fixing validations

Azure · Jan 15, 2025 · 8c651c9 · 8c651c9
1 parent 5d68c3f
commit 8c651c9
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 106 deletions.
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
@@ -246,7 +246,7 @@ ParserQuery: |
                 | where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
                 | where DeviceEventClassID in ("106001","106006","106015","106016","106021","106022","106010","106014","106018","106023","302013","302015","302014","302016","302020","302021","710002","710003","710004","710005","106007","106017","106100","106002","106012","106013","106020")
                 | lookup ActionResultLookup on DeviceEventClassID
-                | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+                | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
       let parsedData = allLogs
                 | where isnotempty(SourceIP)
                 | project-rename NetworkRuleName = DeviceCustomString2,
@@ -256,7 +256,7 @@ ParserQuery: |
                                  DstPortNumber = DestinationPort;
       let unparsedData = allLogs
                 | where isempty(SourceIP)
-                | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+                | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
       let all_106001_alike = parsedData
                 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022") 
                 | parse Message with * " interface " DstInterfaceName;

diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
@@ -288,7 +288,7 @@ ParserQuery: |
                 | lookup ActionResultLookup on DeviceEventClassID
                 | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == "")
                 | where ((eventresult == "*") or EventResult == eventresult or EventResult == "")
-                | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+                | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
       let parsedData = allLogs
                 | where isnotempty(SourceIP)
                 | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))
@@ -312,7 +312,7 @@ ParserQuery: |
                 | where Message has tostring(dstportnumber)
                         and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) 
                             or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))
-                | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+                | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
       let all_106001_alike = parsedData
                 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022") 
                 | parse Message with * " interface " DstInterfaceName;

diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
@@ -1,3 +1,3 @@
-EventOriginalType,EventOriginalSeverity,Dvc,DstIpAddr,DstPortNumber,EventMessage,SrcIpAddr,SrcPortNumber,EventProductVersion,NetworkRuleName,DvcAction,EventResult,TimeGenerated,DvcOriginalAction,DstInterfaceName,SrcInterfaceName,NetworkIcmpType,NetworkIcmpCode,SrcUsername,NetworkDirection,NetworkSessionId,SrcNatIpAddr,SrcNatPortNumber,DstNatIpAddr,DstNatPortNumber,DstUsername,SessionId,EventSubType,NetworkDuration,NetworkBytes,EventResultDetails,EventOriginalResultDetails,SrcUsernameType,DstAppName,ThreatName,EventCount,EventStartTime,EventEndTime,EventVendor,EventProduct,EventType,EventSchema,EventSchemaVersion,DstUsernameType,NetworkProtocol,EventSeverity,Src,Dst,Duration,IpAddr,Rule,User
-710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003:  TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11/5/2024 11:52:00 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 11:52:00 PM,11/5/2024 11:52:00 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-
-710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003:  TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11/5/2024 11:52:00 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 11:52:00 PM,11/5/2024 11:52:00 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-
+EventOriginalType,EventOriginalSeverity,Dvc,DstIpAddr,DstPortNumber,EventMessage,SrcIpAddr,SrcPortNumber,EventProductVersion,NetworkRuleName,DvcAction,EventResult,TimeGenerated,DvcOriginalAction,DstInterfaceName,SrcInterfaceName,NetworkIcmpType,NetworkIcmpCode,SrcUsername,NetworkDirection,NetworkSessionId,SrcNatIpAddr,SrcNatPortNumber,DstNatIpAddr,DstNatPortNumber,DstUsername,SessionId,EventSubType,NetworkDuration,NetworkBytes,EventResultDetails,EventOriginalResultDetails,SrcUsernameType,DstAppName,ThreatName,EventCount,EventStartTime,EventEndTime,EventVendor,EventProduct,EventType,EventSchema,EventSchemaVersion,DstUsernameType,NetworkProtocol,EventSeverity,Src,Dst,Duration,IpAddr,Rule,User,Type
+710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003:  TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11-05-2024 23:52,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11-05-2024 23:52,11-05-2024 23:52,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-,CommonSecurityLog
+710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003:  TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11-05-2024 23:52,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11-05-2024 23:52,11-05-2024 23:52,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-,CommonSecurityLog
diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv