From 0e710b9ffbe63fefabac1765298c31e58cc2a15c Mon Sep 17 00:00:00 2001
From: v-sabiraj
Date: Fri, 10 Jan 2025 11:32:37 +0530
Subject: [PATCH] Updated parser for ASIM ciscoASA

---
 .../Parsers/ASimNetworkSessionCiscoASA.yaml | 9 ++++++---
 .../Parsers/vimNetworkSessionCiscoASA.yaml  | 9 ++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
index 00910395c62..90935bb37f2 100644
--- a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml
@@ -1,12 +1,12 @@
 Parser:
   Title: Network Session ASIM parser for Cisco ASA
-  Version: '1.0'
-  LastUpdated: August 03, 2022
+  Version: '0.1.1'
+  LastUpdated: Jan 09, 2025
 Product:
   Name: CiscoASA
 Normalization:
   Schema: NetworkSession
-  Version: '0.2.4'
+  Version: '0.2.6'
 References:
 - Title: ASIM Network Session Schema
   Link: https://aka.ms/ASimNetworkSessionDoc
@@ -273,6 +273,9 @@ ParserQuery: |
   let all_106023_unparsed = unparsedData
     | where DeviceEventClassID == "106023" and not(Message has "protocol 41")
     | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort "(" SrcUsername ") dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+    | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort " dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+    | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, "(")[0]
+    | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, "")
     | parse NetworkIcmpInfo with "(type " NetworkIcmpType ", code " NetworkIcmpCode:int ") "
     | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,"/"), DstIpAddrAndPort = split(DstIpAddrAndPort,"/")
     | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),
diff --git a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
index d0f0fe6a39b..2b17960524d 100644
--- a/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
+++ b/Parsers/ASimNetworkSession/Parsers/vimNetworkSessionCiscoASA.yaml
@@ -1,12 +1,12 @@
 Parser:
   Title: Network Session ASIM parser for Cisco ASA
-  Version: '1.0'
-  LastUpdated: August 03, 2022
+  Version: '0.1.1'
+  LastUpdated: Jan 09, 2025
 Product:
   Name: CiscoASA
 Normalization:
   Schema: NetworkSession
-  Version: '0.2.4'
+  Version: '0.2.6'
 References:
 - Title: ASIM Network Session Schema
   Link: https://aka.ms/ASimNetworkSessionDoc
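Review bot: The added `split(SrcIpAddrAndPort, "(")[0]` leaves SrcIpAddrAndPort as a dynamic value, and two lines later the unchanged `split(SrcIpAddrAndPort,"/")` expects a string, so the new line should read `| extend SrcIpAddrAndPort = tostring(split(SrcIpAddrAndPort, "(")[0])` to match the `tostring(...)` convention the rest of this block already uses for split results. The added `iff(isnotempty(SrcUsername), SrcUsername, "")` is a no-op, since a failed first `parse` already leaves SrcUsername empty; either drop it or make it the explicit `coalesce(SrcUsername, "")` if a null rather than empty string is what you are guarding against. Both `parse` calls declare the same column names (DeviceAction, Protocol, SrcIpAddrAndPort, ...), which presumably relies on the second parse overriding the first — worth confirming against the Kusto `parse` rules for existing column names, and a brief comment such as `// second parse handles 106023 messages without a "(user)" suffix; the first keeps SrcUsername` would explain why the message is parsed twice. The `let all_106023_unparsed` statement continues past the end of the hunk.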
@@ -329,6 +329,9 @@ ParserQuery: |
   let all_106023_unparsed = unparsedData
     | where DeviceEventClassID == "106023" and not(Message has "protocol 41")
     | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort "(" SrcUsername ") dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+    | parse Message with * ":" DeviceAction " " Protocol " src " SrcInterfaceName ":" SrcIpAddrAndPort " dst " DstInterfaceName ":" DstIpAddrAndPort " " NetworkIcmpInfo 'by access-group "' NetworkRuleName '" [' * "]"
+    | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort, "(")[0]
+    | extend SrcUsername = iff(isnotempty(SrcUsername), SrcUsername, "")
     | parse NetworkIcmpInfo with "(type " NetworkIcmpType ", code " NetworkIcmpCode:int ") "
     | extend SrcIpAddrAndPort = split(SrcIpAddrAndPort,"/"), DstIpAddrAndPort = split(DstIpAddrAndPort,"/")
     | extend SrcIpAddr = tostring(SrcIpAddrAndPort[0]),
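Review bot: Same defect as in the ASim parser: the new `split(SrcIpAddrAndPort, "(")[0]` yields a dynamic that the unchanged `split(SrcIpAddrAndPort,"/")` two lines below consumes as a string, so it should be `| extend SrcIpAddrAndPort = tostring(split(SrcIpAddrAndPort, "(")[0])`. Since the vim parser is the filtered variant used by the schema-level detection rules, the 106023 deny events that previously failed the username-bearing `parse` (empty SrcIpAddr/DstIpAddr) will only become visible to those rules once this column carries a proper string. The `iff(isnotempty(SrcUsername), SrcUsername, "")` line does not change any value and can be removed, or replaced by a comment stating that SrcUsername is expected to be empty for messages without the `(user)` suffix. The `let all_106023_unparsed` statement continues beyond the hunk.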