updated

v-sreddyt · v-sreddyt · commit 729088479b72 · 2025-06-27T13:26:29.000+05:30
diff --git a/Solutions/Amazon Web Services NetworkFirewall/Data Connectors/AWSNetworkFirewallLogs_CCP/AWSNetworkFirewallLog_DCR.json b/Solutions/Amazon Web Services NetworkFirewall/Data Connectors/AWSNetworkFirewallLogs_CCP/AWSNetworkFirewallLog_DCR.json
@@ -85,7 +85,7 @@
 					"destinations": [
 						"clv2ws1"
 					],
-					"transformKql": "source | extend TimeGenerated = now()  | extend FirewallName = firewall_name, EventTimestamp = event_timestamp, AvailabilityZone = availability_zone, TCPFlags = tostring(event.tcp.tcp_flags), Syn = tobool(event.tcp.syn), Fin = tobool(event.tcp.fin), Psh = tobool(event.tcp.psh), Ack = tobool(event.tcp.ack), Ecn= tobool(event.tcp.ecn), Rst = tobool(event.tcp.rst),AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), NetFlowPkts = tostring(event.netflow.pkts), NetFlowBytes = tostring(event.netflow.bytes), NetFlowStart = todatetime(event.netflow.start), NetFlowEnd = todatetime(event.netflow.end), NetFlowAge = tostring(event.netflow.age), NetFlowMinttl = tostring(event.netflow.min_ttl), NetFlowMaxttl = tostring(event.netflow.max_ttl), EventType = tostring(event.event_type) | where EventType == \"netflow\" |extend FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto)  | project-away event, availability_zone, firewall_name",
+					"transformKql": "source | extend TimeGenerated = now()  | extend FirewallName = firewall_name, EventTimestamp = event_timestamp, AvailabilityZone = availability_zone, TCPFlags = tostring(event.tcp.tcp_flags), Syn = tobool(event.tcp.syn), Fin = tobool(event.tcp.fin), Psh = tobool(event.tcp.psh), Ack = tobool(event.tcp.ack), Ecn= tobool(event.tcp.ecn), Rst = tobool(event.tcp.rst),AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), NetFlowPkts = tostring(event.netflow.pkts), NetFlowBytes = tostring(event.netflow.bytes), NetFlowStart = todatetime(event.netflow.start), NetFlowEnd = todatetime(event.netflow.end), NetFlowAge = tostring(event.netflow.age), NetFlowMinttl = tostring(event.netflow.min_ttl), NetFlowMaxttl = tostring(event.netflow.max_ttl), EventType = tostring(event.event_type) | where EventType == \"netflow\" |extend FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto), EventType",
 					"outputStream": "Microsoft-AWSNetworkFirewallFlow"
 				},
 				{
@@ -95,7 +95,7 @@
 					"destinations": [
 						"clv2ws1"
 					],
-					"transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = event_timestamp, TxId = tostring(event.tx_id), AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), EventType = tostring(event.event_type) | where EventType == \"alert\" | extend Severity = tostring(event.alert.severity), SignatureId = tostring(event.alert.signature_id), Rev = tostring(event.alert.rev), Signature = tostring(event.alert.signature), AlertAction = tostring(event.alert.action), Category = tostring(event.alert.category), FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto), VerdictAction = tostring(event.verdict.action), Sni = tostring(event.tls.sni), Version = tostring(event.tls.version), PktSrc = tostring(event.pkt_src), Direction = tostring(event.direction) | project-away event",
+					"transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = todatetime(event_timestamp), TxId = tostring(event.tx_id), AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), EventType = tostring(event.event_type) | where EventType == \"alert\" | extend Severity = tostring(event.alert.severity), SignatureId = tostring(event.alert.signature_id), Rev = tostring(event.alert.rev), Signature = tostring(event.alert.signature), AlertAction = tostring(event.alert.action), Category = tostring(event.alert.category), FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto), VerdictAction = tostring(event.verdict.action), Sni = tostring(event.tls.sni), Version = tostring(event.tls.version), PktSrc = tostring(event.pkt_src), Direction = tostring(event.direction), EventType",
 					"outputStream": "Microsoft-AWSNetworkFirewallAlert"
 				},
 				{
@@ -105,7 +105,7 @@
 					"destinations": [
 						"clv2ws1"
 					],
-					"transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = event_timestamp, SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Sni = tostring(event.sni), LeafCertificateFingerprint = tostring(event.leaf_cert_fpr), Status = tostring(event.status), Action = tostring(event.action), ErrorMessage = tostring(event.tls_error.error_message) | project-away event",
+					"transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = todatetime(event_timestamp), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Sni = tostring(event.sni), LeafCertificateFingerprint = tostring(event.leaf_cert_fpr), Status = tostring(event.status), Action = tostring(event.action), ErrorMessage = tostring(event.tls_error.error_message)",
 					"outputStream": "Microsoft-AWSNetworkFirewallTls"
 				}
 			]
diff --git a/Solutions/Amazon Web Services NetworkFirewall/Package/3.0.0.zip b/Solutions/Amazon Web Services NetworkFirewall/Package/3.0.0.zip
diff --git a/Solutions/Amazon Web Services NetworkFirewall/Package/mainTemplate.json b/Solutions/Amazon Web Services NetworkFirewall/Package/mainTemplate.json
@@ -410,7 +410,7 @@
                     "destinations": [
                       "clv2ws1"
                     ],
-                    "transformKql": "source | extend TimeGenerated = now()  | extend FirewallName = firewall_name, EventTimestamp = event_timestamp, AvailabilityZone = availability_zone, TCPFlags = tostring(event.tcp.tcp_flags), Syn = tobool(event.tcp.syn), Fin = tobool(event.tcp.fin), Psh = tobool(event.tcp.psh), Ack = tobool(event.tcp.ack), Ecn= tobool(event.tcp.ecn), Rst = tobool(event.tcp.rst),AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), NetFlowPkts = tostring(event.netflow.pkts), NetFlowBytes = tostring(event.netflow.bytes), NetFlowStart = todatetime(event.netflow.start), NetFlowEnd = todatetime(event.netflow.end), NetFlowAge = tostring(event.netflow.age), NetFlowMinttl = tostring(event.netflow.min_ttl), NetFlowMaxttl = tostring(event.netflow.max_ttl), EventType = tostring(event.event_type) | where EventType == \"netflow\" |extend FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto)  | project-away event, availability_zone, firewall_name",
+                    "transformKql": "source | extend TimeGenerated = now()  | extend FirewallName = firewall_name, EventTimestamp = event_timestamp, AvailabilityZone = availability_zone, TCPFlags = tostring(event.tcp.tcp_flags), Syn = tobool(event.tcp.syn), Fin = tobool(event.tcp.fin), Psh = tobool(event.tcp.psh), Ack = tobool(event.tcp.ack), Ecn= tobool(event.tcp.ecn), Rst = tobool(event.tcp.rst),AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), NetFlowPkts = tostring(event.netflow.pkts), NetFlowBytes = tostring(event.netflow.bytes), NetFlowStart = todatetime(event.netflow.start), NetFlowEnd = todatetime(event.netflow.end), NetFlowAge = tostring(event.netflow.age), NetFlowMinttl = tostring(event.netflow.min_ttl), NetFlowMaxttl = tostring(event.netflow.max_ttl), EventType = tostring(event.event_type) | where EventType == \"netflow\" |extend FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto), EventType",
                     "outputStream": "Microsoft-AWSNetworkFirewallFlow"
                   },
                   {
@@ -420,7 +420,7 @@
                     "destinations": [
                       "clv2ws1"
                     ],
-                    "transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = event_timestamp, TxId = tostring(event.tx_id), AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), EventType = tostring(event.event_type) | where EventType == \"alert\" | extend Severity = tostring(event.alert.severity), SignatureId = tostring(event.alert.signature_id), Rev = tostring(event.alert.rev), Signature = tostring(event.alert.signature), AlertAction = tostring(event.alert.action), Category = tostring(event.alert.category), FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto), VerdictAction = tostring(event.verdict.action), Sni = tostring(event.tls.sni), Version = tostring(event.tls.version), PktSrc = tostring(event.pkt_src), Direction = tostring(event.direction) | project-away event",
+                    "transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = todatetime(event_timestamp), TxId = tostring(event.tx_id), AppProto = tostring(event.app_proto), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), EventType = tostring(event.event_type) | where EventType == \"alert\" | extend Severity = tostring(event.alert.severity), SignatureId = tostring(event.alert.signature_id), Rev = tostring(event.alert.rev), Signature = tostring(event.alert.signature), AlertAction = tostring(event.alert.action), Category = tostring(event.alert.category), FlowId = tostring(event.flow_id), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Proto = tostring(event.proto), VerdictAction = tostring(event.verdict.action), Sni = tostring(event.tls.sni), Version = tostring(event.tls.version), PktSrc = tostring(event.pkt_src), Direction = tostring(event.direction), EventType",
                     "outputStream": "Microsoft-AWSNetworkFirewallAlert"
                   },
                   {
@@ -430,7 +430,7 @@
                     "destinations": [
                       "clv2ws1"
                     ],
-                    "transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = event_timestamp, SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Sni = tostring(event.sni), LeafCertificateFingerprint = tostring(event.leaf_cert_fpr), Status = tostring(event.status), Action = tostring(event.action), ErrorMessage = tostring(event.tls_error.error_message) | project-away event",
+                    "transformKql": "source | extend TimeGenerated = now(), FirewallName = firewall_name, AvailabilityZone = availability_zone, EventTimestamp = todatetime(event_timestamp), SrcIp = tostring(event.src_ip), SrcPort = tostring(event.src_port), DestIp = tostring(event.dest_ip), DestPort = tostring(event.dest_port), Sni = tostring(event.sni), LeafCertificateFingerprint = tostring(event.leaf_cert_fpr), Status = tostring(event.status), Action = tostring(event.action), ErrorMessage = tostring(event.tls_error.error_message)",
                     "outputStream": "Microsoft-AWSNetworkFirewallTls"
                   }
                 ]
@@ -718,6 +718,9 @@
               "defaultValue": "[parameters('workspace')]",
               "type": "securestring"
             },
+            "streamName": {
+              "type": "array"
+            },
             "connectorDefinitionName": {
               "defaultValue": "Amazon Web Services NetworkFirewall (via Codeless Connector Platform) (Preview)",
               "type": "securestring",
@@ -743,11 +746,6 @@
               "defaultValue": "queueUrl",
               "type": "securestring",
               "minLength": 1
-            },
-            "streamName": {
-              "defaultValue": "streamName",
-              "type": "array",
-              "minLength": 1
             }
           },
           "variables": {
@@ -787,14 +785,14 @@
               "kind": "AmazonWebServicesS3",
               "properties": {
                 "connectorDefinitionName": "AwsNetworkFirewallCcpDefinition",
-                "destinationTable": "AWSNetworkFirewallAlert",
+                "destinationTable": "[[concat(parameters('streamName')[0],'_CL')]",
                 "dataTypes": {
                   "logs": {
                     "state": "enabled"
                   }
                 },
                 "dcrConfig": {
-                  "streamName": "Custom-AWSNetworkFirewall-AlertLog",
+                  "streamName": "[[parameters('streamName')[0]]",
                   "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
                   "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
                 },
@@ -817,14 +815,14 @@
               "kind": "AmazonWebServicesS3",
               "properties": {
                 "connectorDefinitionName": "AwsNetworkFirewallCcpDefinition",
-                "destinationTable": "AWSNetworkFirewallFlow",
+                "destinationTable": "[[concat(parameters('streamName')[0],'_CL')]",
                 "dataTypes": {
                   "logs": {
                     "state": "enabled"
                   }
                 },
                 "dcrConfig": {
-                  "streamName": "Custom-AWSNetworkFirewall-FlowLog",
+                  "streamName": "[[parameters('streamName')[0]]",
                   "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
                   "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
                 },
@@ -847,14 +845,14 @@
               "kind": "AmazonWebServicesS3",
               "properties": {
                 "connectorDefinitionName": "AwsNetworkFirewallCcpDefinition",
-                "destinationTable": "AWSNetworkFirewallTls",
+                "destinationTable": "[[concat(parameters('streamName')[0],'_CL')]",
                 "dataTypes": {
                   "logs": {
                     "state": "enabled"
                   }
                 },
                 "dcrConfig": {
-                  "streamName": "Custom-AWSNetworkFirewall-TlsLog",
+                  "streamName": "[[parameters('streamName')[0]]",
                   "dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
                   "dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
                 },
