diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
index 51d2cfa5ea..4c28776f05 100644
--- a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
@@ -1,3 +1,3 @@
-EventOriginalType,EventOriginalSeverity,Dvc,DstIpAddr,DstPortNumber,EventMessage,SrcIpAddr,SrcPortNumber,EventProductVersion,NetworkRuleName,DvcAction,EventResult,TimeGenerated,DvcOriginalAction,DstInterfaceName,SrcInterfaceName,NetworkIcmpType,NetworkIcmpCode,SrcUsername,NetworkDirection,NetworkSessionId,SrcNatIpAddr,SrcNatPortNumber,DstNatIpAddr,DstNatPortNumber,DstUsername,SessionId,EventSubType,NetworkDuration,NetworkBytes,EventResultDetails,EventOriginalResultDetails,SrcUsernameType,DstAppName,ThreatName,EventCount,EventStartTime,EventEndTime,EventVendor,EventProduct,EventType,EventSchema,EventSchemaVersion,DstUsernameType,NetworkProtocol,EventSeverity,Src,Dst,Duration,IpAddr,Rule,User,Type
-710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003: TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11-05-2024 23:52,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11-05-2024 23:52,11-05-2024 23:52,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-,CommonSecurityLog
-710003,3,FWL-VPN-MN,192.168.1.1,80,%ASA-3-710003: TCP access denied by ACL from 192.168.1.1/4669 to outside:192.168.1.1/80,192.168.1.1,4669,-,-,Deny,Failure,11-05-2024 23:52,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11-05-2024 23:52,11-05-2024 23:52,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,192.168.1.1,192.168.1.1,-,192.168.1.1,-,-,CommonSecurityLog
+TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime [UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,Type,_ResourceId
+01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106023,,Low,6,,,,,,,,,,,,local4,,,,,,,,,,,,,,,,,,192.168.1.1,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106023: SSH session from 192.168.1.5 on interface inside for user ""*****"" disconnected by SSH server, reason: ""Rejected by server"" (0x0d) ",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1
+01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106006,,Low,6,,,,,,,,,,,,local4,,,,,,,,,,,,,,,,,,192.168.1.1,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106006: Login denied from 192.168.1.5/2432 to inside:192.168.1.1/ssh for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1
diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv
new file mode 100644
index 0000000000..56661aff23
--- /dev/null
+++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_SchemaTest.csv
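Review bot: The new rows carry what look like real Azure identifiers — the TenantId `01680ad8-1090-4dec-a395-f77b161a9051` and the `_ResourceId` path `/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1` — in a sample-data file that ships publicly; unless these are known to be synthetic, replace them with placeholder GUIDs and a dummy resource path, the way the message field already masks the username as `""*****""`. The rows they replace were ASA 710003 `TCP access denied by ACL` network-session events, whereas the new ones are 106023/106006 SSH `disconnected`/`Login denied` events whose message text does not look like the usual ASA meaning of those IDs, so the file may no longer exercise the NetworkSession parser it is named for (the accompanying SchemaTest.csv reporting Authentication-schema fields such as `[LogonMethod]` and `[LogonProtocol]` points the same way). The datetime columns also keep the portal-export suffix (`TimeGenerated [UTC]`, `EndTime [UTC]`, `StartTime [UTC]`) and locale-formatted values such as `"7/5/2023, 2:16:44.756 PM"`; if the ingestion tooling expects the bare column names and ISO timestamps, this header will not match.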
@@ -0,0 +1,99 @@
+Result
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [TargetDomain]"
+"(1) Warning: Missing recommended field [TargetHostname]"
+"(2) Info: Missing optional alias [Application] aliasing non-existent column [TargetAppName]"
+"(2) Info: Missing optional field [ActingAppId]"
+"(2) Info: Missing optional field [ActingAppName]"
+"(2) Info: Missing optional field [ActingAppType]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserId]"
+"(2) Info: Missing optional field [ActorUserType]"
+"(2) Info: Missing optional field [ActorUsername]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcOsVersion]"
+"(2) Info: Missing optional field [DvcOs]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalResultDetails]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOriginalUid]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventProductVersion]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [HttpUserAgent]"
+"(2) Info: Missing optional field [LogonMethod]"
+"(2) Info: Missing optional field [LogonProtocol]"
+"(2) Info: Missing optional field [LogonTarget]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDomain]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcOs]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcHostname]"
+"(2) Info: Missing optional field [SrcIsp]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [TargetAppId]"
+"(2) Info: Missing optional field [TargetAppName]"
+"(2) Info: Missing optional field [TargetAppType]"
+"(2) Info: Missing optional field [TargetDescription]"
+"(2) Info: Missing optional field [TargetDeviceType]"
+"(2) Info: Missing optional field [TargetDvcId]"
+"(2) Info: Missing optional field [TargetDvcOs]"
+"(2) Info: Missing optional field [TargetDvcScopeId]"
+"(2) Info: Missing optional field [TargetDvcScope]"
+"(2) Info: Missing optional field [TargetFQDN]"
+"(2) Info: Missing optional field [TargetGeoCity]"
+"(2) Info: Missing optional field [TargetGeoCountry]"
+"(2) Info: Missing optional field [TargetGeoLatitude]"
+"(2) Info: Missing optional field [TargetGeoLongitude]"
+"(2) Info: Missing optional field [TargetGeoRegion]"
+"(2) Info: Missing optional field [TargetHostname]"
+"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
+"(2) Info: Missing optional field [TargetOriginalUserType]"
+"(2) Info: Missing optional field [TargetPortNumber]"
+"(2) Info: Missing optional field [TargetRiskLevel]"
+"(2) Info: Missing optional field [TargetSessionId]"
+"(2) Info: Missing optional field [TargetSessionId]"
+"(2) Info: Missing optional field [TargetSessionId]"
+"(2) Info: Missing optional field [TargetUrl]"
+"(2) Info: Missing optional field [TargetUserId]"
+"(2) Info: Missing optional field [TargetUserScopeId]"
+"(2) Info: Missing optional field [TargetUserScope]"
+"(2) Info: Missing optional field [TargetUserType]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"