23 commits
3c8a2ca
DraftPR-ASIMCiscoMeraki
v-sudkharat May 28, 2025
1f039c1
[ASIM Parsers] Generate deployable ARM templates from KQL function YA…
May 28, 2025
6a7e67a
updated lastupdate dates
v-sudkharat May 29, 2025
370e121
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat May 29, 2025
f80d3c1
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 13, 2025
3c545e9
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 17, 2025
da04d4b
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 17, 2025
606cdfd
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 18, 2025
9c2a383
Testing kql validations
v-sudkharat Jun 24, 2025
ee0ef7e
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 24, 2025
d797ad3
Update Cisco_Meraki_WebSession_IngestedLogs.csv
v-sudkharat Jun 24, 2025
4d4dec7
Update Cisco_Meraki_WebSession_IngestedLogs.csv
v-sudkharat Jun 24, 2025
edb6765
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 24, 2025
131f128
Update Cisco_Meraki_WebSession_IngestedLogs.csv
v-sudkharat Jun 24, 2025
2a223db
Update Cisco_Meraki_WebSession_IngestedLogs.csv
v-sudkharat Jun 26, 2025
5b043a2
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 26, 2025
4b44ca4
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Jun 26, 2025
7d292e3
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Sep 15, 2025
a4c052f
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Oct 14, 2025
efaa3b9
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Oct 14, 2025
7b4e324
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sudkharat Nov 13, 2025
82c2b46
Merge branch 'master' into v-sudkharat/DraftPR-ASIMCiscoMeraki
v-sabiraj Nov 13, 2025
5cd77d1
Update LastUpdated date in Cisco Meraki parsers
v-sabiraj Nov 13, 2025
Expand Up @@ -27,7 +27,7 @@
"displayName": "Web Session ASIM filtering parser for Cisco Meraki",
"category": "ASIM",
"FunctionAlias": "ASimWebSessionCiscoMeraki",
"query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(disabled: bool=false) {\n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend\n disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, 
agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | extend agent = trim(\"'\", agent)\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | extend\n EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n ),\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId \n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"WebSession\",\n 
EventSchemaVersion = \"0.2.6\"\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(disabled=disabled)",
"query": "let ActionLookup = datatable (action: string, DvcAction: string, EventResult: string, EventSeverity: string) [\n 'allow', 'Allow', 'Success', 'Informational',\n 'log', 'Allow', 'Success', 'Informational',\n 'accept', 'Allow', 'Success', 'Informational',\n 'block', 'Deny', 'Failure', 'Low',\n 'deny', 'Deny', 'Failure', 'Low',\n 'quarantine', 'Deny', 'Failure', 'Low'\n ];\n let parser=(disabled: bool=false) {\n let allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\n let PreFilteredData = allData\n | where not(disabled) and (LogMessage has \"urls\" or LogMessage has_all(\"security_event\", \"security_filtering_file_scanned\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType in (\"security_event\", \"urls\");\n let SecurityEventData = PreFilteredData\n | where LogType == \"security_event\"\n | parse Substring with LogSubType: string \" \" temp_RestMessage: string\n | where LogSubType == \"security_filtering_file_scanned\"\n | parse-kv Substring as (disposition: string, action: string, sha256: string, name: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | parse Substring with * \" sha256\" fsha256: string \" \"restmessage: string\n | extend\n disposition = trim('\"', disposition),\n action = trim('\"', action),\n sha256 = trim('\"', sha256),\n fsha256 = trim('\"', fsha256),\n name = trim('\"', name)\n | lookup ActionLookup on action;\n let UrlsData = PreFilteredData\n | where LogType == \"urls\"\n | parse Substring with * \"request:\" request: string \" \" urls: string;\n union SecurityEventData, UrlsData\n | parse-kv Substring as (src: string, dst: string, url: string, mac: string, 
agent: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend\n src = trim('\"', src),\n dst = trim('\"', dst)\n | parse src with * \"[\" temp_srcip: string \"]:\" temp_srcport: string\n | parse dst with * \"[\" temp_dstip: string \"]:\" temp_dstport: string\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend\n EventStartTime = unixtime_seconds_todatetime(tolong(split(Epoch, \".\")[0]))\n | extend agent = trim(\"'\", agent)\n | extend\n agent= trim('\"', agent),\n mac = trim('\"', mac),\n url = trim('\"', url),\n urls = trim('\"', urls)\n | extend Url = coalesce(url, urls)\n | extend\n EventResult=case(\n LogType == \"urls\", \"Success\",\n isempty(EventResult), \"NA\",\n EventResult \n ),\n EventSeverity=case(\n DvcAction == \"Deny\" and disposition == \"malicious\",\n \"Medium\",\n DvcAction == \"Allow\" and disposition == \"malicious\",\n \"High\",\n isnotempty(EventSeverity), EventSeverity,\n \"Informational\"\n )\n | extend SrcIpAddr = iff(\n src has \".\",\n split(src, \":\")[0], \n coalesce(temp_srcip, src)\n )\n | extend SrcPortNumber = toint(\n iff (\n src has \".\",\n split(src, \":\")[1],\n temp_srcport\n )\n )\n | extend DstIpAddr = iff(\n dst has \".\",\n split(dst, \":\")[0], \n coalesce(temp_dstip, dst)\n )\n | extend DstPortNumber = toint(\n iff (\n dst has \".\",\n split(dst, \":\")[1],\n temp_dstport\n )\n )\n | extend\n EventType = \"HTTPsession\",\n HttpUserAgent = agent,\n HttpRequestMethod = request,\n FileSHA256 = coalesce(sha256, fsha256),\n FileName = name,\n DvcMacAddr = mac,\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId \n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dst = DstIpAddr,\n Src = SrcIpAddr,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n EventEndTime = EventStartTime\n | extend\n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"WebSession\",\n 
EventSchemaVersion = \"0.2.6\"\n | extend \n ManagementGroupName = column_ifexists('ManagementGroupName', ''),\n RawData = column_ifexists('RawData', '')\n | project-away\n LogMessage,\n Parser,\n LogType,\n LogSubType,\n Epoch,\n Device,\n src,\n dst,\n mac,\n url,\n urls,\n disposition,\n action,\n request,\n name,\n sha256,\n fsha256,\n agent,\n restmessage,\n temp*,\n Substring,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(disabled=disabled)\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
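Review bot: The `column_ifexists` guards in the query string at L102–104 (which reads as the new side) cover only `ManagementGroupName` and `RawData`, while the same `project-away` list still names other columns that come only from the `Syslog` branch of the `union isfuzzy=true` — `MG`, `EventTime`, `Facility`, `HostName`, `SeverityLevel`, `ProcessID`, `HostIP`, `ProcessName` — and nothing on the page explains why those two need a guard and the rest do not. If the distinction is that those two columns are no longer guaranteed in the Syslog schema while the others remain, that rationale belongs in the KQL YAML this ARM template is generated from, since the JSON carries no comments; something like `# ManagementGroupName/RawData are not guaranteed in Syslog; column_ifexists keeps project-away from failing on a missing column`. Separately, `EventUid = _ResourceId` assigns the sending resource's id as the event identifier, so every event from one source shares the same EventUid; if a per-row identifier is intended, `_ItemId` is the usual column, but confirm against the ASIM WebSession schema version this parser declares (`0.2.6`). Because the whole query is a single JSON string on both sides, the diff cannot show which part changed, so a one-line note on the change in the YAML source would help future reviewers.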