diff --git a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json
index d56e22cb70d..59a6bd8c546 100644
--- a/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json
+++ b/Parsers/ASimWebSession/ARM/vimWebSessionBarracudaCEF/vimWebSessionBarracudaCEF.json
@@ -35,7 +35,7 @@ "displayName": "Web Session ASIM filtering parser for Barracuda CEF", "category": "ASIM", "FunctionAlias": "vimWebSessionBarracudaCEF", - "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n 
httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventOutcome) has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | extend\n status_code = toint(EventOutcome)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 
399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\"),\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = 
iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n temp_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "query": "let barracudaSchema = datatable(\n ServerIP_s: string,\n UnitName_s: string,\n HTTPStatus_s: string,\n Action_s: string,\n Severity_s: string,\n DeviceReceiptTime_s: string,\n LogType_s: string,\n ClientIP_s: string,\n host_s: string,\n HostIP_s: string,\n BytesReceived_d: real,\n ServerPort_d: real,\n Cookie_s: string,\n Referer_s: string,\n Method_s: string,\n BytesSent_d: real,\n SessionID_s: string,\n ClientPort_d: real,\n AuthenticatedUser_s: string,\n CertificateUser_s: string,\n UserAgent_s: string,\n URL_s: string,\n CacheHit_d: real,\n ProxyIP_s: string,\n ProxyPort_d: real,\n RuleType_s: string,\n ServiceIP_s: string,\n TimeTaken_d: 
real,\n ServicePort_d: real,\n ProtocolVersion_s: string,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventResultWFLookup = datatable (\n Action_s: string,\n EventResult_WF: string,\n DvcAction: string\n)\n [\n \"LOG\", \"Success\", \"Allow\",\n \"DENY\", \"Failure\", \"Deny\",\n \"WARNING\", \"Success\", \"Allow\"\n];\nlet EventTypeLookup = datatable (\n LogType_s: string,\n EventType_lookup: string,\n EventOriginalType: string\n)\n [\n \"WF\", \"HTTPsession\", \"Web Firewall\",\n \"TR\", \"WebServerSession\", \"Access\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n ipaddr_has_any_prefix: dynamic=dynamic([]), \n url_has_any: dynamic=dynamic([]),\n httpuseragent_has_any: dynamic=dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string='*',\n disabled: bool=false\n ) {\nlet src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix);\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory in (\"WF\", \"TR\")\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(url_has_any) == 0 or RequestURL has_any (url_has_any))\n | where (array_length(httpuseragent_has_any) == 0 or RequestClientApplication has_any(httpuseragent_has_any))\n | where (array_length(eventresultdetails_in) == 0 or tostring(EventOutcome) 
has_any(eventresultdetails_in))\n | extend\n temp_SrcMatch = has_any_ipv4_prefix(SourceIP, src_or_any),\n temp_DstMatch = has_any_ipv4_prefix(DestinationIP, ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0,\n \"-\",\n temp_SrcMatch and temp_DstMatch,\n \"Both\",\n temp_SrcMatch,\n \"SrcIpAddr\",\n temp_DstMatch,\n \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\" \n | lookup EventResultWFLookup on $left.DeviceAction == $right.Action_s\n | extend\n status_code = toint(EventOutcome)\n | extend EventResult_TR = case(\n status_code between (200 .. 299),\n \"Success\", \n status_code between (400 .. 599),\n \"Failure\",\n status_code between (300 .. 399),\n \"Partial\",\n \"NA\"\n )\n | extend EventResult = iff(DeviceEventCategory == \"TR\", EventResult_TR, EventResult_WF)\n | where (eventresult == '*' or EventResult =~ eventresult)\n | lookup EventTypeLookup on $left.DeviceEventCategory == $right.LogType_s\n | extend\n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dst = DestinationIP,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.6\",\n EventVendor = \"Barracuda\"\n | extend\n Dvc = DeviceName,\n DstIpAddr = DestinationIP,\n SrcIpAddr = SourceIP,\n DstBytes = tolong(ReceivedBytes),\n DstPortNumber = toint(coalesce(DestinationPort,FieldDeviceCustomNumber1)),\n HttpCookie = RequestCookies,\n HttpReferrer = RequestContext,\n HttpRequestBodyBytes = tolong(ReceivedBytes),\n HttpRequestMethod = RequestMethod,\n HttpResponseBodyBytes = tolong(SentBytes),\n NetworkDuration = toint(FlexNumber2),\n HttpUserAgent = RequestClientApplication,\n NetworkSessionId = SourceUserID,\n RuleName = iff(DeviceEventCategory == \"WF\", DeviceCustomString3, \"\"),\n SrcPortNumber = toint(SourcePort),\n SrcUsername = SourceUserName,\n DstUsername = DestinationUserName,\n Url = RequestURL,\n 
HttpResponseCacheControl = iff(\n FieldDeviceCustomNumber2 == 0,\n \"Response from the server\",\n \"Response from the cache\"\n ),\n AdditionalFields = bag_pack(\n \"ProxyIP\",\n iff(DeviceEventCategory == \"WF\", DeviceCustomString5, DeviceCustomString3),\n \"ProxyPort\",\n FieldDeviceCustomNumber3\n ),\n DvcHostname = DeviceName,\n DvcIpAddr = DeviceAddress,\n EventResultDetails = EventOutcome,\n HttpVersion = FlexString1,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend \n SrcUsernameType = iff(isnotempty(SrcUsername), \"Simple\", \"\"),\n DstUsernameType = iff(isnotempty(DstUsername), \"Simple\", \"\"),\n EventEndTime = EventStartTime\n | extend\n Duration = NetworkDuration,\n HttpStatusCode = EventResultDetails,\n Rule = RuleName,\n SessionId = NetworkSessionId,\n UserAgent = HttpUserAgent,\n User = SrcUsername,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n EventResult_*,\n temp_*,\n status_code,\n EventType_lookup,\n TenantId,\n CollectorHostName;\n BarracudaCEF\n};\nparser(\n starttime=starttime, \n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n ipaddr_has_any_prefix=ipaddr_has_any_prefix, \n url_has_any=url_has_any,\n httpuseragent_has_any=httpuseragent_has_any,\n eventresultdetails_in=eventresultdetails_in,\n 
eventresult=eventresult,\n disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" }