Skip to content

Commit

Permalink
Merge branch 'users/demehra/fortinetasim' of https://github.com/Azure…
Browse files Browse the repository at this point in the history 
…/Azure-Sentinel into users/demehra/fortinetasim
  • Loading branch information
@devikamehra
devikamehra committed Nov 10, 2022
2 parents 19d9797 + 8d6d706 commit f69440f
Show file tree
Hide file tree
Showing 7 changed files with 18 additions and 41 deletions.
2 changes: 1 addition & 1 deletion ...kSession/ARM/ASimNetworkSessionFortinetFortiGate/ASimNetworkSessionFortinetFortiGate.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,7 @@
"displayName": "Network Session ASIM parser for Fortinet FortiGate",
"category": "ASIM",
"FunctionAlias": "ASimNetworkSessionFortinetFortiGate",
"query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n[\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\nlet Parser=(disabled:bool=false){\n CommonSecurityLog \n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and AdditionalExtensions has \"cat=traffic\"\n | where DeviceAction != \"dns\"\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceName,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = DeviceName\n , EventEndTime = TimeGenerated\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n | lookup EventLookup on DeviceAction \n | lookup ProtocolLookup on Protocol\n | project-rename DvcOriginalAction = DeviceAction\n | parse AdditionalExtensions with \"start=\" EventStartTime:datetime \n \";\" * \"srcintfrole=\" SrcZone \n \";\" * \"dstintfrole=\" DstZone\n \";\" * \"externalID=\" NetworkSessionId\n \";\" * \"policyid=\" NetworkRuleNumber:int\n \";\" * \"dstcountry=\" DstGeoCountry\n \";\" * \"srccountry=\" SrcGeoCountry\n \";\" *\n | parse AdditionalExtensions with * \"crscore=\" ThreatRiskLevel:int\n \";\" *\n | parse AdditionalExtensions with * \"duration=\" NetworkDuration:int\n \";\" * \"sentpkt=\" SrcPackets:long\n \";\" * \"rcvdpkt=\" DstPackets:long\n \";\" *\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventSeverity = iif(EventOriginalSeverity == 5, \"Informational\", \"\")\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , NetworkBytes = DstBytes + SrcBytes\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = tostring(NetworkRuleNumber),\n Duration = NetworkDuration\n | project-away Protocol\n};\nParser (disabled=disabled)",
"query": "let EventLookup=datatable(DeviceAction:string,DvcAction:string,EventResult:string,EventResultDetails:string)\n[\n \"accept\",\"Allow\",\"Success\",\"\"\n , \"client-rst\",\"Reset Source\",\"Failure\",\"\"\n , \"close\",\"\",\"Success\",\"\"\n , \"deny\",\"Deny\",\"Failure\",\"\"\n , \"ip-conn\",\"\",\"Failure\",\"IP connection error\"\n , \"server-rst\",\"Reset Destination\",\"Failure\",\"\"\n , \"timeout\",\"\",\"Failure\",\"\"\n];\nlet ProtocolLookup=datatable(Protocol:string,NetworkProtocol:string)\n[\n \"0\",\"HOPOPT\"\n , \"1\",\"ICMP\"\n , \"2\",\"IGMP\"\n , \"3\",\"GGP\"\n , \"4\",\"IPv4\"\n , \"5\",\"ST\"\n , \"6\",\"TCP\"\n , \"7\",\"CBT\"\n , \"8\",\"EGP\"\n , \"9\",\"IGP\"\n , \"10\",\"BBN-RCC-MON\"\n , \"11\",\"NVP-II\"\n , \"12\",\"PUP\"\n , \"13\",\"ARGUS (deprecated)\"\n , \"14\",\"EMCON\"\n , \"15\",\"XNET\"\n , \"16\",\"CHAOS\"\n , \"17\",\"UDP\"\n , \"18\",\"MUX\"\n , \"19\",\"DCN-MEAS\"\n , \"20\",\"HMP\"\n , \"21\",\"PRM\"\n , \"22\",\"XNS-IDP\"\n , \"23\",\"TRUNK-1\"\n , \"24\",\"TRUNK-2\"\n , \"25\",\"LEAF-1\"\n , \"26\",\"LEAF-2\"\n , \"27\",\"RDP\"\n , \"28\",\"IRTP\"\n , \"29\",\"ISO-TP4\"\n , \"30\",\"NETBLT\"\n , \"31\",\"MFE-NSP\"\n , \"32\",\"MERIT-INP\"\n , \"33\",\"DCCP\"\n , \"34\",\"3PC\"\n , \"35\",\"IDPR\"\n , \"36\",\"XTP\"\n , \"37\",\"DDP\"\n , \"38\",\"IDPR-CMTP\"\n , \"39\",\"TP++\"\n , \"40\",\"IL\"\n , \"41\",\"IPv6\"\n , \"42\",\"SDRP\"\n , \"43\",\"IPv6-Route\"\n , \"44\",\"IPv6-Frag\"\n , \"45\",\"IDRP\"\n , \"46\",\"RSVP\"\n , \"47\",\"GRE\"\n , \"48\",\"DSR\"\n , \"49\",\"BNA\"\n , \"50\",\"ESP\"\n , \"51\",\"AH\"\n , \"52\",\"I-NLSP\"\n , \"53\",\"SWIPE (deprecated)\"\n , \"54\",\"NARP\"\n , \"55\",\"MOBILE\"\n , \"56\",\"TLSP\"\n , \"57\",\"SKIP\"\n , \"58\",\"IPv6-ICMP\"\n , \"59\",\"IPv6-NoNxt\"\n , \"60\",\"IPv6-Opts\"\n , \"61\",\"\"\n , \"62\",\"CFTP\"\n , \"63\",\"\"\n , \"64\",\"SAT-EXPAK\"\n , \"65\",\"KRYPTOLAN\"\n , \"66\",\"RVD\"\n , \"67\",\"IPPC\"\n , \"68\",\"\"\n , \"69\",\"SAT-MON\"\n , \"70\",\"VISA\"\n , \"71\",\"IPCV\"\n , \"72\",\"CPNX\"\n , \"73\",\"CPHB\"\n , \"74\",\"WSN\"\n , \"75\",\"PVP\"\n , \"76\",\"BR-SAT-MON\"\n , \"77\",\"SUN-ND\"\n , \"78\",\"WB-MON\"\n , \"79\",\"WB-EXPAK\"\n , \"80\",\"ISO-IP\"\n , \"81\",\"VMTP\"\n , \"82\",\"SECURE-VMTP\"\n , \"83\",\"VINES\"\n , \"84\",\"TTP\"\n , \"84\",\"IPTM\"\n , \"85\",\"NSFNET-IGP\"\n , \"86\",\"DGP\"\n , \"87\",\"TCF\"\n , \"88\",\"EIGRP\"\n , \"89\",\"OSPFIGP\"\n , \"90\",\"Sprite-RPC\"\n , \"91\",\"LARP\"\n , \"92\",\"MTP\"\n , \"93\",\"AX.25\"\n , \"94\",\"IPIP\"\n , \"95\",\"MICP (deprecated)\"\n , \"96\",\"SCC-SP\"\n , \"97\",\"ETHERIP\"\n , \"98\",\"ENCAP\"\n , \"99\",\"\"\n , \"100\",\"GMTP\"\n , \"101\",\"IFMP\"\n , \"102\",\"PNNI\"\n , \"103\",\"PIM\"\n , \"104\",\"ARIS\"\n , \"105\",\"SCPS\"\n , \"106\",\"QNX\"\n , \"107\",\"A/N\"\n , \"108\",\"IPComp\"\n , \"109\",\"SNP\"\n , \"110\",\"Compaq-Peer\"\n , \"111\",\"IPX-in-IP\"\n , \"112\",\"VRRP\"\n , \"113\",\"PGM\"\n , \"114\",\"\"\n , \"115\",\"L2TP\"\n , \"116\",\"DDX\"\n , \"117\",\"IATP\"\n , \"118\",\"STP\"\n , \"119\",\"SRP\"\n , \"120\",\"UTI\"\n , \"121\",\"SMP\"\n , \"122\",\"SM (deprecated)\"\n , \"123\",\"PTP\"\n , \"124\",\"ISIS over IPv4\"\n , \"125\",\"FIRE\"\n , \"126\",\"CRTP\"\n , \"127\",\"CRUDP\"\n , \"128\",\"SSCOPMCE\"\n , \"129\",\"IPLT\"\n , \"130\",\"SPS\"\n , \"131\",\"PIPE\"\n , \"132\",\"SCTP\"\n , \"133\",\"FC\"\n , \"134\",\"RSVP-E2E-IGNORE\"\n , \"135\",\"Mobility Header\"\n , \"136\",\"UDPLite\"\n , \"137\",\"MPLS-in-IP\"\n , \"138\",\"manet\"\n , \"139\",\"HIP\"\n , \"140\",\"Shim6\"\n , \"141\",\"WESP\"\n , \"142\",\"ROHC\"\n , \"143\",\"Ethernet\"\n , \"253\",\"\"\n , \"254\",\"\"\n , \"255\",\"Reserved\"];\nlet Parser=(disabled:bool=false){\n CommonSecurityLog \n | where not(disabled)\n | where DeviceVendor == \"Fortinet\" and DeviceProduct startswith \"FortiGate\" and AdditionalExtensions has \"cat=traffic\"\n | where DeviceAction != \"dns\"\n | project Activity,AdditionalExtensions,DestinationIP,DestinationPort,DeviceAction,DeviceInboundInterface,DeviceName,DeviceOutboundInterface,DeviceProduct,DeviceVersion,LogSeverity,Protocol,ReceivedBytes,SentBytes,SourceIP,SourcePort,TimeGenerated\n | project-rename DstBytes = ReceivedBytes\n , DstInterfaceName = DeviceOutboundInterface\n , DstIpAddr = DestinationIP\n , DstPortNumber = DestinationPort\n , Dvc = DeviceName\n , EventMessage = Activity\n , EventOriginalSeverity = LogSeverity\n , EventProduct = DeviceProduct\n , EventProductVersion = DeviceVersion\n , SrcBytes = SentBytes\n , SrcInterfaceName = DeviceInboundInterface\n , SrcIpAddr = SourceIP\n , SrcPortNumber = SourcePort\n | lookup EventLookup on DeviceAction \n | lookup ProtocolLookup on Protocol\n | project-rename DvcOriginalAction = DeviceAction\n | parse AdditionalExtensions with \"start=\" EventStartTime:datetime \n \";\" * \"srcintfrole=\" SrcZone \n \";\" * \"dstintfrole=\" DstZone\n \";\" * \"externalID=\" NetworkSessionId\n \";\" * \"policyid=\" NetworkRuleNumber:int\n \";\" * \"dstcountry=\" DstGeoCountry\n \";\" * \"srccountry=\" SrcGeoCountry\n \";\" *\n | parse AdditionalExtensions with * \"crscore=\" ThreatRiskLevel:int\n \";\" *\n | parse AdditionalExtensions with * \"duration=\" NetworkDuration:int\n \";\" * \"sentpkt=\" SrcPackets:long\n \";\" * \"rcvdpkt=\" DstPackets:long\n \";\" *\n | extend EventCount = int(1)\n , EventSchema = \"NetworkSession\"\n , EventSchemaVersion = \"0.2.3\"\n , EventSeverity = iif(EventOriginalSeverity == 5, \"Informational\", \"\")\n , EventType = \"NetworkSession\"\n , EventVendor = \"Fortinet\"\n , NetworkBytes = DstBytes + SrcBytes\n , EventEndTime = TimeGenerated\n , NetworkProtocolVersion = case(DstIpAddr contains \".\", \"IPv4\"\n , DstIpAddr contains \":\", \"IPv6\"\n , \"\")\n , NetworkPackets = DstPackets + SrcPackets\n | extend \n Src = SrcIpAddr,\n Dst = DstIpAddr,\n SessionId = NetworkSessionId,\n IpAddr = SrcIpAddr,\n Rule = tostring(NetworkRuleNumber),\n Duration = NetworkDuration\n | project-away Protocol\n};\nParser (disabled=disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
Expand Down
Loading

0 comments on commit f69440f

Please sign in to comment.