+ "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet LogonMethod = datatable(FieldDeviceCustomNumber1: long, LogonMethod: string)\n[\n 1, \"Username & Password\",\n 2, \"Multi factor authentication\",\n 3, \"Multi factor authentication\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = coalesce(todatetime(start), TimeGenerated),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3, \"Multi factor 
authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n ),\n TargetUsername = coalesce(PanOSAuthenticatedUserName, DestinationUserName)\n | project-rename\n DvcIpAddr = Computer,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvcId = DeviceCustomString1,\n EventUid = _ItemId\n | extend\n TargetDvcIdType = iff(isempty(TargetDvcId), \"\", \"Other\"),\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, 
SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetDomainType = case(\n array_length(split(TargetUsername, \".\")) > 1, \"FQDN\",\n array_length(split(TargetUsername, \"\\\\\")) > 1, \"Windows\",\n \"\"\n ),\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\",\n Type = \"CommonSecurityLog\",\n EventCount = int(1)\n | project\n TimeGenerated,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n SrcHostname,\n SrcDomain,\n SrcFQDN,\n SrcDomainType,\n EventSeverity,\n EventStartTime,\n SrcIpAddr,\n TargetIpAddr,\n EventMessage,\n LogonMethod,\n DvcIpAddr,\n DvcId,\n EventOriginalResultDetails,\n EventOriginalSeverity,\n EventOriginalType,\n EventOriginalUid,\n EventProductVersion,\n LogonProtocol,\n SrcDvcOs,\n TargetUsername,\n TargetUserId,\n TargetDomain,\n TargetDomainType,\n EventOriginalSubType,\n HttpUserAgent,\n TargetDvcScopeId,\n TargetSessionId,\n TargetDvcId,\n TargetDvcIdType,\n EventUid,\n Dvc,\n EventEndTime,\n EventResult,\n Dst,\n Src,\n TargetUserType,\n User,\n IpAddr,\n DvcIdType,\n TargetUserIdType,\n TargetUsernameType,\n EventSchema,\n EventSchemaVersion,\n EventType,\n EventProduct,\n EventVendor,\n Type,\n EventCount\n};\nparser(disabled=disabled)\n",
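Review bot: The second `extend` block ends with a trailing comma before the next pipe — `TargetDomainType = case(... , \"\"\n ),\n | extend` — which KQL does not accept in an extend list, so the parser appears to fail to compile as written; dropping the comma, `)\n | extend`, fixes it. The `LogonMethod` datatable declared at the top is never referenced: the same mapping is re-spelled inline in the `case(...)` expression, so either `| lookup LogonMethod on FieldDeviceCustomNumber1` should replace the `case`, or the datatable should be removed to keep one source of truth. `EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\")` labels every AUTH event that does not mention an invalid certificate as a success, so any other failure reason the source reports would surface as a successful logon; I'd hedge this against the vendor's AUTH message semantics before detections depend on `EventResult`, and at minimum document the assumption with a comment such as `// EventResult: only certificate failures are recognised as Failure — confirm other AUTH failure messages`.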