-
Notifications
You must be signed in to change notification settings - Fork 3.6k
Expand file tree
/
Copy pathASimWebSessionCitrixNetScaler.yaml
More file actions
154 lines (154 loc) · 5.85 KB
/
ASimWebSessionCitrixNetScaler.yaml
File metadata and controls
154 lines (154 loc) · 5.85 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
Parser:
Title: Web Session ASIM parser for Citrix NetScaler(Web App Firewall)
Version: '0.1.1'
LastUpdated: Jun 26, 2025
Product:
Name: Citrix NetScaler
Normalization:
Schema: WebSession
Version: '0.2.6'
References:
- Title: ASIM Web Session Schema
Link: https://aka.ms/ASimWebSessionDoc
- Title: ASIM
Link: https://aka.ms/AboutASIM
- Title: Citrix NetScaler WAF Documentation
Link:
https://support.citrix.com/article/CTX136146/common-event-format-cef-logging-support-in-the-application-firewall
https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/logs
https://docs.netscaler.com/en-us/citrix-adc/current-release/application-firewall/xml-protections/xml-cross-site-scripting-check
Description: |
This ASIM parser supports normalizing Citrix NetScaler WAF(Web Application Firewall) logs to the ASIM Web Session normalized schema. Citrix NetScaler WAF(Web Application Firewall) events are captured through Citrix WAF (Web App Firewall) data connector which ingests web attack logs into Microsoft Sentinel in CEF format via Syslog.
ParserName: ASimWebSessionCitrixNetScaler
EquivalentBuiltInParser: _ASim_WebSession_CitrixNetScaler
ParserParams:
- Name: disabled
Type: bool
Default: false
ParserQuery: |
let EventSeverityLookup = datatable (DeviceCustomString4: string, EventSeverity: string)
[
"EMERGENCY", "High",
"ALERT", "High",
"CRITICAL", "High",
"ERROR", "Medium",
"WARNING", "Low",
"NOTICE", "Low",
"INFORMATIONAL", "Informational",
"DEBUG", "Informational",
"INFO", "Informationl",
"WARN", "Low",
"ERR", "Medium"
];
let EventFieldsLookup = datatable(
DeviceAction: string,
DvcAction: string,
EventResult: string
)
[
"blocked", "Deny", "Failure",
"not blocked", "Allow", "Success",
"transformed", "Allow", "Success"
];
let parser = (disabled: bool=false) {
CommonSecurityLog
| where not(disabled)
| where DeviceVendor == "Citrix" and DeviceProduct == "NetScaler"
| where DeviceEventClassID == "APPFW" and Activity has_any ("APPFW_STARTURL", "APPFW_XML_cross-site scripting", "APPFW_SAFECOMMERCE", "APPFW_SAFECOMMERCE_XFORM", "APPFW_SIGNATURE_MATCH", "APPFW_XML_ERR_NOT_WELLFORMED", "APPFW_FIELDCONSISTENCY", "APPFW_SQL", "APPFW_BUFFEROVERFLOW_URL", "APPFW_BUFFEROVERFLOW_COOKIE", "APPFW_cross-site scripting", "APPFW_FIELDFORMAT", "APPFW_REFERER_HEADER", "APPFW_XSS")
| parse-kv AdditionalExtensions as (method: string, geolocation: string, script: string) with (pair_delimiter=";", kv_delimiter="=")
| parse RequestURL with * "://" host: string "/" *
| extend
DeviceAction = trim("[*]+", DeviceAction),
Ip_host = iff(host matches regex "(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", host, ""),
Ip_computer = iff(Computer matches regex "(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.(([0-9]{1,3})))", Computer, ""),
HttpHost = host
| lookup EventFieldsLookup on DeviceAction
| lookup EventSeverityLookup on DeviceCustomString4
| extend
host = iff(isempty(Ip_host), host, ""),
Computer = iff(isempty(Ip_computer), Computer, ""),
AdditionalFields = bag_pack(
"Script", script,
"Event ID", FieldDeviceCustomNumber1,
"HTTP Transaction ID", FieldDeviceCustomNumber2,
"Profile Name", DeviceCustomString1,
"PPE ID", DeviceCustomString2,
"Signature Violation Category", DeviceCustomString6
)
| invoke _ASIM_ResolveDvcFQDN('Computer')
| invoke _ASIM_ResolveDstFQDN('host')
| extend
DstIpAddr = tostring(split(Ip_host, ":")[0]),
DstPortNumber = toint(split(Ip_host, ":")[1]),
DvcIpAddr = tostring(split(Ip_computer, ":")[0])
| extend
DstHostname = coalesce(DstIpAddr, DstHostname)
| extend
EventProduct = "NetScaler",
EventVendor = "Citrix",
EventCount = int(1),
EventStartTime = TimeGenerated,
EventSchema = "WebSession",
EventSchemaVersion = "0.2.6",
EventType = "HTTPsession"
| project-rename
EventUid = _ItemId,
SrcIpAddr = SourceIP,
DvcOriginalAction = DeviceAction,
EventMessage = Message,
EventOriginalSeverity = DeviceCustomString4,
EventProductVersion = DeviceVersion,
HttpRequestMethod = method,
NetworkSessionId = DeviceCustomString3,
SrcPortNumber = SourcePort,
Url = RequestURL,
EventOriginalType = DeviceEventClassID,
EventOriginalSubType = Activity,
SrcGeoCountry = geolocation
| extend
EventEndTime = EventStartTime,
Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr),
Src = SrcIpAddr,
Dst = DstHostname,
Hostname = DstHostname,
IpAddr = SrcIpAddr,
SessionId = NetworkSessionId
| project-away
Source*,
Destination*,
Device*,
AdditionalExtensions,
CommunicationDirection,
Computer,
EndTime,
EventOutcome,
FieldDevice*,
Flex*,
File*,
Old*,
MaliciousIP*,
OriginalLogSeverity,
Process*,
Protocol,
ReceivedBytes,
SentBytes,
Remote*,
Request*,
SimplifiedDeviceAction,
StartTime,
TenantId,
Threat*,
ExternalID,
ReportReferenceLink,
ReceiptTime,
Reason,
ApplicationProtocol,
Indicator*,
Ip_*,
LogSeverity,
_ResourceId,
host,
script,
ExtID
};
parser(disabled=disabled)