From 8c651c9ef119e9db051d585984f5bd2ac13c4c9c Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Wed, 15 Jan 2025 11:47:09 +0530
Subject: [PATCH] fixing validations

---
 .../Parsers/ASimNetworkSessionCiscoASA.yaml | 4 +-
 .../Parsers/vimNetworkSessionCiscoASA.yaml | 4 +-
 .../Cisco_ASA_NetworkSession_IngestedLogs.csv | 6 +-
 .../Cisco_ASA_NetworkSession_SchemaTest.csv | 99 ------------------- 
 4 files changed, 7 insertions(+), 106 deletions(-)
 delete mode 100644 Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv

diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
index 90935bb37f2..ed38a10c007 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
@@ -246,7 +246,7 @@ ParserQuery: |
 | where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
 | where DeviceEventClassID in ("106001","106006","106015","106016","106021","106022","106010","106014","106018","106023","302013","302015","302014","302016","302020","302021","710002","710003","710004","710005","106007","106017","106100","106002","106012","106013","106020")
 | lookup ActionResultLookup on DeviceEventClassID
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let parsedData = allLogs
 | where isnotempty(SourceIP)
 | project-rename NetworkRuleName = DeviceCustomString2,
@@ -256,7 +256,7 @@ ParserQuery: |
 DstPortNumber = DestinationPort;
 let unparsedData = allLogs
 | where isempty(SourceIP)
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let all_106001_alike = parsedData
 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022")
 | parse Message with * " interface " DstInterfaceName;
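Review bot: The `+` line adds the raw source column `Type` to the `project` list with nothing saying why a table-level column now has to survive this projection, and the identical edit is repeated for the unparsedData list in the hunk at 256 and in both hunks of vimNetworkSessionCiscoASA.yaml (288 and 312), so four lists must now be kept in lockstep by hand. The new IngestedLogs sample shows `Type` arriving in the parser output as `CommonSecurityLog`, which suggests the column is intended to reach the result rather than be dropped later, but the rest of ParserQuery is outside the hunk so that cannot be confirmed here. A one-line KQL comment above each projection, e.g. `// Type (source table) is kept deliberately; the unparsedData projection below must list the same columns`, would record the intent and warn the next maintainer that the two lists feed the same union. The enclosing ParserQuery block starts and ends outside the hunk.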
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
index 2b17960524d..361c1b56f61 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
@@ -288,7 +288,7 @@ ParserQuery: |
 | lookup ActionResultLookup on DeviceEventClassID
 | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == "")
 | where ((eventresult == "*") or EventResult == eventresult or EventResult == "")
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let parsedData = allLogs
 | where isnotempty(SourceIP)
 | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))
@@ -312,7 +312,7 @@ ParserQuery: |
 | where Message has tostring(dstportnumber) and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let all_106001_alike = parsedData
 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022")
 | parse Message with * " interface " DstInterfaceName;
diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
index 2b544aaa476..51d2cfa5ea7 100644
--- a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
@@ -1,3 +1,3 @@
-EventOriginalType,EventOriginalSeverity,Dvc,DstIpAddr,DstPortNumber,EventMessage,SrcIpAddr,SrcPortNumber,EventProductVersion,NetworkRuleName,DvcAction,EventResult,TimeGenerated,DvcOriginalAction,DstInterfaceName,SrcInterfaceName,NetworkIcmpType,NetworkIcmpCode,SrcUsername,NetworkDirection,NetworkSessionId,SrcNatIpAddr,SrcNatPortNumber,DstNatIpAddr,DstNatPortNumber,DstUsername,SessionId,EventSubType,NetworkDuration,NetworkBytes,EventResultDetails,EventOriginalResultDetails,SrcUsernameType,DstAppName,ThreatName,EventCount,EventStartTime,EventEndTime,EventVendor,EventProduct,EventType,EventSchema,EventSchemaVersion,DstUsernameType,NetworkProtocol,EventSeverity,Src,Dst,Duration,IpAddr,Rule,User
-710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003: TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11/5/2024 11:52:00 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 11:52:00 PM,11/5/2024 11:52:00 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-
-710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003: TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11/5/2024 11:52:00 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 11:52:00 PM,11/5/2024 11:52:00 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-
+EventOriginalType,EventOriginalSeverity,Dvc,DstIpAddr,DstPortNumber,EventMessage,SrcIpAddr,SrcPortNumber,EventProductVersion,NetworkRuleName,DvcAction,EventResult,TimeGenerated,DvcOriginalAction,DstInterfaceName,SrcInterfaceName,NetworkIcmpType,NetworkIcmpCode,SrcUsername,NetworkDirection,NetworkSessionId,SrcNatIpAddr,SrcNatPortNumber,DstNatIpAddr,DstNatPortNumber,DstUsername,SessionId,EventSubType,NetworkDuration,NetworkBytes,EventResultDetails,EventOriginalResultDetails,SrcUsernameType,DstAppName,ThreatName,EventCount,EventStartTime,EventEndTime,EventVendor,EventProduct,EventType,EventSchema,EventSchemaVersion,DstUsernameType,NetworkProtocol,EventSeverity,Src,Dst,Duration,IpAddr,Rule,User,Type
+710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003: TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11-05-2024 23:52,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11-05-2024 23:52,11-05-2024 23:52,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-,CommonSecurityLog
+710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003: TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11-05-2024 23:52,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11-05-2024 23:52,11-05-2024 23:52,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-,CommonSecurityLog
diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv
deleted file mode 100644
index 56661aff234..00000000000
--- a/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv
+++ /dev/null
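Review bot: The rewritten TimeGenerated, EventStartTime and EventEndTime cells on the `+` rows use `11-05-2024 23:52`, a format whose day/month order depends on the parsing locale and which carries neither seconds nor a timezone; the value it replaces, `11/5/2024 11:52:00 PM`, reads as 5 November in US order, so a consumer that parses the new value as day-first will silently land on 11 May. If these timestamps are compared against parser output during validation, an ISO 8601 value such as `2024-11-05T23:52:00Z` (constructed from the old value) is parsed identically everywhere and avoids the ambiguity. The two data rows are also byte-identical, which is pre-existing and presumably deliberate, but a second distinct sample (for example a `302013` build event) would exercise the parsedData path rather than only the ACL-deny message.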
@@ -1,99 +0,0 @@
-Result
-"(1) Warning: Missing recommended field [DvcDomain]"
-"(1) Warning: Missing recommended field [TargetDomain]"
-"(1) Warning: Missing recommended field [TargetHostname]"
-"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
-"(2) Info: Missing optional field [ActingAppId]"
-"(2) Info: Missing optional field [ActingAppName]"
-"(2) Info: Missing optional field [ActingAppType]"
-"(2) Info: Missing optional field [ActorOriginalUserType]"
-"(2) Info: Missing optional field [ActorScopeId]"
-"(2) Info: Missing optional field [ActorScope]"
-"(2) Info: Missing optional field [ActorSessionId]"
-"(2) Info: Missing optional field [ActorUserId]"
-"(2) Info: Missing optional field [ActorUserType]"
-"(2) Info: Missing optional field [ActorUsername]"
-"(2) Info: Missing optional field [AdditionalFields]"
-"(2) Info: Missing optional field [DvcDescription]"
-"(2) Info: Missing optional field [DvcFQDN]"
-"(2) Info: Missing optional field [DvcId]"
-"(2) Info: Missing optional field [DvcInterface]"
-"(2) Info: Missing optional field [DvcMacAddr]"
-"(2) Info: Missing optional field [DvcOriginalAction]"
-"(2) Info: Missing optional field [DvcOsVersion]"
-"(2) Info: Missing optional field [DvcOs]"
-"(2) Info: Missing optional field [DvcScopeId]"
-"(2) Info: Missing optional field [DvcScope]"
-"(2) Info: Missing optional field [DvcZone]"
-"(2) Info: Missing optional field [EventMessage]"
-"(2) Info: Missing optional field [EventOriginalResultDetails]"
-"(2) Info: Missing optional field [EventOriginalSeverity]"
-"(2) Info: Missing optional field [EventOriginalSubType]"
-"(2) Info: Missing optional field [EventOriginalUid]"
-"(2) Info: Missing optional field [EventOwner]"
-"(2) Info: Missing optional field [EventProductVersion]"
-"(2) Info: Missing optional field [EventReportUrl]"
-"(2) Info: Missing optional field [HttpUserAgent]"
-"(2) Info: Missing optional field [LogonMethod]"
-"(2) Info: Missing optional field [LogonProtocol]"
-"(2) Info: Missing optional field [LogonTarget]"
-"(2) Info: Missing optional field [RuleName]"
-"(2) Info: Missing optional field [RuleNumber]"
-"(2) Info: Missing optional field [Rule]"
-"(2) Info: Missing optional field [SrcDescription]"
-"(2) Info: Missing optional field [SrcDeviceType]"
-"(2) Info: Missing optional field [SrcDomain]"
-"(2) Info: Missing optional field [SrcDvcId]"
-"(2) Info: Missing optional field [SrcDvcOs]"
-"(2) Info: Missing optional field [SrcDvcScopeId]"
-"(2) Info: Missing optional field [SrcDvcScope]"
-"(2) Info: Missing optional field [SrcFQDN]"
-"(2) Info: Missing optional field [SrcGeoCity]"
-"(2) Info: Missing optional field [SrcGeoCountry]"
-"(2) Info: Missing optional field [SrcGeoLatitude]"
-"(2) Info: Missing optional field [SrcGeoLongitude]"
-"(2) Info: Missing optional field [SrcGeoRegion]"
-"(2) Info: Missing optional field [SrcHostname]"
-"(2) Info: Missing optional field [SrcIsp]"
-"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
-"(2) Info: Missing optional field [SrcRiskLevel]"
-"(2) Info: Missing optional field [TargetAppId]"
-"(2) Info: Missing optional field [TargetAppName]"
-"(2) Info: Missing optional field [TargetAppType]"
-"(2) Info: Missing optional field [TargetDescription]"
-"(2) Info: Missing optional field [TargetDeviceType]"
-"(2) Info: Missing optional field [TargetDvcId]"
-"(2) Info: Missing optional field [TargetDvcOs]"
-"(2) Info: Missing optional field [TargetDvcScopeId]"
-"(2) Info: Missing optional field [TargetDvcScope]"
-"(2) Info: Missing optional field [TargetFQDN]"
-"(2) Info: Missing optional field [TargetGeoCity]"
-"(2) Info: Missing optional field [TargetGeoCountry]"
-"(2) Info: Missing optional field [TargetGeoLatitude]"
-"(2) Info: Missing optional field [TargetGeoLongitude]"
-"(2) Info: Missing optional field [TargetGeoRegion]"
-"(2) Info: Missing optional field [TargetHostname]"
-"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
-"(2) Info: Missing optional field [TargetOriginalUserType]"
-"(2) Info: Missing optional field [TargetPortNumber]"
-"(2) Info: Missing optional field [TargetRiskLevel]"
-"(2) Info: Missing optional field [TargetSessionId]"
-"(2) Info: Missing optional field [TargetSessionId]"
-"(2) Info: Missing optional field [TargetSessionId]"
-"(2) Info: Missing optional field [TargetUrl]"
-"(2) Info: Missing optional field [TargetUserId]"
-"(2) Info: Missing optional field [TargetUserScopeId]"
-"(2) Info: Missing optional field [TargetUserScope]"
-"(2) Info: Missing optional field [TargetUserType]"
-"(2) Info: Missing optional field [ThreatCategory]"
-"(2) Info: Missing optional field [ThreatConfidence]"
-"(2) Info: Missing optional field [ThreatField]"
-"(2) Info: Missing optional field [ThreatFirstReportedTime]"
-"(2) Info: Missing optional field [ThreatId]"
-"(2) Info: Missing optional field [ThreatIpAddr]"
-"(2) Info: Missing optional field [ThreatIsActive]"
-"(2) Info: Missing optional field [ThreatLastReportedTime]"
-"(2) Info: Missing optional field [ThreatName]"
-"(2) Info: Missing optional field [ThreatOriginalConfidence]"
-"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
-"(2) Info: Missing optional field [ThreatRiskLevel]"