
Commit f797f37

committed
Merge branch 'hunngu/ASIMPaloAltoGlobalProtect' of https://github.com/Azure/Azure-Sentinel into hunngu/ASIMPaloAltoGlobalProtect
2 parents 785fc60 + b86cd35 commit f797f37


3 files changed

+34
-14
lines changed

3 files changed

+34
-14
lines changed

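--- a/.script/tests/KqlvalidationsTests/FunctionSchemasLoaders/ParsersDatabase.cs
+++ b/.script/tests/KqlvalidationsTests/FunctionSchemasLoaders/ParsersDatabase.cs
@@ -14,15 +14,40 @@ public static class ParsersDatabase
 {
 public static List<ParserConfiguration> Parsers => new List<ParserConfiguration>()
 {
+new ParserConfiguration()
+{
+Schema= "ASimAlertEvent",
+SampleFunctionName= "_Im_AlertEvent",
+},
+new ParserConfiguration()
+{
+Schema= "ASimAssetEntity",
+SampleFunctionName= "_Im_AssetEntity",
+},
+new ParserConfiguration()
+{
+Schema= "ASimAuditEvent",
+SampleFunctionName= "_Im_AuditEvent",
+},
+new ParserConfiguration()
+{
+Schema= "ASimAuthentication",
+SampleFunctionName= "_Im_Authentication",
+},
+new ParserConfiguration()
+{
+Schema= "ASimDhcpEvent",
+SampleFunctionName= "_Im_DhcpEvent",
+},
 new ParserConfiguration()
 {
 Schema= "ASimDns",
 SampleFunctionName= "_Im_Dns",
 },
 new ParserConfiguration()
 {
-Schema= "ASimWebSession",
-SampleFunctionName= "_Im_WebSession",
+Schema= "ASimFileEvent",
+SampleFunctionName= "_Im_FileEvent",
 },
 new ParserConfiguration()
 {
@@ -35,25 +60,20 @@ public static class ParsersDatabase
 SampleFunctionName= "_Im_ProcessEvent",
 },
 new ParserConfiguration()
-{
-Schema= "ASimAuditEvent",
-SampleFunctionName= "_Im_AuditEvent",
-},
-new ParserConfiguration()
 {
 Schema= "ASimRegistryEvent",
 SampleFunctionName= "_Im_RegistryEvent",
 },
 new ParserConfiguration()
 {
-Schema= "ASimFileEvent",
-SampleFunctionName= "_Im_FileEvent",
+Schema= "ASimUserManagement",
+SampleFunctionName= "_Im_UserManagement",
 },
 new ParserConfiguration()
 {
-Schema= "ASimAuthentication",
-SampleFunctionName= "_Im_Authentication",
-},
+Schema= "ASimWebSession",
+SampleFunctionName= "_Im_WebSession",
+}
 };
 }
 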
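Review bot: The closing `}` on new line 76 drops the trailing comma that the previous last element carried (`},` on old line 56), so the next schema appended to this now alphabetically sorted list will have to touch the WebSession entry as well; keeping `},` on the final element is the usual C# convention for append-only collection initializers. The entries also hand-repeat a `_Im_<Schema without the ASim prefix>` pairing that is stated nowhere, so a one-line comment above `Parsers`, `// Sorted by Schema; SampleFunctionName is the ASIM unifying parser (_Im_*) for that schema.`, would make the intent explicit (that naming rule is inferred from the visible entries, so confirm it before writing it down). The enclosing class and the `Parsers` property both continue outside the hunk.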

Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoGlobalProtect/ASimAuthenticationPaloAltoGlobalProtect.json

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@
2727
"displayName": "Authentication ASIM parser for Palo Alto PAN-OS GlobalProtect",
2828
"category": "ASIM",
2929
"FunctionAlias": "ASimAuthenticationPaloAltoGlobalProtect",
30-
"query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\",\n \"Informational\", \"Informational\"\n];\nlet parser = (disabled: bool=false, pack: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and DeviceEventClassID == \"GLOBALPROTECT\"\n | where AdditionalExtensions has_any (\"gateway-login\", \"gateway-logout\", \"gateway-auth\", \"portal-auth\", \"portal-prelogin\", \"gateway-connected\")\n | parse-kv AdditionalExtensions as (\n PanOSEventID: string,\n PanOSStage: string,\n PanOSLogTimeStamp: string,\n PanOSAuthMethod: string,\n PanOSTunnelType: string,\n PanOSSourceUserName: string,\n PanOSSourceRegion: string,\n PanOSEndpointDeviceName: string,\n PanOSPublicIPv4: string,\n PanOSPublicIPv6: string,\n PanOSPrivateIPv4: string,\n PanOSPrivateIPv6: string,\n PanOSHostID: string,\n PanOSGlobalProtectClientVersion: string,\n PanOSEndpointOSType: string,\n PanOSEndpointOSVersion: string,\n PanOSEventStatus: string,\n PanOSGPGatewayLocation: string,\n PanOSPortal: string,\n PanOSLoginDuration: string,\n PanOSConnectionError: string,\n PanOSDescription: string,\n PanOSDeviceSN: string,\n PanOSVirtualSystem: string\n ) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend EventType = case(\n PanOSEventID =~ \"gateway-login\", \"Logon\",\n PanOSEventID =~ \"gateway-logout\", \"Logoff\",\n PanOSEventID =~ \"gateway-auth\", \"Logon\",\n PanOSEventID =~ \"portal-auth\", \"Logon\",\n PanOSEventID =~ \"portal-prelogin\", \"Logon\",\n PanOSEventID =~ \"gateway-connected\", \"Logon\",\n \"\"\n )\n | where isnotempty(EventType)\n | extend LogonMethod = case(\n PanOSAuthMethod =~ \"LDAP\", \"Username & Password\",\n PanOSAuthMethod =~ 
\"RADIUS\", \"Username & Password\",\n PanOSAuthMethod =~ \"SAML\", \"Other\",\n PanOSAuthMethod =~ \"certificate\", \"PKI\",\n PanOSAuthMethod =~ \"local-database\", \"Username & Password\",\n PanOSAuthMethod =~ \"Kerberos\", \"Username & Password\",\n PanOSAuthMethod =~ \"TACACS+\", \"Username & Password\",\n PanOSAuthMethod =~ \"Cookie\", \"Other\",\n \"\"\n )\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSEndpointDeviceName')\n | lookup EventSeverityLookup on LogSeverity\n | extend EventSeverity = iif(isempty(EventSeverity), \"Informational\", EventSeverity)\n | extend\n EventResult = case(\n PanOSEventStatus =~ \"success\", \"Success\",\n PanOSEventStatus =~ \"failure\", \"Failure\",\n isnotempty(PanOSConnectionError), \"Failure\",\n \"Success\"\n ),\n EventResultDetails = case(\n PanOSConnectionError has \"auth\", \"No such user or password\",\n PanOSConnectionError has \"expired\", \"Session expired\",\n PanOSConnectionError has \"timeout\", \"Session expired\",\n PanOSConnectionError has \"cert\", \"Incorrect key\",\n PanOSConnectionError has \"policy\", \"Logon violates policy\",\n PanOSConnectionError has \"locked\", \"User locked\",\n PanOSConnectionError has \"disabled\", \"User disabled\",\n isnotempty(PanOSConnectionError), \"Other\",\n \"\"\n ),\n TargetUsername = coalesce(SourceUserName, PanOSSourceUserName),\n SrcIpAddr = coalesce(SourceIP, PanOSPublicIPv4, PanOSPublicIPv6),\n EventStartTime = coalesce(todatetime(PanOSLogTimeStamp), TimeGenerated),\n EventMessage = Message,\n SrcDvcOs = coalesce(PanOSEndpointOSVersion, PanOSEndpointOSType),\n TargetAppName = coalesce(PanOSPortal, \"GlobalProtect\"),\n TargetAppType = \"Service\",\n AdditionalFields = iff(\n pack,\n bag_pack(\n \"PanOSPortal\", PanOSPortal,\n \"PanOSGPGatewayLocation\", PanOSGPGatewayLocation,\n \"PanOSTunnelType\", PanOSTunnelType,\n \"PanOSGlobalProtectClientVersion\", PanOSGlobalProtectClientVersion,\n \"PanOSLoginDuration\", 
PanOSLoginDuration,\n \"PanOSHostID\", PanOSHostID,\n \"PanOSSourceRegion\", PanOSSourceRegion,\n \"PanOSVirtualSystem\", PanOSVirtualSystem,\n \"PanOSDescription\", PanOSDescription,\n \"PanOSPrivateIPv4\", PanOSPrivateIPv4,\n \"PanOSPrivateIPv6\", PanOSPrivateIPv6,\n \"PanOSDeviceSN\", PanOSDeviceSN,\n \"PanOSStage\", PanOSStage\n ),\n dynamic([])\n )\n | project-rename\n DvcIpAddr = Computer,\n DvcId = DeviceExternalID,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n EventOriginalSubType = PanOSEventID,\n EventOriginalResultDetails = PanOSConnectionError,\n LogonProtocol = PanOSTunnelType,\n TargetIpAddr = DestinationIP,\n EventUid = _ResourceId\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n Application = TargetAppName,\n DvcAction = iff(EventResult == \"Success\", \"Allowed\", \"Blocked\"),\n TargetHostname = DvcHostname,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n EventSubType = \"Remote\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.4\",\n EventProduct = \"PAN-OS\",\n EventVendor = \"Palo Alto Networks\",\n Type = \"CommonSecurityLog\",\n EventCount = int(1)\n | project\n TimeGenerated,\n EventType,\n EventResult,\n EventResultDetails,\n EventOriginalResultDetails,\n EventMessage,\n EventStartTime,\n EventEndTime,\n EventCount,\n EventSeverity,\n EventOriginalSeverity,\n EventOriginalType,\n EventOriginalSubType,\n EventOriginalUid,\n EventSubType,\n EventProduct,\n EventProductVersion,\n EventVendor,\n EventSchema,\n EventSchemaVersion,\n EventUid,\n Dvc,\n 
DvcIpAddr,\n DvcId,\n DvcIdType,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n TargetUsername,\n TargetUsernameType,\n TargetUserType,\n User,\n TargetAppName,\n TargetAppType,\n TargetIpAddr,\n Dst,\n SrcIpAddr,\n SrcHostname,\n SrcDomain,\n SrcFQDN,\n SrcDomainType,\n SrcDvcOs,\n Src,\n IpAddr,\n LogonMethod,\n LogonProtocol,\n Application,\n DvcAction,\n TargetHostname,\n TargetDomain,\n TargetDomainType,\n AdditionalFields,\n Type\n};\nparser(disabled=disabled, pack=pack)\n",
30+
"query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\",\n \"Informational\", \"Informational\"\n];\nlet parser = (disabled: bool=false, pack: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and DeviceEventClassID == \"GLOBALPROTECT\"\n | where AdditionalExtensions has_any (\"gateway-login\", \"gateway-logout\", \"gateway-auth\", \"portal-auth\", \"portal-prelogin\", \"gateway-connected\")\n | parse-kv AdditionalExtensions as (\n PanOSEventID: string,\n PanOSStage: string,\n PanOSLogTimeStamp: string,\n PanOSAuthMethod: string,\n PanOSTunnelType: string,\n PanOSSourceUserName: string,\n PanOSSourceRegion: string,\n PanOSEndpointDeviceName: string,\n PanOSPublicIPv4: string,\n PanOSPublicIPv6: string,\n PanOSPrivateIPv4: string,\n PanOSPrivateIPv6: string,\n PanOSHostID: string,\n PanOSGlobalProtectClientVersion: string,\n PanOSEndpointOSType: string,\n PanOSEndpointOSVersion: string,\n PanOSEventStatus: string,\n PanOSGPGatewayLocation: string,\n PanOSPortal: string,\n PanOSLoginDuration: string,\n PanOSConnectionError: string,\n PanOSDescription: string,\n PanOSDeviceSN: string,\n PanOSVirtualSystem: string\n ) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend EventType = case(\n PanOSEventID =~ \"gateway-login\", \"Logon\",\n PanOSEventID =~ \"gateway-logout\", \"Logoff\",\n PanOSEventID =~ \"gateway-auth\", \"Logon\",\n PanOSEventID =~ \"portal-auth\", \"Logon\",\n PanOSEventID =~ \"portal-prelogin\", \"Logon\",\n PanOSEventID =~ \"gateway-connected\", \"Logon\",\n \"\"\n )\n | where isnotempty(EventType)\n | extend LogonMethod = case(\n PanOSAuthMethod =~ \"LDAP\", \"Username & Password\",\n PanOSAuthMethod =~ 
\"RADIUS\", \"Username & Password\",\n PanOSAuthMethod =~ \"SAML\", \"Other\",\n PanOSAuthMethod =~ \"certificate\", \"PKI\",\n PanOSAuthMethod =~ \"local-database\", \"Username & Password\",\n PanOSAuthMethod =~ \"Kerberos\", \"Username & Password\",\n PanOSAuthMethod =~ \"TACACS+\", \"Username & Password\",\n PanOSAuthMethod =~ \"Cookie\", \"Other\",\n \"\"\n )\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSEndpointDeviceName')\n | lookup EventSeverityLookup on LogSeverity\n | extend EventSeverity = iif(isempty(EventSeverity), \"Informational\", EventSeverity)\n | extend\n EventResult = case(\n PanOSEventStatus =~ \"success\", \"Success\",\n PanOSEventStatus =~ \"failure\", \"Failure\",\n isnotempty(PanOSConnectionError), \"Failure\",\n \"Success\"\n ),\n EventResultDetails = case(\n PanOSConnectionError has \"auth\", \"No such user or password\",\n PanOSConnectionError has \"expired\", \"Session expired\",\n PanOSConnectionError has \"timeout\", \"Session expired\",\n PanOSConnectionError has \"cert\", \"Incorrect key\",\n PanOSConnectionError has \"policy\", \"Logon violates policy\",\n PanOSConnectionError has \"locked\", \"User locked\",\n PanOSConnectionError has \"disabled\", \"User disabled\",\n isnotempty(PanOSConnectionError), \"Other\",\n \"\"\n ),\n TargetUsername = coalesce(SourceUserName, PanOSSourceUserName),\n SrcIpAddr = coalesce(SourceIP, PanOSPublicIPv4, PanOSPublicIPv6),\n EventStartTime = coalesce(todatetime(PanOSLogTimeStamp), TimeGenerated),\n EventMessage = Message,\n SrcDvcOs = coalesce(PanOSEndpointOSVersion, PanOSEndpointOSType),\n TargetAppName = coalesce(PanOSPortal, \"GlobalProtect\"),\n TargetAppType = \"Service\",\n AdditionalFields = iff(\n pack,\n bag_pack(\n \"PanOSPortal\", PanOSPortal,\n \"PanOSGPGatewayLocation\", PanOSGPGatewayLocation,\n \"PanOSTunnelType\", PanOSTunnelType,\n \"PanOSGlobalProtectClientVersion\", PanOSGlobalProtectClientVersion,\n \"PanOSLoginDuration\", 
PanOSLoginDuration,\n \"PanOSHostID\", PanOSHostID,\n \"PanOSSourceRegion\", PanOSSourceRegion,\n \"PanOSVirtualSystem\", PanOSVirtualSystem,\n \"PanOSDescription\", PanOSDescription,\n \"PanOSPrivateIPv4\", PanOSPrivateIPv4,\n \"PanOSPrivateIPv6\", PanOSPrivateIPv6,\n \"PanOSDeviceSN\", PanOSDeviceSN,\n \"PanOSStage\", PanOSStage\n ),\n dynamic([])\n )\n | project-rename\n DvcIpAddr = Computer,\n DvcId = DeviceExternalID,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n EventOriginalSubType = PanOSEventID,\n EventOriginalResultDetails = PanOSConnectionError,\n LogonProtocol = PanOSTunnelType,\n TargetIpAddr = DestinationIP,\n EventUid = _ResourceId\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n Application = TargetAppName,\n DvcAction = iff(EventResult == \"Success\", \"Allowed\", \"Blocked\"),\n TargetHostname = DvcHostname,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n EventSubType = \"Remote\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.4\",\n EventProduct = \"PAN-OS\",\n EventVendor = \"Palo Alto\",\n Type = \"CommonSecurityLog\",\n EventCount = int(1)\n | project\n TimeGenerated,\n EventType,\n EventResult,\n EventResultDetails,\n EventOriginalResultDetails,\n EventMessage,\n EventStartTime,\n EventEndTime,\n EventCount,\n EventSeverity,\n EventOriginalSeverity,\n EventOriginalType,\n EventOriginalSubType,\n EventOriginalUid,\n EventSubType,\n EventProduct,\n EventProductVersion,\n EventVendor,\n EventSchema,\n EventSchemaVersion,\n EventUid,\n Dvc,\n DvcIpAddr,\n 
DvcId,\n DvcIdType,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n TargetUsername,\n TargetUsernameType,\n TargetUserType,\n User,\n TargetAppName,\n TargetAppType,\n TargetIpAddr,\n Dst,\n SrcIpAddr,\n SrcHostname,\n SrcDomain,\n SrcFQDN,\n SrcDomainType,\n SrcDvcOs,\n Src,\n IpAddr,\n LogonMethod,\n LogonProtocol,\n Application,\n DvcAction,\n TargetHostname,\n TargetDomain,\n TargetDomainType,\n AdditionalFields,\n Type\n};\nparser(disabled=disabled, pack=pack)\n",
3131
"version": 1,
3232
"functionParameters": "disabled:bool=False,pack:bool=False"
3333
}
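Review bot: New line 30 changes only `EventVendor` from `\"Palo Alto Networks\"` to `\"Palo Alto\"`, while the same query still selects rows with `DeviceVendor == \"Palo Alto Networks\"`, so the normalized vendor no longer echoes the raw one; that is correct if `Palo Alto` is the form the ASIM vendor list expects, but any downstream analytic rule or workbook that filters on `EventVendor == \"Palo Alto Networks\"` would silently stop matching these authentication events, so the rename deserves a mention in the commit message. The companion KQL/YAML parser is presumably the third changed file in this commit and is not visible here, so I cannot confirm it emits the same vendor string; since this ARM template appears to be the generated form of that parser, the two should be kept in lockstep by regenerating rather than hand-editing the JSON.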
