Fortinet FortiGate WebSession Parsers Parsing Fix & Additions

[t-pol]

Required items, please complete

Change(s):

• Update kql ASimWebSessionFortinetFortiGate.yaml
• Update kql vimWebSessionFortinetFortiGate.yaml

Reason for Change(s):

• When there is no User Agent string in AdditionalExtensions, the parsing of HttpRequestMethod fails.
  Incorrect parsing of HttpRequestMethod and HttpUserAgent.
  

• Adding NetworkApplicationProtocol field in the project-rename. (Optional field in the parser, but it exists in FortiGate logs)

Testing Completed:

• Yes

Checked that the validations are passing and have addressed any issues that are present:

• No

[t-pol]

@microsoft-github-policy-service agree

[v-atulyadav]

Hi @t-pol,
PR is having validation failures please check. Thanks

[v-atulyadav]

Hi @t-pol,
Please investigate the failed validations. Thanks

[t-pol]

The issues have been fixed. Thanks

[v-atulyadav]

Thanks @t-pol.

[t-pol]

Hello, is there any feedback regarding the parser ?

[Alekhya0824]

can you please add tester files after testing
this is the documentation to add schema tester and data tester https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#test-parsers
These schema tester and data tester files can add under Tests files

[v-atulyadav]

Hi @t-pol, please check above comments from @Alekhya0824 and act accordingly. Thanks

[v-atulyadav]

Hi @t-pol,
Please respond on above asks. Thanks

[t-pol]

Hello,
Apologies for the late response.
The only pending error is in the input parameter "eventresultdetails_in".
Based on the documentation https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web
EventResultDetails field, which typically reports the HTTP Status Code.
However, Fortigate does not populate http status code so far. Due to this EventResultDetails has alreardy been set as N/A to the existing parsers. Unfortunately, i can not fix this issue.
Thanks.

[vakohl]

@t-pol Thankyou for your updates. Can we try below?

1. Remove this mapping from both ASIM and VIM=> | extend EventResultDetails = "NA"
2. Remove this mapping from both ASIM and VIM=> HttpStatusCode = EventResultDetails
3. In the vim file use filter => | where (array_length(eventresultdetails_in) == 0
4. Remove filter=> | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))

[t-pol]

Changes have been applied.
Thanks

[v-atulyadav]

Hi @t-pol,
The validations associated with this pull request are not progressing. Please ensure you have the latest updates from the master branch. Thanks

[v-atulyadav]

Hi @t-pol,
Thank you for your reply. Please review one of the validations that did not pass. Thanks

[t-pol]

Hello @v-atulyadav , I have fixed the pending issues. Please proceed and check the pr.
Thanks

[t-pol]

Hello @v-atulyadav @vakohl , I have fixed the pending issues. Please proceed and check the pr.
Thanks

[v-atulyadav]

Hi @t-pol,
Please address one of the checks that did not pass. Thanks

[t-pol]

It is not an error to the parser or the changes that i have performed.

 Error: AADSTS7002138: No matching federated identity record found for presented assertion subject 'repo:Azure/Azure-Sentinel:pull_request'. 

Please check the relevant error.
Thanks

[vakohl]

Closing this PR, as same changes are being done using different PR.
#12312