From 5d2a0df603fa27a7adb7e0e7c662be7cc3d75d0a Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Sun, 19 Jan 2025 18:34:33 +0530
Subject: [PATCH 01/11] updated ASA ASIM Parser
---
 .../Parsers/ASimNetworkSessionCiscoASA.yaml | 13 ++++++-----
 .../Parsers/vimNetworkSessionCiscoASA.yaml | 13 ++++++-----
 .../Cisco_ASA_NetworkSession_IngestedLogs.csv | 22 +++++++++++++++++++
 3 files changed, 38 insertions(+), 10 deletions(-)
 create mode 100644 Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
index 00910395c62..4fd367c2e67 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
@@ -1,12 +1,12 @@
 Parser:
 Title: Network Session ASIM parser for Cisco ASA
- Version: '1.0'
- LastUpdated: August 03, 2022
+ Version: '0.1.1'
+ LastUpdated: Jan 09, 2025
 Product:
 Name: CiscoASA
 Normalization:
 Schema: NetworkSession
- Version: '0.2.4'
+ Version: '0.2.6'
 References:
 - Title: ASIM Network Session Schema
 Link: https://aka.ms/ASimNetworkSessionDoc
@@ -246,7 +246,7 @@ ParserQuery: |
 | where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
 | where DeviceEventClassID in ("106001","106006","106015","106016","106021","106022","106010","106014","106018","106023","302013","302015","302014","302016","302020","302021","710002","710003","710004","710005","106007","106017","106100","106002","106012","106013","106020")
 | lookup ActionResultLookup on DeviceEventClassID
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let parsedData = allLogs
 | where isnotempty(SourceIP)
 | project-rename NetworkRuleName = DeviceCustomString2,
@@ -256,7 +256,7 @@ ParserQuery: |
 DstPortNumber = DestinationPort;
 let unparsedData = allLogs
 | where isempty(SourceIP)
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let all_106001_alike = parsedData
 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022")
 | parse Message with * " interface " DstInterfaceName;
@@ -273,6 +273,9 @@ ParserQuery: |
 let all_106023_unparsed = unparsedData
 | where DeviceEventClassID == "106023" and not(Message has "protocol 41")
 | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort "(" SrcUsername ") dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+ | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort " dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+ | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, "(")[0]
+ | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, "")
 | parse NetworkIcmpInfo with "(type " NetworkIcmpType ", code " NetworkIcmpCode:int ") "
 | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,"/"), DstIpAddrAndPort = split(DstIpAddrAndPort,"/")
 | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
index d0f0fe6a39b..b52e4a07947 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
@@ -1,12 +1,12 @@
 Parser:
 Title: Network Session ASIM parser for Cisco ASA
- Version: '1.0'
- LastUpdated: August 03, 2022
+ Version: '0.1.1'
+ LastUpdated: Jan 09, 2025
 Product:
 Name: CiscoASA
 Normalization:
 Schema: NetworkSession
- Version: '0.2.4'
+ Version: '0.2.6'
 References:
 - Title: ASIM Network Session Schema
 Link: https://aka.ms/ASimNetworkSessionDoc
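Review bot: The second `parse` added here runs on every row of all_106023_unparsed, including rows the first pattern (with `"(" SrcUsername ")"`) already matched, so for messages that carry a username it re-extracts `SrcIpAddrAndPort` as `ip/port(user)` and the result is only correct because of the `split(SrcIpAddrAndPort, "(")[0]` on the next added line — that coupling deserves a comment such as `// 106023 may or may not carry "(user)" after the source address: the 2nd parse covers the no-user form, split() strips the "(user)" suffix the 2nd parse leaves on the user form`. It also relies on `parse` overwriting the columns the first parse created (as `extend` does) while leaving the SrcUsername captured by the first pass intact; a quick run against both message forms would confirm that. The `extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, "")` line looks like a no-op for a string column — a failed match already leaves the empty string, which is the only value isnotempty rejects — so either drop it or note what it guards against. Separately, the vim header hunk on this same line moves Parser.Version from '1.0' to '0.1.1', a step backwards rather than a bump; confirm that is intended. The enclosing let statement continues past the end of the hunk.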
@@ -288,7 +288,7 @@ ParserQuery: |
 | lookup ActionResultLookup on DeviceEventClassID
 | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == "")
 | where ((eventresult == "*") or EventResult == eventresult or EventResult == "")
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let parsedData = allLogs
 | where isnotempty(SourceIP)
 | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))
@@ -312,7 +312,7 @@ ParserQuery: |
 | where Message has tostring(dstportnumber) and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))
- | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let all_106001_alike = parsedData
 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022")
 | parse Message with * " interface " DstInterfaceName;
@@ -329,6 +329,9 @@ ParserQuery: |
 let all_106023_unparsed = unparsedData
 | where DeviceEventClassID == "106023" and not(Message has "protocol 41")
 | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort "(" SrcUsername ") dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+ | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort " dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+ | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, "(")[0]
+ | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, "")
 | parse NetworkIcmpInfo with "(type " NetworkIcmpType ", code " NetworkIcmpCode:int ") "
 | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,"/"), DstIpAddrAndPort = split(DstIpAddrAndPort,"/")
 | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),
diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
new file mode 100644
index 00000000000..c517c6afbe9
--- /dev/null
+++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
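Review bot: This vim hunk carries the same three added lines as the ASim parser and the same caveat applies: the second `parse` runs on rows the first pattern already matched and only the following `split(SrcIpAddrAndPort, "(")[0]` keeps `SrcIpAddrAndPort` clean for messages that carry "(user)", which should be said in a comment, e.g. `// second parse handles 106023 without "(user)"; split() removes the "(user)" suffix it leaves on the other form — keep in sync with ASimNetworkSessionCiscoASA.yaml`. The `iff(isnotempty(SrcUsername), SrcUsername, "")` line appears redundant for a string column, since the empty string a failed match leaves behind is the only value isnotempty rejects. The enclosing let statement continues beyond the hunk.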
@@ -0,0 +1,22 @@ +EventOriginalType,EventOriginalSeverity,Dvc,DstIpAddr,DstPortNumber,EventMessage,SrcIpAddr,SrcPortNumber,EventProductVersion,NetworkRuleName,DvcAction,EventResult,TimeGenerated,DvcOriginalAction,ASimMatchingIpAddr,DstInterfaceName,SrcInterfaceName,NetworkIcmpType,NetworkIcmpCode,SrcUsername,NetworkDirection,NetworkSessionId,SrcNatIpAddr,SrcNatPortNumber,DstNatIpAddr,DstNatPortNumber,DstUsername,SessionId,EventSubType,NetworkDuration,NetworkBytes,EventResultDetails,EventOriginalResultDetails,SrcUsernameType,DstAppName,ThreatName,EventCount,EventStartTime,EventEndTime,EventVendor,EventProduct,EventType,EventSchema,EventSchemaVersion,DstUsernameType,NetworkProtocol,EventSeverity,Src,Dst,Duration,IpAddr,Rule,User,Type +106001,2,FWL-VPN-MN,192.168.1.3,8008,%ASA-2-106001: Inbound TCP connection denied from 172.18.27.212/51062 to 192.168.1.3/8008 flags SYN on interface outside,172.18.27.212,51062,-,-,Deny,Failure,11/1/2024 1:07:47 PM,denied,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/1/2024 1:07:47 PM,11/1/2024 1:07:47 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,172.18.27.212,192.168.1.3,-,172.18.27.212,-,-,CommonSecurityLog +106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/65530 to 192.168.1.1/53 due to DNS Query,172.18.27.50,65530,-,-,Deny,Failure,10/29/2024 4:31:48 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:31:48 AM,10/29/2024 4:31:48 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog +106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.72.232/50309 dst routing:10.3.50.5/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xf99004e5]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog 
+710003,3,FWL-VPN-MN,65.141.250.92,22,%ASA-3-710003: TCP access denied by ACL from 178.215.238.131/39591 to outside:65.141.250.92/22,178.215.238.131,39591,-,-,Deny,Failure,11/5/2024 10:04:25 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:04:25 PM,11/5/2024 10:04:25 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,178.215.238.131,65.141.250.92,-,178.215.238.131,-,-,CommonSecurityLog +106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.72.61/56585 dst routing:10.6.50.4/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xf99004e5]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog +106023,4,172.20.4.10,-,-,"%FTD-4-106023: Deny tcp src osi_corp:172.17.252.95/51248 dst sct-bcc-dmz:172.20.53.85/443 by access-group ""NGFW_ONBOX_ACL"" [0x84953cae, 0x0]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog +106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.73.181/40182 dst routing:172.16.100.3/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xc2f09170]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog +106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.73.43/45458 dst routing:172.16.50.3/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xc2f09170]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog 
+106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/58534 to 192.168.1.1/53 due to DNS Query,172.18.27.50,58534,-,-,Deny,Failure,10/29/2024 4:31:58 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:31:58 AM,10/29/2024 4:31:58 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog +106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/58534 to 192.168.1.1/53 due to DNS Query,172.18.27.50,58534,-,-,Deny,Failure,10/29/2024 4:31:58 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:31:58 AM,10/29/2024 4:31:58 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog +106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/58534 to 192.168.1.1/53 due to DNS Query,172.18.27.50,58534,-,-,Deny,Failure,10/29/2024 4:32:00 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:32:00 AM,10/29/2024 4:32:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 206.188.247.134/56423 to outside:65.141.250.92/80,206.188.247.134,56423,-,-,Deny,Failure,11/5/2024 10:07:29 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:07:29 PM,11/5/2024 10:07:29 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,206.188.247.134,65.141.250.92,-,206.188.247.134,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.12/17706 to outside:65.141.250.92/80,43.240.149.12,17706,-,-,Deny,Failure,11/5/2024 10:02:24 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:02:24 PM,11/5/2024 10:02:24 
PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.12,65.141.250.92,-,43.240.149.12,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.203/28695 to outside:65.141.250.92/80,43.240.149.203,28695,-,-,Deny,Failure,11/5/2024 10:02:29 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:02:29 PM,11/5/2024 10:02:29 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.203,65.141.250.92,-,43.240.149.203,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,23,%ASA-3-710003: TCP access denied by ACL from 195.64.252.231/3827 to outside:65.141.250.92/23,195.64.252.231,3827,-,-,Deny,Failure,11/5/2024 10:02:44 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:02:44 PM,11/5/2024 10:02:44 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,195.64.252.231,65.141.250.92,-,195.64.252.231,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,23,%ASA-3-710003: TCP access denied by ACL from 180.47.13.137/20752 to outside:65.141.250.92/23,180.47.13.137,20752,-,-,Deny,Failure,11/5/2024 9:04:03 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:03 PM,11/5/2024 9:04:03 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,180.47.13.137,65.141.250.92,-,180.47.13.137,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,23,%ASA-3-710003: TCP access denied by ACL from 138.19.52.228/44363 to outside:65.141.250.92/23,138.19.52.228,44363,-,-,Deny,Failure,11/5/2024 9:04:04 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:04 PM,11/5/2024 9:04:04 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,138.19.52.228,65.141.250.92,-,138.19.52.228,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.12/57705 to outside:65.141.250.92/80,43.240.149.12,57705,-,-,Deny,Failure,11/5/2024 9:04:15 
PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:15 PM,11/5/2024 9:04:15 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.12,65.141.250.92,-,43.240.149.12,-,-,CommonSecurityLog +710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.203/57705 to outside:65.141.250.92/80,43.240.149.203,57705,-,-,Deny,Failure,11/5/2024 9:04:16 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:16 PM,11/5/2024 9:04:16 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.203,65.141.250.92,-,43.240.149.203,-,-,CommonSecurityLog +106001,2,FWL-VPN-MN,192.168.1.3,8008,%ASA-2-106001: Inbound TCP connection denied from 172.18.27.212/51062 to 192.168.1.3/8008 flags SYN on interface outside,172.18.27.212,51062,-,-,Deny,Failure,11/1/2024 1:07:50 PM,denied,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/1/2024 1:07:50 PM,11/1/2024 1:07:50 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,172.18.27.212,192.168.1.3,-,172.18.27.212,-,-,CommonSecurityLog +106001,2,FWL-VPN-MN,192.168.1.3,8008,%ASA-2-106001: Inbound TCP connection denied from 172.18.27.212/51079 to 192.168.1.3/8008 flags SYN on interface outside,172.18.27.212,51079,-,-,Deny,Failure,11/1/2024 1:07:51 PM,denied,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/1/2024 1:07:51 PM,11/1/2024 1:07:51 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,172.18.27.212,192.168.1.3,-,172.18.27.212,-,-,CommonSecurityLog From 660c898448e06c9c621d3008dcf8fbdd0b3da812 Mon Sep 17 00:00:00 2001 
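Review bot: The sample rows appear to be lifted from a live deployment rather than synthesized — routable addresses such as 65.141.250.92, 178.215.238.131 and 43.240.149.12, the firewall hostname FWL-VPN-MN, the ACL name NGFW_ONBOX_ACL and interface names like osi_corp and sct-bcc-dmz in front of RFC 1918 LDAP (389) targets together describe a real network and should not be published as test data; replace the public addresses with RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the names with generic ones. Every row carries EventSchemaVersion 0.2.4 while this same patch raises the parser's schema version to 0.2.6, so the file will not match what the updated parser emits. The %FTD-4-106023 rows have '-' for SrcIpAddr, DstIpAddr, NetworkRuleName and both interface names even though the message text contains all of them, which looks like output captured before this fix rather than the expected result of it — presumably, since the file's role (raw input versus expected output) is not stated anywhere in the patch. Two of the 106007 rows are byte-identical and a third differs only in timestamp, which adds nothing to coverage.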
From: "github-actions[bot]" <> Date: Sun, 19 Jan 2025 13:11:08 +0000 Subject: [PATCH 02/11] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ARM/ASimNetworkSession/ASimNetworkSession.json | 2 +- .../ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json | 2 +- .../ASimNetworkSessionAppGateSDP.json | 2 +- .../ASimNetworkSessionAzureFirewall.json | 2 +- .../ASimNetworkSessionAzureNSG.json | 2 +- .../ASimNetworkSessionBarracudaCEF.json | 2 +- .../ASimNetworkSessionBarracudaWAF.json | 2 +- .../ASimNetworkSessionCheckPointFirewall.json | 2 +- .../ASimNetworkSessionCiscoASA.json | 4 ++-- .../ASimNetworkSessionCiscoFirepower.json | 2 +- .../ASimNetworkSessionCiscoISE.json | 2 +- .../ASimNetworkSessionCiscoMeraki.json | 2 +- .../ASimNetworkSessionCiscoMerakiSyslog.json | 2 +- .../ASimNetworkSessionCorelightZeek.json | 2 +- .../ASimNetworkSessionCrowdStrikeFalconHost.json | 2 +- .../ASimNetworkSessionForcePointFirewall.json | 2 +- .../ASimNetworkSessionFortinetFortiGate.json | 2 +- .../ASimNetworkSessionMD4IoTAgent.json | 2 +- .../ASimNetworkSessionMD4IoTSensor.json | 2 +- .../ASimNetworkSessionMicrosoft365Defender.json | 2 +- .../ASimNetworkSessionMicrosoftLinuxSysmon.json | 2 +- .../ASimNetworkSessionMicrosoftSecurityEventFirewall.json | 2 +- .../ASimNetworkSessionMicrosoftSysmon.json | 2 +- .../ASimNetworkSessionMicrosoftSysmonWindowsEvent.json | 2 +- .../ASimNetworkSessionMicrosoftWindowsEventFirewall.json | 2 +- .../ASimNetworkSessionNative/ASimNetworkSessionNative.json | 2 +- .../ASimNetworkSessionPaloAltoCEF.json | 2 +- .../ASimNetworkSessionPaloAltoCortexDataLake.json | 2 +- .../ASimNetworkSessionSentinelOne.json | 2 +- .../ASimNetworkSessionSonicWallFirewall.json | 2 +- .../ASimNetworkSessionVMConnection.json | 2 +- .../ASimNetworkSessionVMwareCarbonBlackCloud.json | 2 +- .../ASimNetworkSessionVectraAI.json | 2 +- .../ASimNetworkSessionWatchGuardFirewareOS.json | 2 +- .../ASimNetworkSessionzScalerZIA.json | 2 +- 
.../ARM/imNetworkSession/imNetworkSession.json | 2 +- .../ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json | 2 +- .../vimNetworkSessionAppGateSDP.json | 2 +- .../vimNetworkSessionAzureFirewall.json | 2 +- .../vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json | 2 +- .../vimNetworkSessionBarracudaCEF.json | 2 +- .../vimNetworkSessionBarracudaWAF.json | 2 +- .../vimNetworkSessionCheckPointFirewall.json | 2 +- .../vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json | 4 ++-- .../vimNetworkSessionCiscoFirepower.json | 2 +- .../vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json | 2 +- .../vimNetworkSessionCiscoMeraki.json | 2 +- .../vimNetworkSessionCiscoMerakiSyslog.json | 2 +- .../vimNetworkSessionCorelightZeek.json | 2 +- .../vimNetworkSessionCrowdStrikeFalconHost.json | 2 +- .../ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json | 2 +- .../vimNetworkSessionForcePointFirewall.json | 2 +- .../vimNetworkSessionFortinetFortiGate.json | 2 +- .../vimNetworkSessionMD4IoTAgent.json | 2 +- .../vimNetworkSessionMD4IoTSensor.json | 2 +- .../vimNetworkSessionMicrosoft365Defender.json | 2 +- .../vimNetworkSessionMicrosoftLinuxSysmon.json | 2 +- .../vimNetworkSessionMicrosoftSecurityEventFirewall.json | 2 +- .../vimNetworkSessionMicrosoftSysmon.json | 2 +- .../vimNetworkSessionMicrosoftSysmonWindowsEvent.json | 2 +- .../vimNetworkSessionMicrosoftWindowsEventFirewall.json | 2 +- .../ARM/vimNetworkSessionNative/vimNetworkSessionNative.json | 2 +- .../vimNetworkSessionPaloAltoCEF.json | 2 +- .../vimNetworkSessionPaloAltoCortexDataLake.json | 2 +- .../vimNetworkSessionSentinelOne.json | 2 +- .../vimNetworkSessionSonicWallFirewall.json | 2 +- .../vimNetworkSessionVMConnection.json | 2 +- .../vimNetworkSessionVMwareCarbonBlackCloud.json | 2 +- .../vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json | 2 +- .../vimNetworkSessionWatchGuardFirewareOS.json | 2 +- .../vimNetworkSessionzScalerZIA.json | 2 +- 71 files changed, 73 insertions(+), 73 deletions(-) 
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json index b88d559d872..7db41349adf 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json index 71abd5f41a2..1cfdd739bf4 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json index 824e0b9ab13..ed110f69039 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json index 854d6af2ec9..b0aa1487620 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json index 1b96d84e2aa..65be660470b 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json index 01205397b47..6f90a1ee7cd 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json index b02adbf39fe..2960bd7eb37 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json index a70c80413cf..be4111715f0 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json 
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json index be433d84792..6dacf13426e 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json 
@@ -27,10 +27,10 @@ "displayName": "Network Session ASIM parser for Cisco ASA", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no 
interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and 
not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername 
\"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can 
have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * 
totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = 
iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range 
Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n 
\"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 
'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == 
\"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n 
\"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with 
SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / 
time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let 
networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", "version": 1, "functionParameters": "disabled:bool=False" } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json index 5ba457c5767..07f438f02c0 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json index 991d5fe7c6f..fe7d12b2e97 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json
index a7a06f3eaa6..edfecf74202 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json
index c5cbba2a227..7d5668cf136 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json
index e98be491da7..3ea3434876c 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
index ba8e05942e1..8d59a980490 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json
index fd2b6f4e703..1ae1f88f006 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
index fb7d186be97..42217390f35 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
index 733271c404f..67da4ea7d1b 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json
index ea1d0f87e44..2ee01de3a00 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
index 52ceae1f101..72b5ae87622 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
index 794febb6565..88697c40310 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json
index 5445e521a0c..4ed701f93d5 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json
index b65dbd9550e..1fd557abeeb 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json
index 010dd89612a..a7826e9b1ce 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json
index dd09199cb10..a0a6465aeab 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json
index 3e228a66b59..587ead47297 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
index feb595a1a95..4a0fea05a51 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
index e546d3d2859..3fc9e4dd289 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
index 7c0188f1f05..9617122d622 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
index 7f0c242b9d2..5a154133766 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json
index ee37d31ea88..2fdf9f939c0 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
index 53c687b9be5..503ec3b40b1 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json
index 5c2ae6a55b5..cb82fb7d06c 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json
index bc3861e4c88..b4fe6967782 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json
index c873b739c5c..f54e4b2feb5 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
index f0c37dbad81..d684f03b4df 100644
--- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json
index e237c6fb537..58cc3f4fad6 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
index 20b167404e3..9d8533ba371 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
index a5e94f01714..c6e7f7fcd5a 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json
index fafe9b3f1db..679932cba6d 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
index 8e63af38325..220e8d7ade6 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json
index 59268e62134..dcdf73c5be6 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json
index ec48ec479c9..52a4280f79b 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
index a921bb70636..c7481d19d34 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
@@ -27,10 +27,10 @@ "displayName": "Network Session ASIM parser for Cisco ASA", "category": "ASIM", "FunctionAlias": "vimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch 
and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" 
DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend 
SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. 
TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == 
eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = 
trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where 
((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = 
coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" 
leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n 
(temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse 
Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType 
\", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n 
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), 
\"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" 
DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | 
parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, 
all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | 
extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json index 51dc52a1955..4bab6c0361f 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json index c70fbc26768..0a1f39d183d 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json
index 6f45b405d8a..f59995e1355 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json
index 7ebe916fb76..a9df140f4f9 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json
index dea11980926..a42765cdfb8 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
index a546418acdf..988e2f249a4 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json
index 7a5d3ff897a..2ac58d86619 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json
@@ -32,4 +32,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json
index ba857324972..11f3dc6644b 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json
index 3a086215c44..d6590f20603 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json
index 8925cd81f0d..69a3e1cd5c7 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
index 55a8f122183..9e4dc0dfad3 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
index 8673d8717b4..7febb43433b 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
index f0cdaf3bd64..38f90cdef63 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json index b0c8ada05ca..550d3e0664e 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json index 874a35dc85d..04633655097 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json index 49666efc4b6..780b89a76d3 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json index 49edb72a4ef..1cd61b59a71 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json index 76cc5af26db..6757e6afb8d 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json index 41068b9fe31..04ca23ff391 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json index b9b4284ad1d..2823fbb769a 100644 
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json index 3191da3f9c0..ea35eea9d55 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json index b45506ed48b..5a31daa469e 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json index 044f4869f8e..482c1b1f1e3 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json index 7e2ff29b9b9..e4fdc08c079 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json index a46f817f897..f6122492ceb 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json index 9fcdcc9e9ce..0fe64b8f7fb 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json +++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json index ade8927846f..f31a12497df 100644 --- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json 
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file From 64476588d51b790ddd5483ee7bf196832ab46851 Mon Sep 17 00:00:00 2001 From: v-sabiraj Date: Mon, 20 Jan 2025 19:36:23 +0530 Subject: [PATCH 03/11] Update Cisco_ASA_NetworkSession_IngestedLogs.csv --- .../Cisco_ASA_NetworkSession_IngestedLogs.csv | 53 +++++++++++-------- 1 file changed, 31 insertions(+), 22 deletions(-) diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv index c517c6afbe9..07e7cd469bd 100644 --- a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv +++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv 
@@ -1,22 +1,31 @@
-EventOriginalType,EventOriginalSeverity,Dvc,DstIpAddr,DstPortNumber,EventMessage,SrcIpAddr,SrcPortNumber,EventProductVersion,NetworkRuleName,DvcAction,EventResult,TimeGenerated,DvcOriginalAction,ASimMatchingIpAddr,DstInterfaceName,SrcInterfaceName,NetworkIcmpType,NetworkIcmpCode,SrcUsername,NetworkDirection,NetworkSessionId,SrcNatIpAddr,SrcNatPortNumber,DstNatIpAddr,DstNatPortNumber,DstUsername,SessionId,EventSubType,NetworkDuration,NetworkBytes,EventResultDetails,EventOriginalResultDetails,SrcUsernameType,DstAppName,ThreatName,EventCount,EventStartTime,EventEndTime,EventVendor,EventProduct,EventType,EventSchema,EventSchemaVersion,DstUsernameType,NetworkProtocol,EventSeverity,Src,Dst,Duration,IpAddr,Rule,User,Type
-106001,2,FWL-VPN-MN,192.168.1.3,8008,%ASA-2-106001: Inbound TCP connection denied from 172.18.27.212/51062 to 192.168.1.3/8008 flags SYN on interface outside,172.18.27.212,51062,-,-,Deny,Failure,11/1/2024 1:07:47 PM,denied,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/1/2024 1:07:47 PM,11/1/2024 1:07:47 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,172.18.27.212,192.168.1.3,-,172.18.27.212,-,-,CommonSecurityLog
-106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/65530 to 192.168.1.1/53 due to DNS Query,172.18.27.50,65530,-,-,Deny,Failure,10/29/2024 4:31:48 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:31:48 AM,10/29/2024 4:31:48 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog
-106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.72.232/50309 dst routing:10.3.50.5/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xf99004e5]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog
-710003,3,FWL-VPN-MN,65.141.250.92,22,%ASA-3-710003: TCP access denied by ACL from 178.215.238.131/39591 to outside:65.141.250.92/22,178.215.238.131,39591,-,-,Deny,Failure,11/5/2024 10:04:25 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:04:25 PM,11/5/2024 10:04:25 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,178.215.238.131,65.141.250.92,-,178.215.238.131,-,-,CommonSecurityLog
-106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.72.61/56585 dst routing:10.6.50.4/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xf99004e5]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog
-106023,4,172.20.4.10,-,-,"%FTD-4-106023: Deny tcp src osi_corp:172.17.252.95/51248 dst sct-bcc-dmz:172.20.53.85/443 by access-group ""NGFW_ONBOX_ACL"" [0x84953cae, 0x0]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog
-106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.73.181/40182 dst routing:172.16.100.3/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xc2f09170]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog
-106023,4,172.20.255.254,-,-,"%FTD-4-106023: Deny udp src dev-dmz:172.20.73.43/45458 dst routing:172.16.50.3/389 by access-group ""NGFW_ONBOX_ACL"" [0x66b44419, 0xc2f09170]",-,-,-,-,Deny,Failure,11/3/2024 11:04:00 AM,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/3/2024 11:04:00 AM,11/3/2024 11:04:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,-,Low,-,-,-,-,-,-,CommonSecurityLog
-106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/58534 to 192.168.1.1/53 due to DNS Query,172.18.27.50,58534,-,-,Deny,Failure,10/29/2024 4:31:58 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:31:58 AM,10/29/2024 4:31:58 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog -106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/58534 to 192.168.1.1/53 due to DNS Query,172.18.27.50,58534,-,-,Deny,Failure,10/29/2024 4:31:58 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:31:58 AM,10/29/2024 4:31:58 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog -106007,2,FWL-VPN-MN,192.168.1.1,53,%ASA-2-106007: Deny inbound UDP from 172.18.27.50/58534 to 192.168.1.1/53 due to DNS Query,172.18.27.50,58534,-,-,Deny,Failure,10/29/2024 4:32:00 AM,Deny,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,DNS Query,-,DNS,-,1,10/29/2024 4:32:00 AM,10/29/2024 4:32:00 AM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,UDP,Low,172.18.27.50,192.168.1.1,-,172.18.27.50,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 206.188.247.134/56423 to outside:65.141.250.92/80,206.188.247.134,56423,-,-,Deny,Failure,11/5/2024 10:07:29 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:07:29 PM,11/5/2024 10:07:29 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,206.188.247.134,65.141.250.92,-,206.188.247.134,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.12/17706 to outside:65.141.250.92/80,43.240.149.12,17706,-,-,Deny,Failure,11/5/2024 10:02:24 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:02:24 PM,11/5/2024 10:02:24 
PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.12,65.141.250.92,-,43.240.149.12,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.203/28695 to outside:65.141.250.92/80,43.240.149.203,28695,-,-,Deny,Failure,11/5/2024 10:02:29 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:02:29 PM,11/5/2024 10:02:29 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.203,65.141.250.92,-,43.240.149.203,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,23,%ASA-3-710003: TCP access denied by ACL from 195.64.252.231/3827 to outside:65.141.250.92/23,195.64.252.231,3827,-,-,Deny,Failure,11/5/2024 10:02:44 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 10:02:44 PM,11/5/2024 10:02:44 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,195.64.252.231,65.141.250.92,-,195.64.252.231,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,23,%ASA-3-710003: TCP access denied by ACL from 180.47.13.137/20752 to outside:65.141.250.92/23,180.47.13.137,20752,-,-,Deny,Failure,11/5/2024 9:04:03 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:03 PM,11/5/2024 9:04:03 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,180.47.13.137,65.141.250.92,-,180.47.13.137,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,23,%ASA-3-710003: TCP access denied by ACL from 138.19.52.228/44363 to outside:65.141.250.92/23,138.19.52.228,44363,-,-,Deny,Failure,11/5/2024 9:04:04 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:04 PM,11/5/2024 9:04:04 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,138.19.52.228,65.141.250.92,-,138.19.52.228,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.12/57705 to outside:65.141.250.92/80,43.240.149.12,57705,-,-,Deny,Failure,11/5/2024 9:04:15 
PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:15 PM,11/5/2024 9:04:15 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.12,65.141.250.92,-,43.240.149.12,-,-,CommonSecurityLog -710003,3,FWL-VPN-MN,65.141.250.92,80,%ASA-3-710003: TCP access denied by ACL from 43.240.149.203/57705 to outside:65.141.250.92/80,43.240.149.203,57705,-,-,Deny,Failure,11/5/2024 9:04:16 PM,denied,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/5/2024 9:04:16 PM,11/5/2024 9:04:16 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,43.240.149.203,65.141.250.92,-,43.240.149.203,-,-,CommonSecurityLog -106001,2,FWL-VPN-MN,192.168.1.3,8008,%ASA-2-106001: Inbound TCP connection denied from 172.18.27.212/51062 to 192.168.1.3/8008 flags SYN on interface outside,172.18.27.212,51062,-,-,Deny,Failure,11/1/2024 1:07:50 PM,denied,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/1/2024 1:07:50 PM,11/1/2024 1:07:50 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,172.18.27.212,192.168.1.3,-,172.18.27.212,-,-,CommonSecurityLog -106001,2,FWL-VPN-MN,192.168.1.3,8008,%ASA-2-106001: Inbound TCP connection denied from 172.18.27.212/51079 to 192.168.1.3/8008 flags SYN on interface outside,172.18.27.212,51079,-,-,Deny,Failure,11/1/2024 1:07:51 PM,denied,-,-,-,-,-,-,Inbound,-,-,-,-,-,-,-,-,-,-,-,-,-,-,-,1,11/1/2024 1:07:51 PM,11/1/2024 1:07:51 PM,Cisco,ASA,NetworkSession,NetworkSession,0.2.4,-,TCP,Low,172.18.27.212,192.168.1.3,-,172.18.27.212,-,-,CommonSecurityLog +TenantId,TimeGenerated 
[UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,Type,_ResourceId +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106023,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,192.168.1.1,,,,192.168.1.1,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106023: SSH session from 192.168.1.5 on interface inside for user ""*****"" disconnected by SSH server, reason: ""Rejected by server"" (0x0d) ",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106006,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,192.168.1.2,,,,192.168.1.2,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106006: Login denied from 192.168.1.5/2432 to inside:192.168.1.1/ssh for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106001,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.3,,,,192.168.1.3,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106001: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,113004,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,192.168.1.4,,,,192.168.1.4,_gateway,,,,,,,,,,,,,,,,"%ASA-6-113004: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106015,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,192.168.1.5,,,,192.168.1.5,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.754 PM",Cisco,ASA,,106016,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.6,,,,192.168.1.6,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 PM",Cisco,ASA,,106021,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.7,,,,192.168.1.7,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 PM",Cisco,ASA,,106022,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.8,,,,192.168.1.8,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106010,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.9,,,,192.168.1.9,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106014,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.10,,,,192.168.1.10,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106018,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.11,,,,192.168.1.11,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.753 PM",Cisco,ASA,,302013,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.12,,,,192.168.1.12,_gateway,,,,,,,,,,,,,,,,"%ASA-6-315011: SSH session from 192.168.1.5 on interface inside for user ""*****"" disconnected by SSH server, reason: ""Rejected by server"" (0x0d) ",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302015,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,192.168.1.13,,,,192.168.1.13,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302014,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,192.168.1.14,,,,192.168.1.14,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,113005,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.15,,,,192.168.1.15,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302016,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,192.168.1.16,,,,192.168.1.16,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/2421 to inside:192.168.1.1/ssh for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.750 PM",Cisco,ASA,,302020,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,192.168.1.17,,,,192.168.1.17,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.750 PM",Cisco,ASA,,302021,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.18,,,,192.168.1.18,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.749 PM",Cisco,ASA,,710002,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.19,,,,192.168.1.19,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.793 PM",Cisco,ASA,,710003,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.20,,,,192.168.1.20,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/1929 to inside:192.168.1.1/https for user ""Administrator""",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.793 PM",Cisco,ASA,,611102,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.21,,,,192.168.1.21,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: Administrator",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.21,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.792 PM",Cisco,ASA,,710004,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.22,,,,192.168.1.22,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.1.254 : user = Administrator : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,192.168.1.22,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,710005,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.23,,,,192.168.1.23,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.23,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,106007,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.24,,,,192.168.1.24,_gateway,,,,,,,,,,,,,,,,"%ASA-6-716039: Group User <*****> IP <192.168.1.5> Authentication: rejected, Session Type: Admin.",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,106017,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,192.168.1.25,,,,192.168.1.25,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/1907 to inside:192.168.1.1/https for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,192.168.1.25,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.790 PM",Cisco,ASA,,106100,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,192.168.1.26,,,,192.168.1.26,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106002,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.27,,,,192.168.1.27,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.27,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106012,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,192.168.1.28,,,,192.168.1.28,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/1907 to inside:192.168.1.1/https for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,192.168.1.28,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106013,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,192.168.1.29,,,,192.168.1.29,_gateway,,,,,,,,,,,,,,,,"%ASA-6-716039: Group User <*****> IP <192.168.1.5> Authentication: rejected, Session Type: Admin.",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.29,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106020,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.30,,,,192.168.1.30,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 From 93f18e688a1835871eaa8158b1221b9f9c14d3ab Mon Sep 17 00:00:00 2001 From: v-sabiraj Date: Mon, 20 Jan 2025 19:47:06 +0530 Subject: [PATCH 04/11] update --- .../ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml | 2 +- .../ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
index 4fd367c2e67..ed38a10c007 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
@@ -256,7 +256,7 @@ ParserQuery: |
 DstPortNumber = DestinationPort;
 let unparsedData = allLogs
 | where isempty(SourceIP)
- | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let all_106001_alike = parsedData
 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022")
 | parse Message with * " interface " DstInterfaceName;
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
index b52e4a07947..361c1b56f61 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
@@ -312,7 +312,7 @@ ParserQuery: | | where Message has tostring(dstportnumber) and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any))) - | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction; + | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction; let all_106001_alike = parsedData | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022") | parse Message with * " interface " DstInterfaceName; From 1159aef94c6d5c99adaad9b770b251b98bfa7c4a Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Mon, 20 Jan 2025 14:23:28 +0000 Subject: [PATCH 05/11] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json | 2 +- .../vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json index 6dacf13426e..27adb835f7a 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json +++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json 
@@ -27,7 +27,7 @@ "displayName": "Network Session ASIM parser for Cisco ASA", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == 
\"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n 
\"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with 
SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / 
time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let 
networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 
'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == 
\"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n 
\"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with 
SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / 
time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let 
networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
index c7481d19d34..05767b665c5 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
@@ -27,7 +27,7 @@
 "displayName": "Network Session ASIM parser for Cisco ASA",
 "category": "ASIM",
 "FunctionAlias": "vimNetworkSessionCiscoASA",
- "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n 
(temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse 
Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType 
\", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n 
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), 
\"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" 
DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | 
parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, 
all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | 
extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)",
+ "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent 
a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout 
(floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS 
(deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , 
\"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", 
\"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = 
case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed 
= unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" 
DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend 
temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // 
match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n 
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or 
DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false 
all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = 
case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } From 6c5227fed1339a85d12f73c6cb27b7db809e9440 Mon Sep 17 00:00:00 2001 From: v-sabiraj Date: Mon, 20 Jan 2025 20:30:40 +0530 Subject: [PATCH 06/11] Update Cisco_ASA_NetworkSession_IngestedLogs.csv --- Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv index 07e7cd469bd..074a891f10e 100644 --- a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv +++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv 
@@ -1,7 +1,7 @@ TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,Type,_ResourceId 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106023,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,192.168.1.1,,,,192.168.1.1,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106023: SSH session from 192.168.1.5 on interface inside for user ""*****"" disconnected by SSH server, reason: ""Rejected by server"" (0x0d) ",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106006,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,192.168.1.2,,,,192.168.1.2,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106006: Login denied from 192.168.1.5/2432 to inside:192.168.1.1/ssh for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106001,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.3,,,,192.168.1.3,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106001: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106001,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.3,,,,192.168.1.3,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 172.00.00.123/12345 to 00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,113004,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,192.168.1.4,,,,192.168.1.4,_gateway,,,,,,,,,,,,,,,,"%ASA-6-113004: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106015,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,192.168.1.5,,,,192.168.1.5,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.754 PM",Cisco,ASA,,106016,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.6,,,,192.168.1.6,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 From b64e6a8b5839bd16a1b7383890fa3fba3191dbb8 Mon Sep 17 00:00:00 2001 From: v-prasadboke Date: Mon, 20 Jan 2025 21:48:32 +0530 Subject: [PATCH 07/11] updated --- .../ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml | 2 +- .../ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml index ed38a10c007..a2a8cc01b54 100644 --- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml +++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml 
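Review bot: The added 106001 row's Message field carries addresses that are not valid IPv4 literals: `00.00.123/12345` has only three octets and `172.00.00.123` uses zero-padded octets, so the row cannot meaningfully exercise the parser's address extraction or the `has_any_ipv4_prefix` filtering that the unparsed-data path presumably applies to Message. The same row's structured columns also disagree with the text — `DestinationPort` is 22 and `DestinationIP` is 192.168.1.3 while the message says `to 00.00.123/12345` — and the `%ASA-2-` severity prefix contradicts the row's `OriginalLogSeverity` of 6 and `LogSeverity` of Low, which a real CEF forwarder would keep consistent. Consider rewriting the message with documentation-range addresses and matching columns, e.g. `%ASA-2-106001: Inbound TCP connection denied from 192.0.2.10/40123 to 192.168.1.3/22 flags SYN on interface outside` with `OriginalLogSeverity` set to 2, so the fixture reflects what the parser is expected to normalize.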
@@ -246,7 +246,7 @@ ParserQuery: |
 | where DeviceVendor == "Cisco" and DeviceProduct == "ASA"
 | where DeviceEventClassID in ("106001","106006","106015","106016","106021","106022","106010","106014","106018","106023","302013","302015","302014","302016","302020","302021","710002","710003","710004","710005","106007","106017","106100","106002","106012","106013","106020")
 | lookup ActionResultLookup on DeviceEventClassID
- | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let parsedData = allLogs
 | where isnotempty(SourceIP)
 | project-rename NetworkRuleName = DeviceCustomString2,
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
index 361c1b56f61..c7789fb03b8 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
@@ -288,7 +288,7 @@ ParserQuery: |
 | lookup ActionResultLookup on DeviceEventClassID
 | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == "")
 | where ((eventresult == "*") or EventResult == eventresult or EventResult == "")
- | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let parsedData = allLogs
 | where isnotempty(SourceIP)
 | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))
From 050d420f539c13d55f0d089a0bf8ee00057d9bb0 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Mon, 20 Jan 2025 16:23:44 +0000
Subject: [PATCH 08/11] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json | 2 +-
 .../vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json
index 27adb835f7a..d455aff87a7 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json
@@ -27,7 +27,7 @@ "displayName": "Network Session ASIM parser for Cisco ASA", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == 
\"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n 
\"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with 
SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / 
time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let 
networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 
'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == 
\"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n 
\"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with 
SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / 
time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let 
networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
index 05767b665c5..b70701f604b 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
@@ -27,7 +27,7 @@
 "displayName": "Network Session ASIM parser for Cisco ASA",
 "category": "ASIM",
 "FunctionAlias": "vimNetworkSessionCiscoASA",
- "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n 
(temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse 
Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType 
\", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n 
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), 
\"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" 
DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | 
parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, 
all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | 
extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)",
+ "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent 
a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout 
(floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS 
(deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , 
\"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", 
\"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = 
case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed 
= unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" 
DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend 
temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // 
match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n 
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or 
DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false 
all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = 
case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } From c8859904b78f0e783100dfbea4f2121605d19443 Mon Sep 17 00:00:00 2001 From: v-sabiraj Date: Tue, 21 Jan 2025 18:58:35 +0530 Subject: [PATCH 09/11] Update Cisco_ASA_NetworkSession_IngestedLogs.csv --- .../Cisco_ASA_NetworkSession_IngestedLogs.csv | 60 +++++++++---------- 1 file changed, 30 insertions(+), 30 deletions(-) diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv index 074a891f10e..4c1dab673d9 100644 --- a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv +++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv 
@@ -1,31 +1,31 @@ TenantId,TimeGenerated [UTC],DeviceVendor,DeviceProduct,DeviceVersion,DeviceEventClassID,Activity,LogSeverity,OriginalLogSeverity,AdditionalExtensions,DeviceAction,ApplicationProtocol,EventCount,DestinationDnsDomain,DestinationServiceName,DestinationTranslatedAddress,DestinationTranslatedPort,CommunicationDirection,DeviceDnsDomain,DeviceExternalID,DeviceFacility,DeviceInboundInterface,DeviceNtDomain,DeviceOutboundInterface,DevicePayloadId,ProcessName,DeviceTranslatedAddress,DestinationHostName,DestinationMACAddress,DestinationNTDomain,DestinationProcessId,DestinationUserPrivileges,DestinationProcessName,DestinationPort,DestinationIP,DeviceTimeZone,DestinationUserID,DestinationUserName,DeviceAddress,DeviceName,DeviceMacAddress,ProcessID,EndTime [UTC],ExternalID,ExtID,FileCreateTime,FileHash,FileID,FileModificationTime,FilePath,FilePermission,FileType,FileName,FileSize,ReceivedBytes,Message,OldFileCreateTime,OldFileHash,OldFileID,OldFileModificationTime,OldFileName,OldFilePath,OldFilePermission,OldFileSize,OldFileType,SentBytes,EventOutcome,Protocol,Reason,RequestURL,RequestClientApplication,RequestContext,RequestCookies,RequestMethod,ReceiptTime,SourceHostName,SourceMACAddress,SourceNTDomain,SourceDnsDomain,SourceServiceName,SourceTranslatedAddress,SourceTranslatedPort,SourceProcessId,SourceUserPrivileges,SourceProcessName,SourcePort,SourceIP,StartTime 
[UTC],SourceUserID,SourceUserName,EventType,DeviceEventCategory,DeviceCustomIPv6Address1,DeviceCustomIPv6Address1Label,DeviceCustomIPv6Address2,DeviceCustomIPv6Address2Label,DeviceCustomIPv6Address3,DeviceCustomIPv6Address3Label,DeviceCustomIPv6Address4,DeviceCustomIPv6Address4Label,DeviceCustomFloatingPoint1,DeviceCustomFloatingPoint1Label,DeviceCustomFloatingPoint2,DeviceCustomFloatingPoint2Label,DeviceCustomFloatingPoint3,DeviceCustomFloatingPoint3Label,DeviceCustomFloatingPoint4,DeviceCustomFloatingPoint4Label,DeviceCustomNumber1,FieldDeviceCustomNumber1,DeviceCustomNumber1Label,DeviceCustomNumber2,FieldDeviceCustomNumber2,DeviceCustomNumber2Label,DeviceCustomNumber3,FieldDeviceCustomNumber3,DeviceCustomNumber3Label,DeviceCustomString1,DeviceCustomString1Label,DeviceCustomString2,DeviceCustomString2Label,DeviceCustomString3,DeviceCustomString3Label,DeviceCustomString4,DeviceCustomString4Label,DeviceCustomString5,DeviceCustomString5Label,DeviceCustomString6,DeviceCustomString6Label,DeviceCustomDate1,DeviceCustomDate1Label,DeviceCustomDate2,DeviceCustomDate2Label,FlexDate1,FlexDate1Label,FlexNumber1,FlexNumber1Label,FlexNumber2,FlexNumber2Label,FlexString1,FlexString1Label,FlexString2,FlexString2Label,RemoteIP,RemotePort,MaliciousIP,ThreatSeverity,IndicatorThreatType,ThreatDescription,ThreatConfidence,ReportReferenceLink,MaliciousIPLongitude,MaliciousIPLatitude,MaliciousIPCountry,Computer,SourceSystem,SimplifiedDeviceAction,Type,_ResourceId -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106023,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,192.168.1.1,,,,192.168.1.1,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106023: SSH session from 192.168.1.5 on interface inside for user ""*****"" disconnected by SSH server, reason: ""Rejected by server"" (0x0d) ",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106006,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,192.168.1.2,,,,192.168.1.2,_gateway,,,,,,,,,,,,,,,,"%ASA-6-106006: Login denied from 192.168.1.5/2432 to inside:192.168.1.1/ssh for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106001,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.3,,,,192.168.1.3,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 172.00.00.123/12345 to 00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.3,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,113004,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,192.168.1.4,,,,192.168.1.4,_gateway,,,,,,,,,,,,,,,,"%ASA-6-113004: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.4,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106015,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,192.168.1.5,,,,192.168.1.5,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.754 PM",Cisco,ASA,,106016,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.6,,,,192.168.1.6,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.6,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 PM",Cisco,ASA,,106021,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.7,,,,192.168.1.7,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.7,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 PM",Cisco,ASA,,106022,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.8,,,,192.168.1.8,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.8,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106010,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.9,,,,192.168.1.9,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.9,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106014,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.10,,,,192.168.1.10,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.10,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106018,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.11,,,,192.168.1.11,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.753 PM",Cisco,ASA,,302013,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.12,,,,192.168.1.12,_gateway,,,,,,,,,,,,,,,,"%ASA-6-315011: SSH session from 192.168.1.5 on interface inside for user ""*****"" disconnected by SSH server, reason: ""Rejected by server"" (0x0d) ",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.12,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302015,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,192.168.1.13,,,,192.168.1.13,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.13,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302014,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,192.168.1.14,,,,192.168.1.14,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.14,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,113005,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.15,,,,192.168.1.15,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.15,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302016,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,192.168.1.16,,,,192.168.1.16,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/2421 to inside:192.168.1.1/ssh for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.16,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.750 PM",Cisco,ASA,,302020,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,192.168.1.17,,,,192.168.1.17,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.17,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.750 PM",Cisco,ASA,,302021,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.18,,,,192.168.1.18,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,192.168.1.18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.749 PM",Cisco,ASA,,710002,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.19,,,,192.168.1.19,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,192.168.1.19,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.793 PM",Cisco,ASA,,710003,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.20,,,,192.168.1.20,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/1929 to inside:192.168.1.1/https for user ""Administrator""",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.20,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.793 PM",Cisco,ASA,,611102,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.21,,,,192.168.1.21,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: Administrator",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.21,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.792 PM",Cisco,ASA,,710004,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.22,,,,192.168.1.22,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 192.168.1.254 : user = Administrator : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,192.168.1.22,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,710005,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.23,,,,192.168.1.23,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.23,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,106007,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.24,,,,192.168.1.24,_gateway,,,,,,,,,,,,,,,,"%ASA-6-716039: Group User <*****> IP <192.168.1.5> Authentication: rejected, Session Type: Admin.",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,106017,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,192.168.1.25,,,,192.168.1.25,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/1907 to inside:192.168.1.1/https for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,192.168.1.25,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.790 PM",Cisco,ASA,,106100,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,192.168.1.26,,,,192.168.1.26,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.26,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106002,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,192.168.1.27,,,,192.168.1.27,_gateway,,,,,,,,,,,,,,,,"%ASA-6-611102: User authentication failed: IP address: 192.168.1.5, Uname: *****",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.27,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106012,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,192.168.1.28,,,,192.168.1.28,_gateway,,,,,,,,,,,,,,,,"%ASA-6-605004: Login denied from 192.168.1.5/1907 to inside:192.168.1.1/https for user ""*****""",,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,192.168.1.28,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106013,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,192.168.1.29,,,,192.168.1.29,_gateway,,,,,,,,,,,,,,,,"%ASA-6-716039: Group User <*****> IP <192.168.1.5> Authentication: rejected, Session Type: Admin.",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.29,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106020,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,192.168.1.30,,,,192.168.1.30,_gateway,,,,,,,,,,,,,,,,%ASA-6-113005: AAA user authentication Rejected : reason = Unspecified : server = 192.168.1.254 : user = ***** : user IP = 192.168.1.5,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,192.168.1.30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106023,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,123.00.00.123,,,,192.168.1.1,_gateway,,,,,,,,,,,,,,,,%ASA-2-106007: Deny inbound UDP from 123.00.00.123/12345 to 123.00.00.123/12345 due to DNS Query,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,100.00.00.123,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106006,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,123.00.00.124,,,,192.168.1.2,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.124,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106001,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.125,,,,192.168.1.3,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.125,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,113004,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,123.00.00.126,,,,192.168.1.4,_gateway,,,,,,,,,,,,,,,,%ASA-3-710003: TCP access denied by ACL from 123.00.00.123/12345 to outside:123.00.00.123/11,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,100.00.00.126,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106015,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,123.00.00.127,,,,192.168.1.5,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.127,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.754 PM",Cisco,ASA,,106016,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.128,,,,192.168.1.6,_gateway,,,,,,,,,,,,,,,,%ASA-2-106007: Deny inbound UDP from 123.00.00.123/12345 to 123.00.00.123/12345 due to DNS Query,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.128,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 PM",Cisco,ASA,,106021,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.129,,,,192.168.1.7,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,100.00.00.129,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 PM",Cisco,ASA,,106022,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.130,,,,192.168.1.8,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.130,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106010,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.131,,,,192.168.1.9,_gateway,,,,,,,,,,,,,,,,%ASA-3-710003: TCP access denied by ACL from 123.00.00.123/12345 to outside:123.00.00.123/11,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.131,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106014,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.132,,,,192.168.1.10,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,100.00.00.132,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:40.757 PM",Cisco,ASA,,106018,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.133,,,,192.168.1.11,_gateway,,,,,,,,,,,,,,,,%ASA-2-106007: Deny inbound UDP from 123.00.00.123/12345 to 123.00.00.123/12345 due to DNS Query,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.133,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.753 PM",Cisco,ASA,,302013,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.134,,,,192.168.1.12,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.134,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302015,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,123.00.00.135,,,,192.168.1.13,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,100.00.00.135,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302014,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,123.00.00.136,,,,192.168.1.14,_gateway,,,,,,,,,,,,,,,,%ASA-3-710003: TCP access denied by ACL from 123.00.00.123/12345 to outside:123.00.00.123/11,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.136,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,113005,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.137,,,,192.168.1.15,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.137,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.752 PM",Cisco,ASA,,302016,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,123.00.00.138,,,,192.168.1.16,_gateway,,,,,,,,,,,,,,,,%ASA-2-106007: Deny inbound UDP from 123.00.00.123/12345 to 123.00.00.123/12345 due to DNS Query,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,100.00.00.138,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.750 PM",Cisco,ASA,,302020,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,123.00.00.139,,,,192.168.1.17,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.139,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.750 PM",Cisco,ASA,,302021,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.140,,,,192.168.1.18,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.140,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:28.749 PM",Cisco,ASA,,710002,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.141,,,,192.168.1.19,_gateway,,,,,,,,,,,,,,,,%ASA-3-710003: TCP access denied by ACL from 123.00.00.123/12345 to outside:123.00.00.123/11,,,,,,,,,,,,,,,,,,,07-05-2023 
14:16,,,,,,,,,,,,100.00.00.141,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.793 PM",Cisco,ASA,,710003,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.142,,,,192.168.1.20,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.142,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.793 PM",Cisco,ASA,,611102,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.143,,,,192.168.1.21,_gateway,,,,,,,,,,,,,,,,%ASA-2-106007: Deny inbound UDP from 123.00.00.123/12345 to 123.00.00.123/12345 due to DNS Query,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.143,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:24.792 PM",Cisco,ASA,,710004,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.144,,,,192.168.1.22,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,100.00.00.144,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,710005,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.145,,,,192.168.1.23,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.145,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,106007,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.146,,,,192.168.1.24,_gateway,,,,,,,,,,,,,,,,%ASA-3-710003: TCP access denied by ACL from 123.00.00.123/12345 to outside:123.00.00.123/11,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.146,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.791 PM",Cisco,ASA,,106017,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,0,123.00.00.147,,,,192.168.1.25,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,100.00.00.147,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:04.790 PM",Cisco,ASA,,106100,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,123.00.00.148,,,,192.168.1.26,_gateway,,,,,,,,,,,,,,,,%ASA-2-106007: Deny inbound UDP from 123.00.00.123/12345 to 123.00.00.123/12345 due to DNS Query,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.148,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106002,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.149,,,,192.168.1.27,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.149,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106012,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,123.00.00.150,,,,192.168.1.28,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 
14:04,,,,,,,,,,,,100.00.00.150,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106013,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,123.00.00.151,,,,192.168.1.29,_gateway,,,,,,,,,,,,,,,,%ASA-3-710003: TCP access denied by ACL from 123.00.00.123/12345 to outside:123.00.00.123/11,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.151,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:04:00.793 PM",Cisco,ASA,,106020,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.152,,,,192.168.1.30,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 14:04,,,,,,,,,,,,100.00.00.152,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 From 5ff9f9cf25ac95711cff2786d8d8f7a661843b7c Mon Sep 17 00:00:00 2001 From: v-sabiraj Date: Tue, 21 Jan 2025 19:11:24 +0530 Subject: [PATCH 10/11] parser update --- .../ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml | 2 +- .../ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml | 2 +- Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
index a2a8cc01b54..fb32b27bfb7 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
@@ -256,7 +256,7 @@ ParserQuery: |
 DstPortNumber = DestinationPort;
 let unparsedData = allLogs
 | where isempty(SourceIP)
- | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let all_106001_alike = parsedData
 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022")
 | parse Message with * " interface " DstInterfaceName;
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
index c7789fb03b8..83108ba197c 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
@@ -312,7 +312,7 @@ ParserQuery: |
 | where Message has tostring(dstportnumber) and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))
- | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
+ | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;
 let all_106001_alike = parsedData
 | where DeviceEventClassID in ("106001", "106006", "106015", "106016", "106021", "106022")
 | parse Message with * " interface " DstInterfaceName;
diff --git a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
index 4c1dab673d9..6d9d28f2d83 100644
--- a/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
+++ b/Sample Data/ASIM/Cisco_ASA_NetworkSession_IngestedLogs.csv
@@ -3,7 +3,7 @@ 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106006,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,8002,123.00.00.124,,,,192.168.1.2,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.124,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106001,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.125,,,,192.168.1.3,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.125,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,113004,,Low,6,,,,,,,,0,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,0,123.00.00.126,,,,192.168.1.4,_gateway,,,,,,,,,,,,,,,,%ASA-3-710003: TCP access denied by ACL from 123.00.00.123/12345 to outside:123.00.00.123/11,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.126,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 -01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 
PM",Cisco,ASA,,106015,,Low,6,,,,,,,,8002,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,123.00.00.127,,,,192.168.1.5,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.127,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 +01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.756 PM",Cisco,ASA,,106015,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,8002,123.00.00.127,,,,192.168.1.5,_gateway,,,,,,,,,,,,,,,,%ASA-2-106001: Inbound TCP connection denied from 123.00.00.123/123 to 123.00.00.123/12345 flags SYN on interface outside,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.127,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.754 PM",Cisco,ASA,,106016,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.128,,,,192.168.1.6,_gateway,,,,,,,,,,,,,,,,%ASA-2-106007: Deny inbound UDP from 123.00.00.123/12345 to 123.00.00.123/12345 due to DNS Query,,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.128,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 
PM",Cisco,ASA,,106021,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-abc-2-vm03,,,123,,test,22,123.00.00.129,,,,192.168.1.7,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.129,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 01680ad8-1090-4dec-a395-f77b161a9051,"7/5/2023, 2:16:44.753 PM",Cisco,ASA,,106022,,Low,6,,,,,,,,22,,,,local4,,,,,,,self-serve-efg-1-vm03,,,123,,test,22,123.00.00.130,,,,192.168.1.8,_gateway,,,,,,,,,,,,,,,,"%FTD-4-106023: Deny udp src dev-test:123.00.00.123/12345 dst routing:123.00.00.000/123 by access-group ""ABC"" [0x00b0000, 0xf00000e0]",,,,,,,,,,,,,,,,,,,07-05-2023 14:16,,,,,,,,,,,,100.00.00.130,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,_gateway,OpsManager,,CommonSecurityLog,/subscriptions/e174f759-39db-49b8-b8bc-15cf9abca0f3/resourcegroups/kustoworksarc/providers/microsoft.hybridcompute/machines/col1 From 77257b462b15ac4a5d5addfb65cd027d0770e066 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Tue, 21 Jan 2025 13:46:40 +0000 Subject: [PATCH 11/11] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json | 2 +- .../vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json index d455aff87a7..b2f792f9734 100644 --- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json 
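Review bot: The rewritten 106015 sample row still carries a Message whose syslog ID is %ASA-2-106001 ("Inbound TCP connection denied …"), so DeviceEventClassID and the message body disagree and the row does not represent what ASA emits for 106015 (as far as I recall, "Deny TCP (no connection) from … flags … on interface …"); the unchanged context rows show the same mismatch, e.g. 113004 paired with %ASA-3-710003. Parser tests fed this file therefore exercise the 106001-alike `parse Message with` branch with text ASA never attaches to those IDs, which can hide a broken pattern, so regenerating the rows from a genuine message per ID would make the fixture meaningful. The placeholder addresses such as 123.00.00.127 also use leading-zero octets, which are not canonical dotted-quad and may not be matched by IPv4-aware functions the way real addresses are; RFC 5737 documentation ranges (e.g. 203.0.113.0/24) are the safer choice for sample data. Every row also embeds what appears to be a real subscription id and Arc machine resource path in _ResourceId; if it is real, substituting a placeholder before publishing is standard hygiene. Which column changed from 8002 to 22 cannot be told from the hunk alone, since the CSV header is outside it.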
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json 
@@ -27,7 +27,7 @@ "displayName": "Network Session ASIM parser for Cisco ASA", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == 
\"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n 
\"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with 
SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / 
time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let 
networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 
'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. 
An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == 
\"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n 
\"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with 
SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / 
time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let 
networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
index b70701f604b..66fea32a2ad 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
@@ -27,7 +27,7 @@
 "displayName": "Network Session ASIM parser for Cisco ASA",
 "category": "ASIM",
 "FunctionAlias": "vimNetworkSessionCiscoASA",
- "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n 
(temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse 
Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType 
\", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n 
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), 
\"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" 
DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | 
parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, 
all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | 
extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent 
a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout 
(floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS 
(deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , 
\"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", 
\"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = 
case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor,Type, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = 
unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" 
DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend 
temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // 
match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" 
NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n 
temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or 
DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false 
all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = 
case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" }
