource', 'Network_endpoint', 'Set',\n 'network_enforcement_node.activate', 'Network enforcement node activated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 
'network_enforcement_node.clear_conditions', 'Network enforcement node conditions cleared', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.deactivate', 'Network enforcement node deactivated', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.degraded', 'Network enforcement node failed or primary lost connectivity to secondary', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats', 'Network enforcement node did not heartbeat for more than 15 minutes', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.missed_heartbeats_check', 'Network enforcement node missed heartbeats check', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.network_devices_network_endpoints_workloads', 'Workload added to network endpoint', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.policy_ack', 'Network enforcement node acknowledgment of policy', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.request_policy', 'Network enforcement node policy requested', 'Cloud Resource', 'Network_enforcement_node', 'Other',\n 'network_enforcement_node.update_status', 'Network enforcement node reports when switches are not reachable', 'Cloud Resource', 'Network_enforcement_node', 'Set',\n 'network_enforcement_nodes.clear_conditions', 'A condition was cleared from a list of network enforcement nodes', 'Cloud Resource', 'Network_enforcement_nodes', 'Other',\n 'nfc.activate', 'Network function controller created', 'Other', 'Nfc', 'Other',\n 'nfc.delete', 'Network function controller deleted', 'Other', 'Nfc', 'Delete',\n 'nfc.update_discovered_virtual_servers', 'Network function controller virtual servers discovered', 'Cloud Resource', 'Nfc', 'Set',\n 'nfc.update_policy_status', 'Network function controller policy status', 'Other', 'Nfc', 'Set',\n 
'nfc.update_slb_state', 'Network function controller SLB state updated', 'Other', 'Nfc', 'Set',\n 'org.create', 'Organization created', 'Other', 'Org', 'Create',\n 'org.recalc_rules', 'Rules for organization recalculated', 'Other', 'Org', 'Other',\n 'org.update', 'Organization information updated', 'Other', 'Org', 'Set',\n 'pairing_profile.create', 'Pairing profile created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.create_pairing_key', 'Pairing profile pairing key created', 'Cloud Resource', 'Pairing_profile', 'Create',\n 'pairing_profile.delete', 'Pairing profile deleted', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profile.update', 'Pairing profile updated', 'Cloud Resource', 'Pairing_profile', 'Set',\n 'pairing_profile.delete_all_pairing_keys', 'Pairing keys deleted from pairing profile', 'Cloud Resource', 'Pairing_profile', 'Delete',\n 'pairing_profiles.delete', 'Pairing profiles deleted', 'Cloud Resource', 'Pairing_profiles', 'Delete',\n 'password_policy.create', 'Password policy created', 'Cloud Resource', 'Password_policy', 'Create',\n 'password_policy.delete', 'Password policy deleted', 'Cloud Resource', 'Password_policy', 'Delete',\n 'password_policy.update', 'Password policy updated', 'Cloud Resource', 'Password_policy', 'Set',\n 'permission.create', 'RBAC permission created', 'Cloud Resource', 'Permission', 'Create',\n 'permission.delete', 'RBAC permission deleted', 'Cloud Resource', 'Permission', 'Delete',\n 'permission.update', 'RBAC permission updated', 'Cloud Resource', 'Permission', 'Set',\n 'radius_config.create', 'Create domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Create',\n 'radius_config.delete', 'Delete domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Delete',\n 'radius_config.update', 'Update domain RADIUS configuration', 'Cloud Resource', 'Radius_config', 'Set',\n 'radius_config.verify_shared_secret', 'Verify RADIUS shared secret', 'Cloud Resource', 'Radius_config', 
'Other',\n 'request.authentication_failed', 'API request authentication failed', 'Other', 'Request', 'Other',\n 'request.authorization_failed', 'API request authorization failed', 'Other', 'Request', 'Other',\n 'request.internal_server_error', 'API request failed due to internal server error', 'Other', 'Request', 'Other',\n 'request.service_unavailable', 'API request failed due to unavailable service', 'Other', 'Request', 'Other',\n 'request.unknown_server_error', 'API request failed due to unknown server error', 'Other', 'Request', 'Other',\n 'resource.create', 'Login resource created', 'Other', 'Resource', 'Create',\n 'resource.delete', 'Login resource deleted', 'Other', 'Resource', 'Delete',\n 'resource.update', 'Login resource updated', 'Other', 'Resource', 'Set',\n 'rule_set.create', 'Rule set created', 'Policy Rule', 'Rule_set', 'Create',\n 'rule_set.delete', 'Rule set deleted', 'Policy Rule', 'Rule_set', 'Delete',\n 'rule_set.update', 'Rule set updated', 'Policy Rule', 'Rule_set', 'Set',\n 'rule_sets.delete', 'Rule sets deleted', 'Policy Rule', 'Rule_sets', 'Delete',\n 'saml_acs.update', 'SAML assertion consumer services updated', 'Other', 'Saml_acs', 'Set',\n 'saml_config.create', 'SAML configuration created', 'Cloud Resource', 'Saml_config', 'Create',\n 'saml_config.delete', 'SAML configuration deleted', 'Cloud Resource', 'Saml_config', 'Delete',\n 'saml_config.pce_signing_cert', 'Generate a new cert for signing SAML AuthN requests', 'Cloud Resource', 'Saml_config', 'Other',\n 'saml_config.update', 'SAML configuration updated', 'Cloud Resource', 'Saml_config', 'Set',\n 'saml_sp_config.create', 'SAML Service Provider created', 'Cloud Resource', 'Saml_sp_config', 'Create',\n 'saml_sp_config.delete', 'SAML Service Provider deleted', 'Cloud Resource', 'Saml_sp_config', 'Delete',\n 'saml_sp_config.update', 'SAML Service Provider updated', 'Cloud Resource', 'Saml_sp_config', 'Set',\n 'sec_policy.create', 'Security policy created', 'Other', 'Sec_policy', 
'Create',\n 'sec_policy_pending.delete', 'Pending security policy deleted', 'Other', 'Sec_policy_pending', 'Delete',\n 'sec_policy.restore', 'Security policy restored', 'Other', 'Sec_policy', 'Other',\n 'sec_rule.create', 'Security policy rules created', 'Policy Rule', 'Sec_rule', 'Create',\n 'sec_rule.delete', 'Security policy rules deleted', 'Policy Rule', 'Sec_rule', 'Delete',\n 'sec_rule.update', 'Security policy rules updated', 'Policy Rule', 'Sec_rule', 'Set',\n 'secure_connect_gateway.create', 'SecureConnect gateway created', 'Other', 'Secure_connect_gateway', 'Create',\n 'secure_connect_gateway.delete', 'SecureConnect gateway deleted', 'Other', 'Secure_connect_gateway', 'Delete',\n 'secure_connect_gateway.update', 'SecureConnect gateway updated', 'Other', 'Secure_connect_gateway', 'Set',\n 'security_principal.create', 'RBAC security principal created', 'Other', 'Security_principal', 'Create',\n 'security_principal.delete', 'RBAC security principal bulk deleted', 'Other', 'Security_principal', 'Delete',\n 'security_principal.update', 'RBAC security principal bulk updated', 'Other', 'Security_principal', 'Set',\n 'security_principals.bulk_create', 'RBAC security principals bulk created', 'Other', 'Security_principals', 'Other',\n 'service.create', 'Service created', 'Other', 'Service', 'Create',\n 'service.delete', 'Service deleted', 'Other', 'Service', 'Delete',\n 'service.update', 'Service updated', 'Other', 'Service', 'Set',\n 'service_account.create', 'Service account created', 'Other', 'Service_account', 'Create',\n 'service_account.delete', 'Service account deleted', 'Other', 'Service_account', 'Delete',\n 'service_account.update', 'Service account updated', 'Other', 'Service_account', 'Set',\n 'service_binding.create', 'Service binding created', 'Other', 'Service_binding', 'Create',\n 'service_binding.delete', 'Service binding created', 'Other', 'Service_binding', 'Delete',\n 'service_bindings.delete', 'Service bindings deleted', 'Other', 
'Service_bindings', 'Delete',\n 'service_bindings.delete', 'Service binding deleted', 'Other', 'Service_bindings', 'Delete',\n 'services.delete', 'Services deleted', 'Other', 'Services', 'Delete',\n 'settings.update', 'Explorer settings updated', 'Other', 'Settings', 'Set',\n 'slb.create', 'Server load balancer created', 'Other', 'Slb', 'Create',\n 'slb.delete', 'Server load balancer deleted', 'Other', 'Slb', 'Delete',\n 'slb.update', 'Server load balancer updated', 'Other', 'Slb', 'Set',\n 'support_report.upload', 'Support report uploaded', 'Other', 'Support_report', 'Other',\n 'syslog_destination.create', 'syslog remote destination created', 'Other', 'Syslog_destination', 'Create',\n 'syslog_destination.delete', 'syslog remote destination deleted', 'Other', 'Syslog_destination', 'Delete',\n 'syslog_destination.update', 'syslog remote destination updated', 'Other', 'Syslog_destination', 'Set',\n 'system_task.agent_missed_heartbeats_check', 'Agent missed heartbeats', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_missing_heartbeats_after_upgrade', 'VEN missing heartbeat after upgrade', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_offline_check', 'Agents marked offline', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_self_signed_certs_check', 'VEN self signed certificate housekeeping check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_settings_invalidation_error_state_check', 'VEN settings invalidation error state check', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.agent_uninstall_timeout', 'VEN uninstall timeout', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.clear_auth_recover_condition', 'Clear VEN authentication recovery condition', 'Other', 'System_task', 'Other',\n 'system_task.compute_policy_for_unmanaged_workloads', 'Compute policy for unmanaged workloads', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.delete_expired_service_account_api_keys', 'An expired 
service account api_key was successfully deleted', 'Cloud Resource', 'System_task', 'Delete',\n 'system_task.delete_old_cached_perspectives', 'Delete old cached perspectives', 'Other', 'System_task', 'Delete',\n 'system_task.endpoint_offline_check', 'Endpoint marked offline', 'Other', 'System_task', 'Other',\n 'system_task.provision_container_cluster_services', 'Container cluster services provisioned', 'Cloud Resource', 'System_task', 'Other',\n 'system_task.prune_old_log_events', 'Event pruning completed', 'Other', 'System_task', 'Other',\n 'system_task.remove_stale_zone_subsets', 'Stale zone subnets removed', 'Other', 'System_task', 'Other',\n 'system_task.set_server_sync_check', 'Set server synced', 'Other', 'System_task', 'Other',\n 'system_task.vacuum_deactivated_agent_and_deleted_workloads', 'Deactivated and deleted workloads have been vacuumed', 'Cloud Resource', 'System_task', 'Other',\n 'traffic_collector_setting.create', 'Traffic collector setting created', 'Other', 'Traffic_collector_setting', 'Create',\n 'traffic_collector_setting.delete', 'Traffic collector setting deleted', 'Other', 'Traffic_collector_setting', 'Delete',\n 'traffic_collector_setting.update', 'Traffic collector setting updated', 'Other', 'Traffic_collector_setting', 'Set',\n 'trusted_proxy_ips.update', 'Trusted proxy IPs created or updated', 'Other', 'Trusted_proxy_ips', 'Set',\n 'user.accept_invitation', 'User invitation accepted', 'Cloud Resource', 'User', 'Other',\n 'user.authenticate', 'User authenticated', 'Cloud Resource', 'User', 'Other',\n 'user.create', 'User created', 'Cloud Resource', 'User', 'Create',\n 'user.delete', 'User deleted', 'Cloud Resource', 'User', 'Delete',\n 'user.invite', 'User invited', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set', \n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.pce_session_terminated', 'User session terminated', 'Cloud Resource', 
'User', 'Other',\n 'user.login_session_terminated', 'User login session terminated', 'Cloud Resource', 'User', 'Other',\n 'user.reset_password', 'User password reset', 'Cloud Resource', 'User', 'Other',\n 'user.update', 'User information updated', 'Cloud Resource', 'User', 'Set',\n 'user.update_password', 'User password updated', 'Cloud Resource', 'User', 'Set',\n 'user.use_expired_password', 'User entered expired password', 'Cloud Resource', 'User', 'Other',\n 'user.verify_mfa', 'User verified MFA', 'Cloud Resource', 'User', 'Other',\n 'users.auth_token', 'Auth token returned for user authentication on PCE', 'Other', 'Users', 'Other',\n 'user_local_profile.create', 'User local profile created', 'Other', 'User_local_profile', 'Create',\n 'user_local_profile.delete', 'User local profile deleted', 'Other', 'User_local_profile', 'Delete',\n 'user_local_profile.reinvite', 'User local profile reinvited', 'Other', 'User_local_profile', 'Other',\n 'user_local_profile.update_password', 'User local password updated', 'Other', 'User_local_profile', 'Set',\n 'ven_settings.update', 'VEN settings updated', 'Other', 'Ven_settings', 'Set',\n 'ven_software.upgrade', 'VEN software release upgraded', 'Other', 'Ven_software', 'Set',\n 'ven_software_release.create', 'VEN software release created', 'Other', 'Ven_software_release', 'Create',\n 'ven_software_release.delete', 'VEN software release deleted', 'Other', 'Ven_software_release', 'Delete',\n 'ven_software_release.deploy', 'VEN software release deployed', 'Other', 'Ven_software_release', 'Other',\n 'ven_software_release.update', 'VEN software release updated', 'Other', 'Ven_software_release', 'Set',\n 'ven_software_releases.set_default_version', 'Default VEN software version set', 'Other', 'Ven_software_releases', 'Other',\n 'virtual_server.create', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Create',\n 'virtual_server.delete', 'Virtual server created', 'Cloud Resource', 'Virtual_server', 'Delete',\n 
'virtual_server.update', 'Virtual server updated', 'Cloud Resource', 'Virtual_server', 'Set',\n 'virtual_service.create', 'Virtual service created', 'Cloud Resource', 'Virtual_service', 'Create',\n 'virtual_service.delete', 'Virtual service deleted', 'Cloud Resource', 'Virtual_service', 'Delete',\n 'virtual_service.update', 'Virtual service updated', 'Cloud Resource', 'Virtual_service', 'Set',\n 'virtual_services.bulk_create', 'Virtual services created in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'virtual_services.bulk_update', 'Virtual services updated in bulk', 'Cloud Resource', 'Virtual_services', 'Other',\n 'vulnerability.create', 'Vulnerability record created', 'Other', 'Vulnerability', 'Create',\n 'vulnerability.delete', 'Vulnerability record deleted', 'Other', 'Vulnerability', 'Delete',\n 'vulnerability.update', 'Vulnerability record updated', 'Other', 'Vulnerability', 'Set',\n 'vulnerability_report.delete', 'Vulnerability report deleted', 'Other', 'Vulnerability_report', 'Delete',\n 'vulnerability_report.update', 'Vulnerability report updated', 'Other', 'Vulnerability_report', 'Set',\n 'workload.create', 'Workload created', 'Cloud Resource', 'Workload', 'Create',\n 'workload.delete', 'Workload deleted', 'Cloud Resource', 'Workload', 'Delete',\n 'workload.online', 'Workload online', 'Cloud Resource', 'Workload', 'Other',\n 'workload.recalc_rules', 'Workload policy recalculated', 'Cloud Resource', 'Workload', 'Other',\n 'workload.redetect_network', 'Workload network redetected', 'Cloud Resource', 'Workload', 'Other',\n 'workload.undelete', 'Workload undeleted', 'Cloud Resource', 'Workload', 'Other',\n 'workload.update', 'Workload settings updated', 'Cloud Resource', 'Workload', 'Set',\n 'workload.upgrade', 'Workload upgraded', 'Cloud Resource', 'Workload', 'Set',\n 'workload_interface.create', 'Workload interface created', 'Cloud Resource', 'Workload_interface', 'Create',\n 'workload_interface.delete', 'Workload interface deleted', 'Cloud 
Resource', 'Workload_interface', 'Delete',\n 'workload_interface.update', 'Workload interface updated', 'Cloud Resource', 'Workload_interface', 'Set',\n 'workload_interfaces.update', 'Workload interfaces updated', 'Cloud Resource', 'Workload_interfaces', 'Set',\n '', 'For example, IP address changes, new interface added, and interface shut down.', 'Other', '', 'Other',\n 'workload_service_report.update', 'Workload service report updated', 'Cloud Resource', 'Workload_service_report', 'Set',\n 'workload_settings.update', 'Workload settings updated', 'Cloud Resource', 'Workload_settings', 'Set',\n 'workloads.apply_policy', 'Workloads policies applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_create', 'Workloads created in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_delete', 'Workloads deleted in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.bulk_update', 'Workloads updated in bulk', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.remove_labels', 'Workloads labels removed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_flow_reporting_frequency', 'Workload flow reporting frequency changed', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.set_labels', 'Workload labels applied', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.unpair', 'Workloads unpaired', 'Cloud Resource', 'Workloads', 'Other',\n 'workloads.update', 'Workloads updated', 'Cloud Resource', 'Workloads', 'Set'\n];\nlet EventSeverityLookup = datatable(\n severity: string,\n EventSeverity: string\n)\n [\n \"err\", \"High\",\n \"info\", \"Informational\",\n \"warning\", \"Medium\"\n];\nlet EventResultLookup = datatable(\n status: string,\n EventResult: string\n)\n [\n \"success\", \"Success\",\n \"failure\", \"Failure\",\n \"\", \"NA\"\n];\nlet parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n 
actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]), // not sure if this is required\n object_has_any:dynamic=dynamic([]), // not sure if this is required\n newvalue_has_any:dynamic=dynamic([]), // not mapped yet\n disabled:bool = false\n ){\n Illumio_Auditable_Events_CL \n | where not(disabled) and (event_type !startswith \"user\") // filter out user auth events\n and ((isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(action.src_ip, srcipaddr_has_any_prefix))\n | lookup EventTypeLookup on event_type // fetch Object, ObjectType,EventType, Operation from lookup\n | lookup EventSeverityLookup on severity // fetch EventSeverity from lookup\n | lookup EventResultLookup on status // fetch EventResult from lookup\n | extend temp_resource_changes = parse_json(resource_changes) \n | extend temp_notifications = parse_json(notifications)\n | extend\n NewValue = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].changes, ''),\n EventMessage = iff(isnotnull(temp_resource_changes), temp_resource_changes[0].resource, ''), \n SrcIpAddr = iff(action.src_ip == 'FILTERED', \"\", action.src_ip)\n | extend \n ActorUsername = case(\n isnotnull(created_by.system), \"System\",\n isnotnull(created_by.user), created_by.user.username,\n isnotnull(created_by.agent), created_by.agent.hostname,\n \"Unknown\"\n ) \n | extend ActorUsernameType = \"Simple\" \n // ***** parser filter params *****\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in)) \n and (eventresult == \"*\" or EventResult =~ eventresult) and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and 
(array_length(newvalue_has_any) == 0)\n // ***** parser filter params *****\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n Dvc = pce_fqdn,\n EventType = iff(isnull(EventType), event_type, EventType),\n EventOriginalUid = href,\n EventUid = _ItemId\n //aliases\n | extend \n IpAddr = SrcIpAddr,\n User = ActorUsername,\n Value = NewValue \n | project-away \n event_type, // used by EventType \n severity, // used by EventSeverity \n temp_*, \n resource_changes, // used by NewValue and EventMessage\n notifications,\n version, // simply drop version, no need to translate\n action, //used by src_ip\n status, // used by EventResult\n created_by, // used by ActorUsername and ActorType\n pce_fqdn, // used by Dvc\n href, // used by EventOriginalUid\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md new file mode 100644 index 00000000000..47dd35ce110 --- /dev/null 
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/README.md @@ -0,0 +1,18 @@ +# Infoblox BloxOne ASIM AuditEvent Normalization Parser + +ARM template for ASIM AuditEvent schema parser for Infoblox BloxOne. + +This ASIM parser supports normalizing AuditEvent logs from Infoblox BloxOne to the ASIM AuditEvent normalized schema. These events are captured through the Azure Monitor Agent (AMA) which are sent by the Data Connector Service of Infoblox BloxOne. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventInfobloxBloxOne%2FvimAuditEventInfobloxBloxOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventInfobloxBloxOne%2FvimAuditEventInfobloxBloxOne.json) diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json new file mode 100644 index 00000000000..99eefeac890 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventInfobloxBloxOne/vimAuditEventInfobloxBloxOne.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuditEventInfbloxBloxOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "AuditEvent ASIM parser for Infoblox BloxOne", + "category": "ASIM", + "FunctionAlias": "vimAuditEventInfbloxBloxOne", + "query": "let EventSeverityLookup = datatable (LogSeverity:string, EventSeverity:string)\n [\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Medium\",\n \"5\", \"Medium\",\n \"6\", \"Medium\",\n \"7\", \"High\",\n \"8\", \"High\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet OperationLookup = datatable (DeviceAction:string, Object:string, ObjectType:string)\n[\n \"CreateSecurityPolicy\", \"Security Policy\", \"Policy Role\",\n \"UpdateSecurityPolicy\", \"Security Policy\", \"Policy\",\n \"Create\", \"Network Resource\", \"Service\",\n \"Update\", \"Network Resource\", \"Service\",\n \"Restore\", \"Infoblox Resource\", \"Service\",\n \"CreateOrGetDoHFQDN\", \"DOHFQDN\", \"Service\",\n \"CreateOrUpdateDfpService\", \"Dfp Service\", \"Service\",\n 
\"MoveToRecyclebin\", \"Recyclebin\", \"Other\",\n \"CreateCategoryFilter\", \"Category Filter\", \"Other\",\n \"GetLookalikeThreatCounts\", \"Lookalike Threat Counts\", \"Other\",\n \"GetLookalikeDomainCounts\", \"Lookalike Domain Counts\", \"Other\",\n \"CreateRoamingDeviceGroup\", \"Roaming Device Group\", \"Configuration Atom\",\n \"UpdatePartialRoamingDeviceGroup\", \"Partial Roaming Device Group\", \"Configuration Atom\"\n];\nlet parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n CommonSecurityLog\n | where not(disabled) \n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and DeviceVendor == \"Infoblox\"\n and DeviceEventClassID has \"AUDIT\"\n and (eventresult == \"*\" or EventOutcome =~ eventresult)\n and (array_length(operation_has_any) == 0 or DeviceAction has_any (operation_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SourceUserName has_any (actorusername_has_any))\n and array_length(newvalue_has_any) == 0\n | parse-kv AdditionalExtensions as (InfobloxHTTPReqBody:string, InfobloxHTTPRespBody:string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend EventType = case(\n DeviceAction has_any (\"update\", \"upsert\"),\n \"Set\", \n DeviceAction has \"create\",\n \"Create\",\n DeviceAction has \"delete\",\n \"Delete\",\n \"Other\"\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSeverityLookup on LogSeverity\n | lookup OperationLookup on DeviceAction\n | extend Object = iff(isempty(Object), 
\"Infoblox Network Resource\", Object),\n ObjectType = iff(isempty(ObjectType), \"Service\", ObjectType)\n | where (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | invoke _ASIM_ResolveDvcFQDN('CollectorHostName')\n | project-rename\n EventResult = EventOutcome,\n Operation = DeviceAction,\n ActorUsername = SourceUserName,\n SrcIpAddr = SourceIP,\n EventOriginalSeverity = LogSeverity,\n EventMessage = Message,\n EventOriginalType = DeviceEventClassID,\n EventUid = _ItemId\n | extend\n Dvc = DvcHostname,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n Src = SrcIpAddr,\n ActorUserType = _ASIM_GetUserType(ActorUsername, \"\"),\n AdditionalFields = bag_pack(\n \"InfobloxHTTPReqBody\",\n InfobloxHTTPReqBody,\n \"InfobloxHTTPRespBody\",\n InfobloxHTTPRespBody\n ),\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | extend\n EventCount = toint(1),\n EventProduct = \"BloxOne\",\n EventVendor = \"Infoblox\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Protocol,\n SimplifiedDeviceAction,\n ExternalID,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n StartTime,\n TenantId,\n ReportReferenceLink,\n ReceiptTime,\n Indicator*,\n _ResourceId,\n ThreatConfidence,\n ThreatDescription,\n ThreatSeverity,\n Computer,\n ApplicationProtocol,\n ExtID,\n Reason,\n Activity,\n Infoblox*\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)\n", + "version": 1, + "functionParameters": 
"disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json index 2fd7557df8e..5ca427cdfe4 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json 
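Review bot: The saved search `name` and `FunctionAlias` are both spelled `vimAuditEventInfbloxBloxOne` (missing the "o" in Infoblox) while the directory, file name and README use `vimAuditEventInfobloxBloxOne`, so anything that presumably calls the function by the folder's name will not resolve once this template is deployed; change both strings to `"name": "vimAuditEventInfobloxBloxOne",` and `"FunctionAlias": "vimAuditEventInfobloxBloxOne",`. The `eventtype_in` parameter is applied with `EventType has_any (eventtype_in)`, which is term matching on a string column rather than the exact-value test a filtering parser should do; `EventType in (eventtype_in)` matches how `eventresult` is handled a few lines earlier. `EventSchemaVersion` is `"0.1"` here while the sibling Illumio AuditEvent parser in this same PR uses `"0.1.0"`; pick one form so downstream content can compare versions consistently.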
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM parser", "category": "ASIM", "FunctionAlias": "ASimNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n \n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSecurityEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in 
(DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMerakiSyslog (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmonWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE 
(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(pack:bool=false){\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , ASimNetworkSessionLinuxSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoft365Defender (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTSensor (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMD4IoTSSensor' in (DisabledParsers) ))\n , ASimNetworkSessionMD4IoTAgent (ASimBuiltInDisabled or 
('ExcludeASimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftWindowsEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSecurityEventFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , ASimNetworkSessionVMConnection (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMConnection' in (DisabledParsers) ))\n , ASimNetworkSessionAWSVPC (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , ASimNetworkSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionAzureNSG (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , ASimNetworkSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVectraAI' in (DisabledParsers) )))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMerakiSyslog (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , ASimNetworkSessionAppGateSDP (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , ASimNetworkSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , ASimNetworkSessionCorelightZeek (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , ASimNetworkSessionCheckPointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoASA (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoASA' in 
(DisabledParsers) ))\n , ASimNetworkSessionWatchGuardFirewareOS (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmon (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , ASimNetworkSessionMicrosoftSysmonWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , ASimNetworkSessionForcePointFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , ASimNetworkSessionNative (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionNative' in (DisabledParsers) ))\n , ASimNetworkSessionSentinelOne (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoISE (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , ASimNetworkSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , ASimNetworkSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , ASimNetworkSessionCrowdStrikeFalconHost (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , ASimNetworkSessionVMwareCarbonBlackCloud (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , ASimNetworkSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , ASimNetworkSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , 
ASimNetworkSessionIllumioSaaSCore (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionIllumioSaaSCore' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric (pack=pack)\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json new file mode 100644 index 00000000000..747a69f4118 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json 
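Review bot: `ASimNetworkSessionCiscoMeraki` appears twice in the new union (once after `ASimNetworkSessionVectraAI` and again after `ASimNetworkSessionSentinelOne`), so every Meraki event is returned twice unless that parser is excluded via the watchlist; the duplication predates this commit, but since the whole query string is rewritten here it is the place to drop the second `, ASimNetworkSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCiscoMeraki' in (DisabledParsers) ))` entry. The exclusion key for the IoT sensor parser is spelled `ExcludeASimNetworkSessionMD4IoTSSensor` (double "S"), so a watchlist entry following the `Exclude<ParserName>` convention used on every other line would silently fail to disable it; renaming the key changes behaviour for anyone already using the misspelt one, so at minimum document it. The new `ASimNetworkSessionIllumioSaaSCore` entry itself follows the existing pattern correctly.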
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimNetworkSessionIllumioSaaSCore", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "ASimNetworkSessionIllumioSaaSCore", + "query": "let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 
44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\nlet NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string)\n[\n 4,\"IPv4\",\n 6,\"IPv6\"\n];\nlet EventResultLookup = datatable(DvcAction: string, EventResult: string)\n[\n \"Deny\", \"Failure\",\n \"Allow\", 
\"Success\"\n];\nlet DvcActionLookup = datatable(pd: int, DvcAction: string)\n[\n// - Allow\n// - Deny\n// - Drop\n// - Drop ICMP\n// - Reset\n// - Reset Source\n// - Reset Destination\n// - Encrypt\n// - Decrypt\n// - VPNroute\n 2, \"Deny\",\n 1, \"Allow\",\n 0, \"Allow\"\n];\nlet ClassLookup = datatable(class: string, ClassDetail: string)\n[\n \"M\", \"Multicast\",\n \"B\", \"Broadcast\",\n \"U\", \"Unicast\"\n];\nlet parser=(disabled:bool=false){\n Illumio_Flow_Events_CL \n | where not(disabled)\n | lookup ProtocolLookup on proto\n | lookup NetworkProtocolVersionLookup on version\n | lookup DvcActionLookup on pd //set DvcAction\n | extend EventResult = iff(DvcAction == \"Deny\", \"Failure\", \"Success\")\n | lookup ClassLookup on class\n | extend\n EventCount = flow_count,\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventType = 'Flow',\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'NetworkSession',\n Dvc = pce_fqdn \n | extend NetworkDirection = case(\n dir=='I', 'Inbound',\n dir=='O', 'Outbound',\n 'Unknown'\n ),\n NetworkDuration = interval_sec,\n DstBytes = tolong(dst_dbo),\n SrcBytes = tolong(dst_dbi),\n DstIpAddr = dst_ip,\n SrcIpAddr = src_ip,\n DstPortNumber = dst_port,\n DstHostname = dst_hostname,\n SrcHostname = src_hostname,\n EventSeverity = case( \n DvcAction=='Deny', 'Low',\n 'Informational' \n )\n | extend \n SrcProcessName = iif(dir=='O', pn, ''),\n DstProcessName = iif(dir=='I', pn, ''),\n SrcUsername = iif(dir=='O', un, ''),\n DstUsername = iif(dir=='I', un, '')\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername)\n //Aliases\n | extend \n DvcIpAddr = SrcIpAddr,\n DvcHostname = SrcHostname\n | extend\n AdditionalFields = bag_pack(\"Class\", ClassDetail,\n \"Network\",network,\n \"Source_Labels\", src_labels,\n \"Dest_Labels\", dst_labels,\n \"Src_href\", src_href, // can this be stored in SrcId 
instead?\n \"Dst_href\", dst_href // can this be stored in DvcId instead?\n // need to add SN here\n )\n // aliases \n | extend\n Duration = NetworkDuration,\n User = DstUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n EventUid = _ItemId\n | project-away \n code,\n icmp_type,\n dst_dbi,\n dst_dbo,\n dst_tbi,\n dst_tbo,\n pce_fqdn,\n proto,\n dst_port,\n src_ip,\n dst_ip,\n dst_hostname,\n src_hostname,\n dir,\n flow_count,\n src_href,\n dst_href,\n src_labels,\n dst_labels,\n network,\n class,\n org_id,\n state, // decide how to use this\n pd_qualifier, //decide how to use this\n interval_sec,\n version,\n ddms, // not needed\n tdms, // not needed\n pn, \n un,\n pd,\n ClassDetail,\n TenantId\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md new file mode 100644 index 00000000000..444d4e5f443 --- /dev/null +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/README.md @@ -0,0 +1,18 @@ +# Illumio SaaS Core ASIM NetworkSession Normalization Parser + +ARM template for ASIM NetworkSession schema parser for Illumio SaaS Core. + +This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc) + +
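Review bot: `ProtocolLookup` has two rows for key `84` (`"TTP"` and `"IPTM"`); `lookup` against a non-unique right-hand key emits one output row per match, so every flow with `proto == 84` comes out of the parser twice — keep a single row for 84 (IANA lists both names for that number, e.g. `84,"TTP/IPTM"`). `EventResultLookup` is declared but never used, as `EventResult` is instead derived with `iff(DvcAction == "Deny", "Failure", "Success")`; either drop the datatable or `lookup` on it, and note that with the `iff` any `pd` value outside 0/1/2 leaves `DvcAction` empty and is reported as `Success`. `Dvc` is set to `pce_fqdn` while `DvcHostname`/`DvcIpAddr` are aliased to `SrcHostname`/`SrcIpAddr`, so the three device fields describe different machines; pick one interpretation and document it. If `interval_sec` is in seconds, `NetworkDuration = interval_sec` presumably needs `* 1000`, since the ASIM NetworkSession schema defines NetworkDuration in milliseconds — confirm against the Illumio field definition.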
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionIllumioSaaSCore%2FASimNetworkSessionIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionIllumioSaaSCore%2FASimNetworkSessionIllumioSaaSCore.json) diff --git a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json index 66b122ce568..16d740103d0 100644 --- a/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json @@ -358,6 +358,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimNetworkSessionIllumioSaaSCore", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionIllumioSaaSCore/ASimNetworkSessionIllumioSaaSCore.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -1078,6 +1098,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimNetworkSessionIllumioSaaSCore", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json index da1ce681b1d..89fc9bf6b79 100644 --- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json 
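Review bot: The new `linkedvimNetworkSessionIllumioSaaSCore` deployment fetches `vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json` from `raw.githubusercontent.com/Azure/Azure-Sentinel/master`, but that template is not among the files added in this diff (only the `ASimNetworkSessionIllumioSaaSCore` template and its README are visible); if it is not added elsewhere in the PR, the full deployment fails on this resource at deploy time. Because both linked templates resolve against `master` rather than a pinned commit, what is deployed is whatever the branch holds at that moment — consistent with the surrounding entries, but it means this entry must not be merged ahead of the vim template it points at.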
@@ -35,7 +35,7 @@ "displayName": "Network Session ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imNetworkSession", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, 
eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSecurityEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, 
dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMerakiSyslog (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, 
dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, 
eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, 
eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n dstipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null),\n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimNetworkSessionEmpty\n , vimNetworkSessionLinuxSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionLinuxSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoft365Defender (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, 
dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoft365Defender' in (DisabledParsers) ))\n , vimNetworkSessionMD4IoTAgent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMD4IoTAgent' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftWindowsEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftWindowsEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSecurityEventFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSecurityEventFirewall' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCEF' in (DisabledParsers) ))\n , vimNetworkSessionVMConnection (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMConnection' in (DisabledParsers) ))\n , vimNetworkSessionAWSVPC (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAWSVPC' in (DisabledParsers) ))\n , vimNetworkSessionAzureFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, 
hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureFirewall' in (DisabledParsers) ))\n , vimNetworkSessionAzureNSG (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAzureNSG' in (DisabledParsers) ))\n , vimNetworkSessionVectraAI (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludevimNetworkSessionVectraAI' in (DisabledParsers) )))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMerakiSyslog (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMerakiSyslog' in (DisabledParsers) ))\n , vimNetworkSessionAppGateSDP (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionAppGateSDP' in (DisabledParsers) ))\n , vimNetworkSessionFortinetFortiGate (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionFortinetFortiGate' in (DisabledParsers) ))\n , vimNetworkSessionCorelightZeek (starttime, endtime, 
srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCorelightZeek' in (DisabledParsers) ))\n , vimNetworkSessionCheckPointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCheckPointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionWatchGuardFirewareOS (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionWatchGuardFirewareOS' in (DisabledParsers) ))\n , vimNetworkSessionCiscoASA (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoASA' in (DisabledParsers) ))\n , vimNetworkSessionForcePointFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionForcePointFirewall' in (DisabledParsers) ))\n , vimNetworkSessionNative (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionNative' in (DisabledParsers) ))\n , vimNetworkSessionSentinelOne (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSentinelOne' in (DisabledParsers) ))\n , vimNetworkSessionCiscoMeraki (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoMeraki' in (DisabledParsers) ))\n , vimNetworkSessionCiscoISE (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoISE' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaWAF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaWAF' in (DisabledParsers) ))\n , vimNetworkSessionBarracudaCEF (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionBarracudaCEF' in (DisabledParsers) ))\n , vimNetworkSessionCiscoFirepower (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCiscoFirepower' in (DisabledParsers) ))\n , vimNetworkSessionCrowdStrikeFalconHost (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionCrowdStrikeFalconHost' in (DisabledParsers) ))\n , vimNetworkSessionVMwareCarbonBlackCloud (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionVMwareCarbonBlackCloud' in (DisabledParsers) ))\n , vimNetworkSessionPaloAltoCortexDataLake (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, 
hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionPaloAltoCortexDataLake' in (DisabledParsers) ))\n , vimNetworkSessionSonicWallFirewall (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionSonicWallFirewall' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmon (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmon' in (DisabledParsers) ))\n , vimNetworkSessionMicrosoftSysmonWindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))\n , vimNetworkSessionIllumioSaaSCore (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, ipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ExcludevimNetworkSessionIllumioSaaSCore' in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, pack=pack)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" } 
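Review bot: `vimNetworkSessionCiscoMeraki` is listed twice in the union on the new side of the query (once after the VectraAI entry and again after SentinelOne), so every Meraki row is returned twice through imNetworkSession and any count- or threshold-based analytics built on it are inflated; this predates the commit, but since the whole query line is being rewritten here, dropping the second `, vimNetworkSessionCiscoMeraki (...)` entry is the cheap moment to fix it. The new Illumio entry itself passes ten positional arguments (starttime through the disabled expression), which matches the ten-parameter signature declared in the vimNetworkSessionIllumioSaaSCore template later in this patch, and like the other positional entries it does not forward pack, so only the VectraAI-style named call would carry that flag through.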
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md
new file mode 100644
index 00000000000..874cb484eb3
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/README.md
@@ -0,0 +1,18 @@
+# Illumio SaaS Core ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for Illumio SaaS Core.
+
+This ASIM parser supports normalizing Illumio SaaS Core logs to the ASIM Network Session normalized schema. These events are captured through Illumio Sentinel Integration data connector.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionIllumioSaaSCore%2FvimNetworkSessionIllumioSaaSCore.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionIllumioSaaSCore%2FvimNetworkSessionIllumioSaaSCore.json)
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json
new file mode 100644
index 00000000000..ce401421a40
--- /dev/null
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionIllumioSaaSCore/vimNetworkSessionIllumioSaaSCore.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimNetworkSessionIllumioSaaSCore", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "NetworkSession ASIM Parser for Illumio SaaS Core", + "category": "ASIM", + "FunctionAlias": "vimNetworkSessionIllumioSaaSCore", + "query": "let ProtocolLookup = datatable(proto:int, NetworkProtocol:string) [\n 0,\"HOPOPT\",\n 1,\"ICMP\",\n 2,\"IGMP\",\n 3,\"GGP\",\n 4,\"IPv4\",\n 5,\"ST\",\n 6,\"TCP\",\n 7,\"CBT\",\n 8,\"EGP\",\n 9,\"IGP\",\n 10,\"BBN-RCC-MON\",\n 11,\"NVP-II\",\n 12,\"PUP\",\n 13,\"ARGUS (deprecated)\",\n 14,\"EMCON\",\n 15,\"XNET\",\n 16,\"CHAOS\",\n 17,\"UDP\",\n 18,\"MUX\",\n 19,\"DCN-MEAS\",\n 20,\"HMP\",\n 21,\"PRM\",\n 22,\"XNS-IDP\",\n 23,\"TRUNK-1\",\n 24,\"TRUNK-2\",\n 25,\"LEAF-1\",\n 26,\"LEAF-2\",\n 27,\"RDP\",\n 28,\"IRTP\",\n 29,\"ISO-TP4\",\n 30,\"NETBLT\",\n 31,\"MFE-NSP\",\n 32,\"MERIT-INP\",\n 33,\"DCCP\",\n 34,\"3PC\",\n 35,\"IDPR\",\n 36,\"XTP\",\n 37,\"DDP\",\n 38,\"IDPR-CMTP\",\n 39,\"TP++\",\n 40,\"IL\",\n 41,\"IPv6\",\n 42,\"SDRP\",\n 43,\"IPv6-Route\",\n 
44,\"IPv6-Frag\",\n 45,\"IDRP\",\n 46,\"RSVP\",\n 47,\"GRE\",\n 48,\"DSR\",\n 49,\"BNA\",\n 50,\"ESP\",\n 51,\"AH\",\n 52,\"I-NLSP\",\n 53,\"SWIPE (deprecated)\",\n 54,\"NARP\",\n 55,\"MOBILE\",\n 56,\"TLSP\",\n 57,\"SKIP\",\n 58,\"IPv6-ICMP\",\n 59,\"IPv6-NoNxt\",\n 60,\"IPv6-Opts\",\n 61,\"\",\n 62,\"CFTP\",\n 63,\"\",\n 64,\"SAT-EXPAK\",\n 65,\"KRYPTOLAN\",\n 66,\"RVD\",\n 67,\"IPPC\",\n 68,\"\",\n 69,\"SAT-MON\",\n 70,\"VISA\",\n 71,\"IPCV\",\n 72,\"CPNX\",\n 73,\"CPHB\",\n 74,\"WSN\",\n 75,\"PVP\",\n 76,\"BR-SAT-MON\",\n 77,\"SUN-ND\",\n 78,\"WB-MON\",\n 79,\"WB-EXPAK\",\n 80,\"ISO-IP\",\n 81,\"VMTP\",\n 82,\"SECURE-VMTP\",\n 83,\"VINES\",\n 84,\"TTP\",\n 84,\"IPTM\",\n 85,\"NSFNET-IGP\",\n 86,\"DGP\",\n 87,\"TCF\",\n 88,\"EIGRP\",\n 89,\"OSPFIGP\",\n 90,\"Sprite-RPC\",\n 91,\"LARP\",\n 92,\"MTP\",\n 93,\"AX.25\",\n 94,\"IPIP\",\n 95,\"MICP (deprecated)\",\n 96,\"SCC-SP\",\n 97,\"ETHERIP\",\n 98,\"ENCAP\",\n 99,\"\",\n 100,\"GMTP\",\n 101,\"IFMP\",\n 102,\"PNNI\",\n 103,\"PIM\",\n 104,\"ARIS\",\n 105,\"SCPS\",\n 106,\"QNX\",\n 107,\"A/N\",\n 108,\"IPComp\",\n 109,\"SNP\",\n 110,\"Compaq-Peer\",\n 111,\"IPX-in-IP\",\n 112,\"VRRP\",\n 113,\"PGM\",\n 114,\"\",\n 115,\"L2TP\",\n 116,\"DDX\",\n 117,\"IATP\",\n 118,\"STP\",\n 119,\"SRP\",\n 120,\"UTI\",\n 121,\"SMP\",\n 122,\"SM (deprecated)\",\n 123,\"PTP\",\n 124,\"ISIS over IPv4\",\n 125,\"FIRE\",\n 126,\"CRTP\",\n 127,\"CRUDP\",\n 128,\"SSCOPMCE\",\n 129,\"IPLT\",\n 130,\"SPS\",\n 131,\"PIPE\",\n 132,\"SCTP\",\n 133,\"FC\",\n 134,\"RSVP-E2E-IGNORE\",\n 135,\"Mobility Header\",\n 136,\"UDPLite\",\n 137,\"MPLS-in-IP\",\n 138,\"manet\",\n 139,\"HIP\",\n 140,\"Shim6\",\n 141,\"WESP\",\n 142,\"ROHC\",\n 143,\"Ethernet\",\n 253,\"\",\n 254,\"\",\n 255,\"Reserved\"\n ];\nlet NetworkProtocolVersionLookup = datatable(version: int, NetworkProtocolVersion: string)\n[\n 4,\"IPv4\",\n 6,\"IPv6\"\n];\nlet EventResultLookup = datatable(DvcAction: string, EventResult: string)\n[\n \"Deny\", \"Failure\",\n \"Allow\", 
\"Success\"\n];\nlet DvcActionLookup = datatable(pd: int, DvcAction: string)\n[\n// - Allow\n// - Deny\n// - Drop\n// - Drop ICMP\n// - Reset\n// - Reset Source\n// - Reset Destination\n// - Encrypt\n// - Decrypt\n// - VPNroute\n 2, \"Deny\",\n 1, \"Allow\",\n 0, \"Allow\"\n];\nlet ClassLookup = datatable(class: string, ClassDetail: string)\n[\n\"M\", \"Multicast\",\n\"B\", \"Broadcast\",\n\"U\", \"Unicast\"\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n{\n let src_or_any=set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any=set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix); \n Illumio_Flow_Events_CL \n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated>=starttime) \n and (isnull(endtime) or TimeGenerated<=endtime)\n // ***** parser filter params *****\n | where\n (isnull(dstportnumber) or (dst_port == dstportnumber)) \n | extend temp_isSrcMatch=has_any_ipv4_prefix(src_ip,src_or_any)\n , temp_isDstMatch=has_any_ipv4_prefix(dst_ip,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\" // match not requested: probably most common case\n , (temp_isSrcMatch and temp_isDstMatch), \"Both\" // has to be checked before the individual \n , temp_isSrcMatch, \"SrcIpAddr\"\n , temp_isDstMatch, \"DstIpAddr\"\n , \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | extend temp_is_MatchSrcHostname = src_hostname has_any (hostname_has_any)\n , temp_is_MatchDstHostname = dst_hostname has_any (hostname_has_any)\n | extend ASimMatchingHostname = case(array_length(hostname_has_any) == 0 ,\"-\",\n 
temp_is_MatchSrcHostname and temp_is_MatchDstHostname, \"Both\",\n temp_is_MatchSrcHostname, \"SrcHostname\",\n temp_is_MatchDstHostname, \"DstHostname\",\n \"No match\"\n )\n | where ASimMatchingHostname != \"No match\" \n | project-away temp_*\n // ***** parser filter params *****\n | lookup ProtocolLookup on proto\n | lookup NetworkProtocolVersionLookup on version\n | lookup DvcActionLookup on pd //set DvcAction\n | extend EventResult = iff(DvcAction == \"Deny\", \"Failure\", \"Success\")\n | lookup ClassLookup on class\n // ***** parser filter params *****\n | where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) \n and eventresult=='*' or (eventresult == EventResult) \n and (array_length(hostname_has_any)==0 or dst_hostname has_any (hostname_has_any) or src_hostname has_any(hostname_has_any))\n // ***** parser filter params ***** \n | extend\n EventCount = flow_count,\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventType = 'Flow',\n EventProduct = 'Core',\n EventVendor = 'Illumio',\n EventSchemaVersion = '0.2.6',\n EventSchema = 'NetworkSession',\n Dvc = pce_fqdn \n | extend NetworkDirection = case(\n dir=='I', 'Inbound',\n dir=='O', 'Outbound',\n 'Unknown'\n ),\n NetworkDuration = interval_sec,\n DstBytes = tolong(dst_dbo),\n SrcBytes = tolong(dst_dbi),\n DstIpAddr = dst_ip,\n SrcIpAddr = src_ip,\n DstPortNumber = dst_port,\n DstHostname = dst_hostname,\n SrcHostname = src_hostname,\n EventSeverity = case( \n DvcAction=='Deny', 'Low',\n 'Informational' \n )\n | extend \n SrcProcessName = iif(dir=='O', pn, ''),\n DstProcessName = iif(dir=='I', pn, ''),\n SrcUsername = iif(dir=='O', un, ''),\n DstUsername = iif(dir=='I', un, '')\n | extend\n SrcUsernameType = _ASIM_GetUsernameType(SrcUsername),\n DstUsernameType = _ASIM_GetUsernameType(DstUsername) \n //Aliases\n | extend \n DvcIpAddr = SrcIpAddr,\n DvcHostname = SrcHostname\n | extend\n AdditionalFields = bag_pack(\"Class\", ClassDetail,\n \"Network\",network,\n 
\"Source_Labels\", src_labels,\n \"Dest_Labels\", dst_labels,\n \"Src_href\", src_href, // can this be stored in SrcId instead?\n \"Dst_href\", dst_href // can this be stored in DvcId instead?\n )\n // aliases \n | extend\n Duration = NetworkDuration,\n User = DstUsername,\n Hostname = DstHostname,\n IpAddr = SrcIpAddr,\n EventUid = _ItemId\n | project-away \n pce_fqdn,\n icmp_type,\n TenantId,\n proto,\n dst_port,\n src_ip,\n dst_ip,\n code,\n dst_dbi,\n dst_dbo,\n dst_tbi,\n dst_tbo, \n dst_hostname,\n src_hostname,\n dir,\n flow_count,\n src_href,\n dst_href,\n src_labels,\n dst_labels,\n network,\n class,\n org_id,\n state, // decide how to use this\n pd_qualifier, //decide how to use this\n interval_sec,\n version,\n ddms, // not needed\n tdms, // not needed\n pn, \n un,\n pd,\n ClassDetail\n}; \nparser(starttime=starttime, \nendtime=endtime, \nsrcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \ndstipaddr_has_any_prefix=dstipaddr_has_any_prefix, \nipaddr_has_any_prefix=ipaddr_has_any_prefix,\ndstportnumber=dstportnumber,\nhostname_has_any=hostname_has_any, \ndvcaction=dvcaction,\neventresult=eventresult, \ndisabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file
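Review bot: The second filter block in the parser body, `| where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) and eventresult=='*' or (eventresult == EventResult) and (array_length(hostname_has_any)==0 or ...)`, mixes `and` and `or` without grouping, so it evaluates as `(dvcaction-clause and eventresult=='*') or (eventresult==EventResult and hostname-clause)`: a caller that passes an explicit eventresult silently loses the dvcaction filter, and with the default `'*'` the hostname clause is skipped. The hostname condition is already enforced by the `| where ASimMatchingHostname != "No match"` step above, so the line can be reduced to `| where (array_length(dvcaction) == 0 or DvcAction in (dvcaction)) and (eventresult == '*' or eventresult == EventResult)`. Separately, `EventResultLookup` is declared but never joined (EventResult comes from `iff(DvcAction == "Deny", "Failure", "Success")`), and because `DvcActionLookup` only covers pd 0, 1 and 2, any other policy decision presumably leaves DvcAction empty and is then reported as Success; an explicit fallback for unmapped pd values would keep unknown decisions from being labelled as allowed traffic.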