From 45e295e6162d0f057aeabec21fbfa86d2f8712d4 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <> Date: Thu, 9 Jan 2025 16:10:56 +0000 Subject: [PATCH] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ARM/ASimNetworkSession/ASimNetworkSession.json | 2 +- .../ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json | 2 +- .../ASimNetworkSessionAppGateSDP.json | 2 +- .../ASimNetworkSessionAzureFirewall.json | 2 +- .../ASimNetworkSessionAzureNSG.json | 2 +- .../ASimNetworkSessionBarracudaCEF.json | 2 +- .../ASimNetworkSessionBarracudaWAF.json | 2 +- .../ASimNetworkSessionCheckPointFirewall.json | 2 +- .../ASimNetworkSessionCiscoASA.json | 4 ++-- .../ASimNetworkSessionCiscoFirepower.json | 2 +- .../ASimNetworkSessionCiscoISE.json | 2 +- .../ASimNetworkSessionCiscoMeraki.json | 2 +- .../ASimNetworkSessionCiscoMerakiSyslog.json | 2 +- .../ASimNetworkSessionCorelightZeek.json | 2 +- .../ASimNetworkSessionCrowdStrikeFalconHost.json | 2 +- .../ASimNetworkSessionForcePointFirewall.json | 2 +- .../ASimNetworkSessionFortinetFortiGate.json | 2 +- .../ASimNetworkSessionMD4IoTAgent.json | 2 +- .../ASimNetworkSessionMD4IoTSensor.json | 2 +- .../ASimNetworkSessionMicrosoft365Defender.json | 2 +- .../ASimNetworkSessionMicrosoftLinuxSysmon.json | 2 +- .../ASimNetworkSessionMicrosoftSecurityEventFirewall.json | 2 +- .../ASimNetworkSessionMicrosoftSysmon.json | 2 +- .../ASimNetworkSessionMicrosoftSysmonWindowsEvent.json | 2 +- .../ASimNetworkSessionMicrosoftWindowsEventFirewall.json | 2 +- .../ASimNetworkSessionNative/ASimNetworkSessionNative.json | 2 +- .../ASimNetworkSessionPaloAltoCEF.json | 2 +- .../ASimNetworkSessionPaloAltoCortexDataLake.json | 2 +- .../ASimNetworkSessionSentinelOne.json | 2 +- .../ASimNetworkSessionSonicWallFirewall.json | 2 +- .../ASimNetworkSessionVMConnection.json | 2 +- .../ASimNetworkSessionVMwareCarbonBlackCloud.json | 2 +- .../ASimNetworkSessionVectraAI.json | 2 +- .../ASimNetworkSessionWatchGuardFirewareOS.json | 2 +- .../ASimNetworkSessionzScalerZIA.json | 2 +- 
.../ARM/imNetworkSession/imNetworkSession.json | 2 +- .../ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json | 2 +- .../vimNetworkSessionAppGateSDP.json | 2 +- .../vimNetworkSessionAzureFirewall.json | 2 +- .../vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json | 2 +- .../vimNetworkSessionBarracudaCEF.json | 2 +- .../vimNetworkSessionBarracudaWAF.json | 2 +- .../vimNetworkSessionCheckPointFirewall.json | 2 +- .../vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json | 4 ++-- .../vimNetworkSessionCiscoFirepower.json | 2 +- .../vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json | 2 +- .../vimNetworkSessionCiscoMeraki.json | 2 +- .../vimNetworkSessionCiscoMerakiSyslog.json | 2 +- .../vimNetworkSessionCorelightZeek.json | 2 +- .../vimNetworkSessionCrowdStrikeFalconHost.json | 2 +- .../ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json | 2 +- .../vimNetworkSessionForcePointFirewall.json | 2 +- .../vimNetworkSessionFortinetFortiGate.json | 2 +- .../vimNetworkSessionMD4IoTAgent.json | 2 +- .../vimNetworkSessionMD4IoTSensor.json | 2 +- .../vimNetworkSessionMicrosoft365Defender.json | 2 +- .../vimNetworkSessionMicrosoftLinuxSysmon.json | 2 +- .../vimNetworkSessionMicrosoftSecurityEventFirewall.json | 2 +- .../vimNetworkSessionMicrosoftSysmon.json | 2 +- .../vimNetworkSessionMicrosoftSysmonWindowsEvent.json | 2 +- .../vimNetworkSessionMicrosoftWindowsEventFirewall.json | 2 +- .../ARM/vimNetworkSessionNative/vimNetworkSessionNative.json | 2 +- .../vimNetworkSessionPaloAltoCEF.json | 2 +- .../vimNetworkSessionPaloAltoCortexDataLake.json | 2 +- .../vimNetworkSessionSentinelOne.json | 2 +- .../vimNetworkSessionSonicWallFirewall.json | 2 +- .../vimNetworkSessionVMConnection.json | 2 +- .../vimNetworkSessionVMwareCarbonBlackCloud.json | 2 +- .../vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json | 2 +- .../vimNetworkSessionWatchGuardFirewareOS.json | 2 +- .../vimNetworkSessionzScalerZIA.json | 2 +- 71 files changed, 73 insertions(+), 73 deletions(-) 
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
index b88d559d872..7db41349adf 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSession/ASimNetworkSession.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json
index 71abd5f41a2..1cfdd739bf4 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAWSVPC/ASimNetworkSessionAWSVPC.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json
index 824e0b9ab13..ed110f69039 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAppGateSDP/ASimNetworkSessionAppGateSDP.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json
index 854d6af2ec9..b0aa1487620 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureFirewall/ASimNetworkSessionAzureFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json
index 1b96d84e2aa..65be660470b 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionAzureNSG/ASimNetworkSessionAzureNSG.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json
index 01205397b47..6f90a1ee7cd 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaCEF/ASimNetworkSessionBarracudaCEF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json
index b02adbf39fe..2960bd7eb37 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionBarracudaWAF/ASimNetworkSessionBarracudaWAF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json
index a70c80413cf..be4111715f0 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCheckPointFirewall/ASimNetworkSessionCheckPointFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json
index be433d84792..098256aaa47 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoASA/ASimNetworkSessionCiscoASA.json
@@ -27,10 +27,10 @@ "displayName": "Network Session ASIM parser for Cisco ASA", "category": "ASIM", "FunctionAlias": "ASimNetworkSessionCiscoASA", - "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no 
interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and 
not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername 
\"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can 
have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * 
totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = 
iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range 
Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n 
\"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)", + "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 
'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (disabled:bool=false)\n { \n let allLogs = CommonSecurityLog\n | where 
not(disabled)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and 
not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n 
NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName 
\":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" 
SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = 
NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * ;\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = 
materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = 
case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, Device*\n };\n NWParser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
index 5ba457c5767..07f438f02c0 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoFirepower/ASimNetworkSessionCiscoFirepower.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json
index 991d5fe7c6f..fe7d12b2e97 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoISE/ASimNetworkSessionCiscoISE.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json
index a7a06f3eaa6..edfecf74202 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMeraki/ASimNetworkSessionCiscoMeraki.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json
index c5cbba2a227..7d5668cf136 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json
index e98be491da7..3ea3434876c 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCorelightZeek/ASimNetworkSessionCorelightZeek.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
index ba8e05942e1..8d59a980490 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCrowdStrikeFalconHost/ASimNetworkSessionCrowdStrikeFalconHost.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json
index fd2b6f4e703..1ae1f88f006 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionForcePointFirewall/ASimNetworkSessionForcePointFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
index fb7d186be97..42217390f35 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
index 733271c404f..67da4ea7d1b 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTAgent/ASimNetworkSessionMD4IoTAgent.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json
index ea1d0f87e44..2ee01de3a00 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMD4IoTSensor/ASimNetworkSessionMD4IoTSensor.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
index 52ceae1f101..72b5ae87622 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoft365Defender/ASimNetworkSessionMicrosoft365Defender.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
index 794febb6565..88697c40310 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftLinuxSysmon/ASimNetworkSessionMicrosoftLinuxSysmon.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json
index 5445e521a0c..4ed701f93d5 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSecurityEventFirewall/ASimNetworkSessionMicrosoftSecurityEventFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json
index b65dbd9550e..1fd557abeeb 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmon/ASimNetworkSessionMicrosoftSysmon.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json
index 010dd89612a..a7826e9b1ce 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftSysmonWindowsEvent/ASimNetworkSessionMicrosoftSysmonWindowsEvent.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json
index dd09199cb10..a0a6465aeab 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionMicrosoftWindowsEventFirewall/ASimNetworkSessionMicrosoftWindowsEventFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json
index 3e228a66b59..587ead47297 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionNative/ASimNetworkSessionNative.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
index feb595a1a95..4a0fea05a51 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCEF/ASimNetworkSessionPaloAltoCEF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
index e546d3d2859..3fc9e4dd289 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionPaloAltoCortexDataLake/ASimNetworkSessionPaloAltoCortexDataLake.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
index 7c0188f1f05..9617122d622 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSentinelOne/ASimNetworkSessionSentinelOne.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
index 7f0c242b9d2..5a154133766 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/ASimNetworkSessionSonicWallFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json
index ee37d31ea88..2fdf9f939c0 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMConnection/ASimNetworkSessionVMConnection.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
index 53c687b9be5..503ec3b40b1 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVMwareCarbonBlackCloud/ASimNetworkSessionVMwareCarbonBlackCloud.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json
index 5c2ae6a55b5..cb82fb7d06c 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionVectraAI/ASimNetworkSessionVectraAI.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json
index bc3861e4c88..b4fe6967782 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionWatchGuardFirewareOS/ASimNetworkSessionWatchGuardFirewareOS.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json
index c873b739c5c..f54e4b2feb5 100644
--- a/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json
+++ b/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
index f0c37dbad81..d684f03b4df 100644
--- a/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
+++ b/Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json
index e237c6fb537..58cc3f4fad6 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAWSVPC/vimNetworkSessionAWSVPC.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
index 20b167404e3..9d8533ba371 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAppGateSDP/vimNetworkSessionAppGateSDP.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
index a5e94f01714..c6e7f7fcd5a 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureFirewall/vimNetworkSessionAzureFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json
index fafe9b3f1db..679932cba6d 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionAzureNSG/vimNetworkSessionAzureNSG.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
index 8e63af38325..220e8d7ade6 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaCEF/vimNetworkSessionBarracudaCEF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json
index 59268e62134..dcdf73c5be6 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionBarracudaWAF/vimNetworkSessionBarracudaWAF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json
index ec48ec479c9..52a4280f79b 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCheckPointFirewall/vimNetworkSessionCheckPointFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
index a921bb70636..5cae2fa2de3 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoASA/vimNetworkSessionCiscoASA.json
@@ -27,10 +27,10 @@
 "displayName": "Network Session ASIM parser for Cisco ASA",
 "category": "ASIM",
 "FunctionAlias": "vimNetworkSessionCiscoASA",
- "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" leaves a zone with no interface 
members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch 
and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" 
DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n 
array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend 
SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. 
TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == 
eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = 
trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" * \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where 
((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = 
coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, 
ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)",
+ "query": "let EventResultMapping = datatable (Reason:string, DvcAction:string, EventResult:string, EventResultDetails:string, EventOriginalResultDetails:string) [\n 'Conn-timeout', '', 'Success', 'Timeout', 'The connection ended when a flow is closed because of the expiration of its inactivity timer.',\n 'Deny Terminate', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by application inspection.',\n 'Failover primary closed', '', 'Success', 'Failover', 'The standby unit in a failover pair deleted a connection because of a message received from the active unit.',\n 'FIN Timeout', '', 'Success', 'Timeout', 'Force termination after 10 minutes awaiting the last ACK or after half-closed timeout.', \n 'Flow closed by inspection', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by the inspection feature.',\n 'Flow terminated by IPS', 'Deny', 'Failure', 'Terminated', 'Flow was terminated by IPS.',\n 'Flow reset by IPS', 'Reset', 'Failure', 'Terminated', 'Flow was reset by IPS.', \n 'Flow terminated by TCP Intercept', 'TCP Intercept', 'Failure', 'Terminated', 'Flow was terminated by TCP Intercept.',\n 'Flow timed out', '', 'Success', 'Timeout', 'Flow has timed out.',\n 'Flow timed out with reset', 'Reset', 'Failure', 'Timeout', 'Flow has timed out, but was reset.',\n 'Free the flow created as result of packet injection', '', 'Success', 'Simulation', 'The connection was built because the packet tracer feature sent a simulated packet through the Secure Firewall ASA.',\n 'Invalid SYN', '', 'Failure', 'Invalid TCP', 'The SYN packet was not valid.',\n 'IPS fail-close', 'Deny', 'Failure', 'Terminated', 'Flow was terminated because the IPS card is down.',\n 'No interfaces associated with zone', '', 'Failure', 'Routing issue', 'Flows were torn down after the \"no nameif\" or \"no zone-member\" 
leaves a zone with no interface members.',\n 'No valid adjacency', 'Drop', 'Failure', 'Routing issue', 'This counter is incremented when the Secure Firewall ASA tried to obtain an adjacency and could not obtain the MAC address for the next hop. The packet is dropped.',\n 'Pinhole Timeout', '', 'Failure', 'Timeout', 'The counter is incremented to report that the Secure Firewall ASA opened a secondary flow, but no packets passed through this flow within the timeout interval, and so it was removed. An example of a secondary flow is the FTP data channel that is created after successful negotiation on the FTP control channel.',\n 'Probe maximum retries of retransmission exceeded', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the TCP packet exceeded maximum probe retries of retransmission.',\n 'Probe maximum retransmission time elapsed', '', 'Failure', 'Maximum Retry', 'The connection was torn down because the maximum probing time for TCP packet had elapsed.',\n 'Probe received RST', '', 'Failure', 'Reset', 'The connection was torn down because probe connection received RST from server.',\n 'Probe received FIN', '', 'Success', '', 'The connection was torn down because probe connection received FIN from server and complete FIN closure process was completed.',\n 'Probe completed', '', 'Success', '', 'The probe connection was successful.', \n 'Route change', '', 'Success', '', 'When the Secure Firewall ASA adds a lower cost (better metric) route, packets arriving that match the new route cause their existing connection to be torn down after the user-configured timeout (floating-conn) value. Subsequent packets rebuild the connection out of the interface with the better metric. 
To prevent the addition of lower cost routes from affecting active flows, you can set the floating-conn configuration timeout value to 0:0:0.', \n 'SYN Control', '', 'Failure', 'Invalid TCP', 'A back channel initiation occurred from the wrong side.',\n 'SYN Timeout', '', 'Failure', 'Timeout', 'Force termination after 30 seconds, awaiting three-way handshake completion.',\n 'TCP bad retransmission', '', 'Success', 'Invalid TCP', 'The connection was terminated because of a bad TCP retransmission.',\n 'TCP FINs', '', 'Success', '', 'A normal close-down sequence occurred.',\n 'TCP Invalid SYN', '', 'Failure', 'Invalid TCP', 'Invalid TCP SYN packet.', \n 'TCP Reset-APPLIANCE', '', 'Failure', 'Reset', 'The flow is closed when a TCP reset is generated by the Secure Firewall ASA.',\n 'TCP Reset-I', '', 'Failure', 'Reset', 'Reset was from the inside.',\n 'TCP Reset-O', '', 'Failure', 'Reset', 'Reset was from the outside.',\n 'TCP segment partial overlap', '', 'Failure', 'Invalid TCP', 'A partially overlapping segment was detected.',\n 'TCP unexpected window size variation', '', 'Failure', 'Invalid TCP', 'A connection was terminated due to variation in the TCP window size.', \n 'Tunnel has been torn down', '', 'Failure', 'Invalid Tunnel', 'Flow was terminated because the tunnel is down.',\n 'Unknown', 'Deny', 'Failure', 'Terminated', 'An authorization was denied by a URL filter.', 'Unauth Deny', '', 'Failure', 'Unknown', 'An unknown error has occurred.', \n 'Xlate Clear', '', '', '', 'A command line was removed.',\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , 
\"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , 
\"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"\n ];\n let ActionResultLookup = datatable (DeviceEventClassID:string, DvcAction:string, EventResult:string)[\n \"106001\", \"Deny\", \"Failure\",\n \"106002\", \"Deny\", \"Failure\",\n \"106006\", \"Deny\", \"Failure\",\n \"106007\", \"Deny\", \"Failure\",\n \"106010\", \"Deny\", \"Failure\",\n \"106012\", \"Deny\", \"Failure\",\n \"106013\", \"Drop\", \"Failure\",\n \"106014\", \"Deny\", \"Failure\",\n \"106015\", \"Deny\", \"Failure\",\n \"106016\", \"Deny\", \"Failure\",\n \"106017\", \"Deny\", \"Failure\",\n \"106018\", \"Deny\", \"Failure\",\n \"106020\", \"Deny\", \"Failure\",\n \"106021\", \"Deny\", \"Failure\",\n \"106022\", \"Deny\", \"Failure\",\n \"106023\", \"Deny\", \"Failure\",\n \"106100\", \"\", \"\",\n \"302013\", \"Allow\", \"Success\",\n \"302014\", \"\", \"\", \n \"302015\", \"Allow\", \"Success\",\n \"302016\", \"Allow\", \"Success\",\n \"302020\", \"Allow\", \"Success\",\n \"302021\", \"Allow\", \"Success\",\n \"710002\", \"Allow\", \"Success\",\n \"710003\", \"Deny\", \"Failure\",\n \"710004\", \"Drop\", \"Failure\",\n \"710005\", \"Drop\", \"Failure\",\n ];\n let NWParser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n 
srcipaddr_has_any_prefix:dynamic=dynamic([]), \n dstipaddr_has_any_prefix:dynamic=dynamic([]), \n ipaddr_has_any_prefix:dynamic=dynamic([]),\n dstportnumber:int=int(null), \n hostname_has_any:dynamic=dynamic([]), \n dvcaction:dynamic=dynamic([]), \n eventresult:string='*', \n disabled:bool=false)\n { \n let src_or_any = set_union(srcipaddr_has_any_prefix, ipaddr_has_any_prefix); \n let dst_or_any = set_union(dstipaddr_has_any_prefix, ipaddr_has_any_prefix);\n let allLogs = CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where DeviceVendor == \"Cisco\" and DeviceProduct == \"ASA\"\n | where DeviceEventClassID in (\"106001\",\"106006\",\"106015\",\"106016\",\"106021\",\"106022\",\"106010\",\"106014\",\"106018\",\"106023\",\"302013\",\"302015\",\"302014\",\"302016\",\"302020\",\"302021\",\"710002\",\"710003\",\"710004\",\"710005\",\"106007\",\"106017\",\"106100\",\"106002\",\"106012\",\"106013\",\"106020\")\n | lookup ActionResultLookup on DeviceEventClassID\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction) or DvcAction == \"\")\n | where ((eventresult == \"*\") or EventResult == eventresult or EventResult == \"\")\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, CommunicationDirection, DestinationIP, DestinationPort, DeviceAddress, DeviceName, Message, Protocol, SourceIP, SourcePort, DeviceVersion, DeviceCustomString2, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let parsedData = allLogs\n | where isnotempty(SourceIP)\n | where (isnull(dstportnumber) or (DestinationPort == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SourceIP,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DestinationIP,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch 
and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-rename NetworkRuleName = DeviceCustomString2,\n SrcIpAddr = SourceIP,\n SrcPortNumber = SourcePort,\n DstIpAddr = DestinationIP, \n DstPortNumber = DestinationPort;\n let unparsedData = allLogs\n | where isempty(SourceIP)\n | where Message has tostring(dstportnumber)\n and ((array_length(src_or_any) == 0 or has_any_ipv4_prefix(Message,src_or_any)) \n or (array_length(dst_or_any) == 0 or has_any_ipv4_prefix(Message,dst_or_any)))\n | project DeviceVendor, DeviceProduct, DeviceEventClassID, LogSeverity, OriginalLogSeverity, Computer, DeviceAddress, DeviceName, Message, DeviceVersion, Protocol, DvcAction, EventResult, TimeGenerated, DeviceAction;\n let all_106001_alike = parsedData\n | where DeviceEventClassID in (\"106001\", \"106006\", \"106015\", \"106016\", \"106021\", \"106022\") \n | parse Message with * \" interface \" DstInterfaceName;\n let all_106010_alike = parsedData\n | where DeviceEventClassID in (\"106010\", \"106014\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\";\n let all_106018 = parsedData\n | where DeviceEventClassID == \"106018\"\n | parse Message with * \" packet type \" NetworkIcmpType \" \" * \"list \" NetworkRuleName \" \" *;\n let all_106023 = parsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \" src \" SrcInterfaceName \":\" * \" dst \" DstInterfaceName \":\" * ' by access-group \"' NetworkRuleName '\" ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \")\" *;\n let all_106023_unparsed = unparsedData\n | where DeviceEventClassID == \"106023\" and not(Message has \"protocol 41\")\n | parse Message with * \":\" 
DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \"(\" SrcUsername \") dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" src \" SrcInterfaceName \":\" SrcIpAddrAndPort \" dst \" DstInterfaceName \":\" DstIpAddrAndPort \" \" NetworkIcmpInfo 'by access-group \"' NetworkRuleName '\" [' * \"]\"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, \"(\")[0]\n | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, \"\")\n | parse NetworkIcmpInfo with \"(type \" NetworkIcmpType \", code \" NetworkIcmpCode:int \") \"\n | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,\"/\"), DstIpAddrAndPort = split(DstIpAddrAndPort,\"/\")\n | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),\n SrcPortNumber = toint(SrcIpAddrAndPort[1]),\n DstIpAddr = tostring(DstIpAddrAndPort[0]),\n DstPortNumber = toint(DstIpAddrAndPort[1])\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away SrcIpAddrAndPort, DstIpAddrAndPort, NetworkIcmpInfo;\n let all_106023_41 = unparsedData\n | where DeviceEventClassID == \"106023\" and Message has \"protocol 41\"\n | parse Message with * \":\" DeviceAction \" \" ProtocolFromLog \" src \" SrcInterfaceName \":\" SrcIpAddr \" dst \" DstInterfaceName \":\" DstIpAddr ' by access-group ' NetworkRuleName ' ' *\n | parse Message with * \"(type \" NetworkIcmpType \", code \" 
NetworkIcmpCode:int \")\" *\n | extend Protocol = case(isnotempty(Protocol), Protocol,\n ProtocolFromLog endswith \"41\", \"41\",\n \"\"),\n NetworkRuleName = trim_start(@\"\\s*\",NetworkRuleName)\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | project-away ProtocolFromLog;\n let all_302013_302015_parsed = parsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" * \" \" * \" \" * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \"/\" * \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" * \"/\" * \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\";\n let all_302013_302015_unparsed = unparsedData\n | where DeviceEventClassID in (\"302013\",\"302015\")\n | parse Message with * \":\" DeviceAction \" \" NetworkDirection \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int \" (\" SrcNatIpAddr \"/\" SrcNatPortNumber:int \")\" SrcUsername \"to \" DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int \" (\" DstNatIpAddr \"/\" DstNatPortNumber:int \")\" DstUsername\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend 
ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | extend SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = trim(@\"\\s?\\(?\\)?\\s?\", DstUsername),\n NetworkDirection = case(NetworkDirection == \"inbound\", \"Inbound\",\n NetworkDirection == \"outbound\", \"Outbound\",\n \"\"),\n SessionId = NetworkSessionId,\n EventSubType = \"Start\"; \n let all_302014_unparsed = unparsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n // SrcInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n // DstInfoString is extracted from the Message and not the direct values of IP, Port, Interface and User because Username is optional here\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n 
temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n // Remaining string can have multiple formats. Mapping of all of them is as follows:\n // 1. empty --> no mapping required, RemainingString will be empty \n | parse Message with * \" bytes \" * \" \" RemainingString\n // 2. (domain\\USER001) 3. TCP FINs from OUTSIDE (domain\\USER001) 4. TCP FINs (domain\\USER001) --> DstUsernameSimple will now contain the value of the Destination Username\n | parse RemainingString with ReasonString \"(\" DstUsernameSimple \")\"\n // Now to cover case #3 and 5. TCP FINs from OUTSIDE, adding check for the word \"from\" \n | extend ReasonString = case(RemainingString has \"from\" and RemainingString !has \"(\", RemainingString,\n ReasonString)\n // Finally extract the required Reason information from the string to be utilized later\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away DstUsernameSimple, *String, Reason;\n let all_302014_parsed = parsedData\n | where DeviceEventClassID == \"302014\"\n | project-away DvcAction, EventResult\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration 
\" bytes \" NetworkBytes:long *\n | parse Message with * \" bytes \" * \" \" ReasonString\n | parse ReasonString with Reason \" from \" *\n | extend Reason = case(isempty(Reason), ReasonString,\n Reason)\n | lookup EventResultMapping on Reason\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | extend \n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\",\n EventOriginalResultDetails = iif(isnotempty(EventOriginalResultDetails), strcat(Reason, \" - \", EventOriginalResultDetails), EventOriginalResultDetails)\n | project-away Reason, ReasonString;\n let all_302016_parsed = parsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \" connection \" NetworkSessionId \" for \" SrcInterfaceName \":\" * \" to \" DstInterfaceName \":\" * \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | extend NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\";\n let all_302016_unparsed = unparsedData\n | where DeviceEventClassID == \"302016\"\n | parse Message with * \":\" DeviceAction \" \" Protocol \" connection \" NetworkSessionId \" for \" SrcInfoString \" to \" DstInfoString \" duration \" NetworkDuration \" bytes \" NetworkBytes:long *\n | parse kind=regex SrcInfoString with SrcInterfaceName \":\" SrcIpAddr \"/\" SrcPortNumber:int @\"\\(?\\s?\" SrcUsername @\"\\)?\\s?\"\n | parse kind=regex DstInfoString with DstInterfaceName \":\" DstIpAddr \"/\" DstPortNumber:int @\"\\(?\\s?\" DstUsername @\"\\)?\\s?\"\n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and 
array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\"\n | parse Message with * \" bytes \" * \" (\" DstUsernameSimple \")\"\n | extend \n SrcUsername = trim(@\"\\s?\\(?\\)?\\s?\", SrcUsername),\n DstUsername = case(isempty(DstUsername),DstUsernameSimple,\n trim(@\"\\s?\\(?\\)?\\s?\", DstUsername)),\n NetworkDuration = toint(24 * 60 * totimespan(NetworkDuration) / time(1s)),\n SessionId = NetworkSessionId,\n EventSubType = \"End\"\n | project-away DstUsernameSimple, *InfoString;\n let all_302020_302021 = parsedData\n | where DeviceEventClassID in (\"302020\",\"302021\")\n | parse Message with * \"(\" SrcUsername \")\" *\n | parse Message with * \"type \" NetworkIcmpType \" code \" NetworkIcmpCode:int *\n | extend SrcUsernameType = iif(isnotempty(SrcUsername),\"Windows\",\"\"),\n EventSubType = case(DeviceEventClassID == \"302020\", \"Start\",\n \"End\");\n let all_7_series = parsedData\n | where DeviceEventClassID in (\"710002\",\"710003\",\"710004\",\"710005\")\n | parse Message with * \" to \" DstInterfaceName \":\" *;\n let all_106007 = parsedData\n | where DeviceEventClassID == \"106007\"\n | extend DstAppName = \"DNS\"\n | parse Message with * \" due to \" EventOriginalResultDetails;\n let all_106017 = parsedData\n | where DeviceEventClassID == \"106017\"\n | extend ThreatName = \"Land Attack\";\n let all_106100_parsed = parsedData\n | where DeviceEventClassID == \"106100\" and isnotempty(SrcIpAddr)\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" 
* \" \" * \" \" * \" \" SrcInterfaceName \"/\" * \") -> \" DstInterfaceName \"/\" * \") hit-cnt \" EventCount:int *;\n let all_106100_unparsed = unparsedData\n | where DeviceEventClassID == \"106100\"\n | extend DvcAction = case(Message has \"denied\", \"Deny\",\n \"Allow\")\n | extend EventResult = case(DvcAction == \"Deny\", \"Failure\",\n \"Success\")\n | where ((array_length(dvcaction) == 0) or DvcAction has_any (dvcaction))\n | where ((eventresult == \"*\") or EventResult == eventresult)\n | parse Message with * \"access-list \" NetworkRuleName \" \" DeviceAction \" \" Protocol \" \" SrcInterfaceName \"/\" SrcIpAddr \"(\" SrcPortNumber:int \") -> \" DstInterfaceName \"/\" DstIpAddr \"(\" DstPortNumber:int \") hit-cnt \" EventCount:int * \n | where (isnull(dstportnumber) or (DstPortNumber == dstportnumber))\n | extend temp_isSrcMatch=has_any_ipv4_prefix(SrcIpAddr,src_or_any), \n temp_isDstMatch=has_any_ipv4_prefix(DstIpAddr,dst_or_any)\n | extend ASimMatchingIpAddr = case(\n array_length(src_or_any) == 0 and array_length(dst_or_any) == 0, \"-\", // match not requested\n (temp_isSrcMatch and temp_isDstMatch), \"Both\", // has to be checked before the individual \n temp_isSrcMatch, \"SrcIpAddr\",\n temp_isDstMatch, \"DstIpAddr\",\n \"No match\"\n )\n | where ASimMatchingIpAddr != \"No match\";\n let remainingLogs = parsedData\n | where DeviceEventClassID in (\"106002\", \"106012\", \"106013\", \"106020\");\n let networkaddressWatchlistData = materialize (_ASIM_GetWatchlistRaw(\"NetworkAddresses\"));\n let internalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"Internal\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n let externalInterface = networkaddressWatchlistData | where WatchlistItem.Tags has \"External\" | distinct tostring(WatchlistItem[\"Range Name\"]);\n union isfuzzy=false all_106001_alike, all_106010_alike, all_106018, all_106023, all_106023_unparsed, all_106023_41, all_302013_302015_unparsed, all_302013_302015_parsed, 
all_302014_parsed, all_302014_unparsed, all_302016_parsed, all_302016_unparsed, all_302020_302021, all_7_series, all_106007, all_106017, all_106100_parsed, all_106100_unparsed, remainingLogs\n | extend \n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = coalesce(EventCount,toint(1)),\n EventType = \"NetworkSession\",\n EventSchema = \"NetworkSession\",\n EventSchemaVersion = \"0.2.4\",\n SrcInterfaceName = tolower(SrcInterfaceName),\n DstInterfaceName = tolower(SrcInterfaceName)\n | extend \n SrcUsernameType = case(isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername) and SrcUsername !has \"@\" and SrcUsername has \"\\\\\", \"Windows\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"),\n DstUsernameType = case(isnotempty(DstUsername) and DstUsername has \"@\", \"UPN\",\n isnotempty(DstUsername) and DstUsername !has \"@\" and DstUsername has \"\\\\\", \"Windows\",\n isnotempty(DstUsername), \"Simple\",\n \"\")\n | lookup ProtocolLookup on Protocol\n | project-rename \n EventProductVersion = DeviceVersion,\n EventOriginalType = DeviceEventClassID,\n EventOriginalSeverity = OriginalLogSeverity,\n DvcOriginalAction = DeviceAction,\n EventMessage = Message,\n Dvc = Computer\n | extend\n EventSeverity = iff(isempty(EventResult) or EventResult == \"Success\", \"Informational\", \"Low\"),\n NetworkDirection = case(isnotempty(CommunicationDirection), CommunicationDirection,\n SrcInterfaceName in (internalInterface) and DstInterfaceName in (internalInterface), \"Local\",\n SrcInterfaceName in (externalInterface) and DstInterfaceName in (externalInterface), \"External\",\n DstInterfaceName in (externalInterface), \"Outbound\",\n SrcInterfaceName in (externalInterface), \"Inbound\",\n \"\"),\n NetworkProtocol = case(isempty(NetworkProtocol) and isnotempty(Protocol), toupper(Protocol),\n NetworkProtocol)\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n Duration = 
NetworkDuration,\n IpAddr = SrcIpAddr,\n Rule = NetworkRuleName,\n User = DstUsername\n | project-away CommunicationDirection, LogSeverity, Protocol, temp_*, Device*\n };\n NWParser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, dstipaddr_has_any_prefix=dstipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, dstportnumber=dstportnumber, hostname_has_any=hostname_has_any, dvcaction=dvcaction, eventresult=eventresult, disabled=disabled)",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),dstipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),dstportnumber:int=int(null),hostname_has_any:dynamic=dynamic([]),dvcaction:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json
index 51dc52a1955..4bab6c0361f 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoFirepower/vimNetworkSessionCiscoFirepower.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json
index c70fbc26768..0a1f39d183d 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoISE/vimNetworkSessionCiscoISE.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json
index 6f45b405d8a..f59995e1355 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMeraki/vimNetworkSessionCiscoMeraki.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json
index 7ebe916fb76..a9df140f4f9 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json
index dea11980926..a42765cdfb8 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCorelightZeek/vimNetworkSessionCorelightZeek.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
index a546418acdf..988e2f249a4 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionCrowdStrikeFalconHost/vimNetworkSessionCrowdStrikeFalconHost.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json
index 7a5d3ff897a..2ac58d86619 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json
@@ -32,4 +32,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json
index ba857324972..11f3dc6644b 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionForcePointFirewall/vimNetworkSessionForcePointFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json
index 3a086215c44..d6590f20603 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionFortinetFortiGate/vimNetworkSessionFortinetFortiGate.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json
index 8925cd81f0d..69a3e1cd5c7 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTAgent/vimNetworkSessionMD4IoTAgent.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
index 55a8f122183..9e4dc0dfad3 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMD4IoTSensor/vimNetworkSessionMD4IoTSensor.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
index 8673d8717b4..7febb43433b 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/vimNetworkSessionMicrosoft365Defender.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
index f0cdaf3bd64..38f90cdef63 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/vimNetworkSessionMicrosoftLinuxSysmon.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json
index b0c8ada05ca..550d3e0664e 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSecurityEventFirewall/vimNetworkSessionMicrosoftSecurityEventFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json
index 874a35dc85d..04633655097 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmon/vimNetworkSessionMicrosoftSysmon.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json
index 49666efc4b6..780b89a76d3 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftSysmonWindowsEvent/vimNetworkSessionMicrosoftSysmonWindowsEvent.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json
index 49edb72a4ef..1cd61b59a71 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/vimNetworkSessionMicrosoftWindowsEventFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json
index 76cc5af26db..6757e6afb8d 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionNative/vimNetworkSessionNative.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json
index 41068b9fe31..04ca23ff391 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCEF/vimNetworkSessionPaloAltoCEF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json
index b9b4284ad1d..2823fbb769a 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionPaloAltoCortexDataLake/vimNetworkSessionPaloAltoCortexDataLake.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json
index 3191da3f9c0..ea35eea9d55 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSentinelOne/vimNetworkSessionSentinelOne.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json
index b45506ed48b..5a31daa469e 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/vimNetworkSessionSonicWallFirewall.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json
index 044f4869f8e..482c1b1f1e3 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMConnection/vimNetworkSessionVMConnection.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json
index 7e2ff29b9b9..e4fdc08c079 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVMwareCarbonBlackCloud/vimNetworkSessionVMwareCarbonBlackCloud.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json
index a46f817f897..f6122492ceb 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionVectraAI/vimNetworkSessionVectraAI.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json
index 9fcdcc9e9ce..0fe64b8f7fb 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionWatchGuardFirewareOS/vimNetworkSessionWatchGuardFirewareOS.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
index ade8927846f..f31a12497df 100644
--- a/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
+++ b/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file