

[ASIM Parsers] Generate deployable ARM templates from KQL function YA…
…ML files.
github-actions[bot] committed Nov 10, 2022
1 parent 16fb161 commit c06b711
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -35,7 +35,7 @@
"displayName": "DNS activity ASIM filtering parser for Sysmon for Windows",
"category": "ASIM",
"FunctionAlias": "vimDnsMicrosoftSysmon",
"query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_Event =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n) \n{\n Event | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n // -- Pre-parsing filtering (srcipaddr not available, responsecodename not optimizable)\n | where\n (eventtype in~ ('Query', 'lookup'))\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n // --\n | parse EventData with \n * \n '<Data Name=\"RuleName\">' RuleName:string '</Data>' \n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"QueryName\">' DnsQuery:string '</Data>'\n '<Data Name=\"QueryStatus\">' DnsResponseCode:int '</Data>'\n '<Data Name=\"QueryResults\">' 
DnsResponseName:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n *\n | project-away EventData, ParameterXml, RenderedDescription \n // -- Post-filtering tests differnt for Event and WindowsEvent\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | project-rename SrcUsername = UserName\n | extend Username = SrcUsername\n };\nlet ParsedDnsEvent_WindowsEvent =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n WindowsEvent | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n // -- Pre-parsing filtering (srcipaddr not available)\n | where\n (eventtype=='lookup')\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n | extend DnsResponseCode = toint(EventData.QueryStatus)\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n ProcessGuid = extract ('{(.*)}', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseName = tostring(EventData.QueryResults),\n Process = tostring(EventData.Image)\n | project-away 
EventData\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n};\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n union isfuzzy=true \n ParsedDnsEvent_Event (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n , ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer\n| extend\n EventOriginalUid = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.3\",\n EventType = 'lookup',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows'\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername\n// -- Backward Computability\n| 
extend\n Query=DnsQuery,\n ResponseCodeName=DnsResponseCodeName \n};\nParsedDnsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)",
"query": "let RCodeTable=datatable(DnsResponseCode:int,DnsResponseCodeName:string)[\n // See https://docs.microsoft.com/windows/win32/debug/system-error-codes--9000-11999-\n 0, 'NOERROR'\n , 9001, \"FORMERR\"\n , 9002,\"SERVFAIL\"\n , 9003,'NXDOMAIN'\n , 9004,'NOTIMP'\n , 9005,'REFUSED'\n , 9006,'YXDOMAIN'\n , 9007,'YXRRSET'\n , 9008,'NXRRSET'\n , 9009,'NOTAUTH'\n , 9010,'NOTZONE'\n , 9011,'DSOTYPENI'\n , 9016,'BADVERS'\n , 9016,'BADSIG'\n , 9017,'BADKEY'\n , 9018,'BADTIME'\n , 9019,'BADMODE'\n , 9020,'BADNAME'\n , 9021,'BADALG'\n , 9022,'BADTRUNC'\n , 9023,'BADCOOKIE'\n , 1460, 'TIMEOUT'\n];\nlet ParsedDnsEvent_Event =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n , disabled:bool=false\n) \n{\n Event | where not(disabled)\n | where Source == \"Microsoft-Windows-Sysmon\" and EventID==22\n // -- Pre-parsing filtering (srcipaddr not available, responsecodename not optimizable)\n | where\n (eventtype in~ ('Query', 'lookup'))\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n // --\n | parse EventData with \n * \n '<Data Name=\"RuleName\">' RuleName:string '</Data>' \n '<Data Name=\"UtcTime\">' EventEndTime:datetime '</Data>'\n '<Data Name=\"ProcessGuid\">{' ProcessGuid:string '}</Data>'\n '<Data Name=\"ProcessId\">' ProcessId:string '</Data>'\n '<Data Name=\"QueryName\">' DnsQuery:string '</Data>'\n '<Data Name=\"QueryStatus\">' DnsResponseCode:int '</Data>'\n '<Data Name=\"QueryResults\">' 
DnsResponseName:string '</Data>'\n '<Data Name=\"Image\">' Process:string '</Data>'\n *\n | project-away EventData, ParameterXml, RenderedDescription \n // -- Post-filtering tests differnt for Event and WindowsEvent\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | project-rename SrcUsername = UserName\n | extend Username = SrcUsername\n };\nlet ParsedDnsEvent_WindowsEvent =(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n WindowsEvent | where not(disabled)\n | where Provider == \"Microsoft-Windows-Sysmon\" and EventID == 22\n // -- Pre-parsing filtering (srcipaddr not available)\n | where\n (eventtype=='lookup')\n and (srcipaddr=='*')\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(domain_has_any) ==0 or EventData has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(EventData,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(EventData, response_has_any_prefix))\n | extend DnsResponseCode = toint(EventData.QueryStatus)\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n // --\n | extend \n RuleName = tostring(EventData.RuleName),\n EventEndTime = todatetime(EventData.UtcTime),\n ProcessGuid = extract ('^{(.*)}$', 1, tostring(EventData.ProcessGuid), typeof(string)),\n ProcessId = tostring(EventData.ProcessId), \n DnsQuery = tostring(EventData.QueryName),\n DnsResponseName = tostring(EventData.QueryResults),\n Process = tostring(EventData.Image)\n | project-away 
EventData\n | lookup RCodeTable on DnsResponseCode\n | where (responsecodename==\"*\" or DnsResponseCodeName has responsecodename) // -- filter is not optimized\n};\nlet ParsedDnsEvent=(\n starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n , srcipaddr:string='*'\n , domain_has_any:dynamic=dynamic([]) \n , responsecodename:string='*', response_has_ipv4:string='*'\n , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup'\n , disabled:bool=false\n) \n{\n union isfuzzy=true \n ParsedDnsEvent_Event (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n , ParsedDnsEvent_WindowsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)\n// -- Post-filtering accurately now that message is parsed\n| where\n (array_length(domain_has_any) == 0 or DnsQuery has_any (domain_has_any))\n and (response_has_ipv4=='*' or has_ipv4(DnsResponseName,response_has_ipv4) )\n and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DnsResponseName, response_has_any_prefix))\n// --\n| project-rename \n DvcHostname = Computer\n| extend\n EventOriginalUid = '22',\n EventCount=int(1),\n EventProduct = 'Sysmon',\n EventVendor = 'Microsoft',\n EventSchema = 'Dns',\n EventSchemaVersion=\"0.1.3\",\n EventType = 'lookup',\n EventResult = iff (DnsResponseCode == 0,'Success','Failure'),\n EventStartTime = EventEndTime,\n EventSubType= 'response',\n EventSeverity= iif (DnsResponseCode == 0, 'Informational', 'Low'),\n SrcUsernameType = 'Windows'\n// -- Aliases\n| extend \n EventResultDetails = DnsResponseCodeName,\n Domain = DnsQuery,\n Dvc = DvcHostname,\n SrcHostname = DvcHostname,\n Src = DvcHostname,\n Hostname=DvcHostname,\n DnsResponseCode = toint(iff (DnsResponseCode > 9000 and DnsResponseCode < 9100, DnsResponseCode-9000, DnsResponseCode)),\n User = SrcUsername\n// -- Backward Computability\n| 
extend\n Query=DnsQuery,\n ResponseCodeName=DnsResponseCodeName \n};\nParsedDnsEvent (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr:string='*',domain_has_any:dynamic=dynamic([]),responsecodename:string='*',response_has_ipv4:string='*',response_has_any_prefix:dynamic=dynamic([]),eventtype:string='Query',disabled:bool=False"
}

