Merge branch 'master' into v-tsawant/ASIM-vimAuthenticationSshd

Author: v-sudkharat

Detections/SigninLogs/AnomalousSingleFactorSignin.yaml

@@ -22,16 +22,16 @@ tags:
 query: |
   let known_locations = (SigninLogs
     | where TimeGenerated between(ago(7d)..ago(1d))
-    | where ResultType == 0
+    | where ResultType != 0
     | extend LocationDetail = strcat(Location, "-", LocationDetails.state)
     | summarize by LocationDetail);
   let known_asn = (SigninLogs
     | where TimeGenerated between(ago(7d)..ago(1d))
-    | where ResultType == 0
+    | where ResultType != 0
     | summarize by AutonomousSystemNumber);
   SigninLogs
   | where TimeGenerated > ago(1d)
-  | where ResultType == 0
+  | where ResultType != 0
   | where isempty(DeviceDetail.deviceId)
   | where AuthenticationRequirement == "singleFactorAuthentication"
   | extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)
@@ -60,7 +60,7 @@ entityMappings:
         columnName: AppId
       - identifier: Name
         columnName: AppDisplayName
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
 metadata:
     source:

Parsers/ASimNetworkSession/ARM/ASimNetworkSessionCiscoMerakiSyslog/ASimNetworkSessionCiscoMerakiSyslog.json

@@ -1,7 +1,7 @@
 Parser:
   Title: Network Session ASIM parser for Cisco Meraki
-  Version: '1.2.1'
-  LastUpdated: Jul 19, 2024
+  Version: '1.2.2'
+  LastUpdated: Nov 23, 2025
 Product:
   Name: Cisco Meraki
 Normalization:
@@ -157,14 +157,20 @@ ParserQuery: |
                 | project-rename LogMessage =  SyslogMessage
                 );
         let PreFilteredData = allData
-            | where not(disabled) and (LogMessage has_any("flows", "firewall", "ids-alerts") or LogMessage has_all("security_event", "ids-alerted") or (LogMessage has "events" and (LogMessage has_any ("Blocked DHCP server response", "association") or (LogMessage has "VRRP packet" and not(LogMessage has_any ("VRRP passive", "VRRP active"))) or (LogMessage has "disassociation" and not(LogMessage has_any ("auth_neg_failed", "dhcp"))))) or (LogMessage has "airmarshal_events" and LogMessage has_any("ssid_spoofing_detected", "rogue_ssid_detected")))
+            | where not(disabled) and (
+                LogMessage has_any("flows", "firewall", "ids-alerts", "cellular_firewall", "vpn_firewall", "ip_flow_start", "ip_flow_end") 
+                or LogMessage has_all("security_event", "ids-alerted") 
+                or LogMessage has_all("security_event", "ids_alerted")
+                or (LogMessage has "events" and (LogMessage has_any ("Blocked DHCP server response", "association") or (LogMessage has "VRRP packet" and not(LogMessage has_any ("VRRP passive", "VRRP active"))) or (LogMessage has "disassociation" and not(LogMessage has_any ("auth_neg_failed", "dhcp"))))) 
+                or (LogMessage has "airmarshal_events" and LogMessage has_any("ssid_spoofing_detected", "rogue_ssid_detected"))
+            )
             | extend Parser = extract_all(@"(\d+.\d+)\s([\w\-\_]+)\s([\w\-\_]+)\s([\S\s]+)$", dynamic([1, 2, 3, 4]), LogMessage)[0]
             | extend
                 LogType = tostring(Parser[2]),
                 Substring = tostring(Parser[3]);
         let FlowsFirewallData = PreFilteredData
-            | where LogType in ("flows", "firewall", "cellular_firewall", "vpn_firewall")
-            | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=" ", kv_delimiter="=", quote="'")
+            | where LogType in ("flows", "firewall", "cellular_firewall", "vpn_firewall", "ip_flow_start", "ip_flow_end")
+            | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int, translated_dst_ip: string, translated_port: string) with (pair_delimiter=" ", kv_delimiter="=", quote="'")
             | parse Substring with pattern1: string " src=" temp_restmessage: string
             | parse Substring with * "pattern: " pattern2: string " " temp_restmessage: string
             | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))
@@ -182,7 +188,7 @@ ParserQuery: |
         let IDSAlertData = PreFilteredData
             | where LogType in ("ids-alerts", "security_event")
             | parse LogMessage with * "security_event " LogSubType: string " " * "message: " message: string 
-            | where LogType == "security_event" and LogSubType == "ids-alerted" or LogType == "ids-alerts"
+            | where LogType == "security_event" and (LogSubType == "ids-alerted" or LogSubType == "ids_alerted") or LogType == "ids-alerts"
             | parse-kv Substring as(priority: string, timestamp: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=" ", kv_delimiter="=", quote="'")
             | extend EventResult = "Success"
             | extend
@@ -285,11 +291,11 @@ ParserQuery: |
                         )
         | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)
         | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has ".", split(temp_srcipport, ":")[1], SrcPortNumber))
-        | extend temp_dstipport = coalesce(dst, dns_server)
+        | extend temp_dstipport = coalesce(dst, dns_server, translated_dst_ip)
         | extend temp_dstipport =  trim('"', temp_dstipport)
         | parse temp_dstipport with * "[" temp_dstip "]:" temp_dstport
         | extend DstIpAddr = iff(temp_dstipport has ".", split(temp_dstipport, ":")[0], coalesce(temp_dstip, temp_dstipport))
-        | extend DstPortNumber = toint(coalesce(dport, temp_dstport))
+        | extend DstPortNumber = toint(coalesce(dport, temp_dstport, translated_port))
         | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has ".", split(temp_dstipport, ":")[1], DstPortNumber))
         | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, "", SrcIpAddr)
         | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, "", DstIpAddr)
@@ -348,6 +354,8 @@ ParserQuery: |
             dns_server,
             sport,
             dport,
+            translated_dst_ip,
+            translated_port,
             *_lookup,
             type*,
             pattern*,
@@ -383,4 +391,5 @@ ParserQuery: |
             HostIP,
             ProcessName,CollectorHostName,NetworkProtocolNumber
     };
-    parser(disabled=disabled)
+    parser(disabled=disabled)
+    

Parsers/ASimNetworkSession/ARM/vimNetworkSessionCiscoMerakiSyslog/vimNetworkSessionCiscoMerakiSyslog.json

@@ -1,7 +1,7 @@
 Parser:
   Title: Network Session ASIM filtering parser for Cisco Meraki
-  Version: '1.2.1'
-  LastUpdated: Jul 19, 2024
+  Version: '1.2.2'
+  LastUpdated: Nov 23, 2025
 Product:
   Name: Cisco Meraki
 Normalization:
@@ -197,7 +197,13 @@ ParserQuery: |
               );
       let PreFilteredData = allData
           | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime)
-              and (isnull(endtime) or TimeGenerated <= endtime) and (LogMessage has_any("flows", "firewall", "ids-alerts") or LogMessage has_all("security_event", "ids-alerted") or (LogMessage has "events" and (LogMessage has_any ("Blocked DHCP server response", "association") or (LogMessage has "VRRP packet" and not(LogMessage has_any ("VRRP passive", "VRRP active"))) or (LogMessage has "disassociation" and not(LogMessage has_any ("auth_neg_failed", "dhcp"))))) or (LogMessage has "airmarshal_events" and LogMessage has_any("ssid_spoofing_detected", "rogue_ssid_detected")))
+              and (isnull(endtime) or TimeGenerated <= endtime) and (
+                  LogMessage has_any("flows", "firewall", "ids-alerts", "cellular_firewall", "vpn_firewall", "ip_flow_start", "ip_flow_end") 
+                  or LogMessage has_all("security_event", "ids-alerted") 
+                  or LogMessage has_all("security_event", "ids_alerted")
+                  or (LogMessage has "events" and (LogMessage has_any ("Blocked DHCP server response", "association") or (LogMessage has "VRRP packet" and not(LogMessage has_any ("VRRP passive", "VRRP active"))) or (LogMessage has "disassociation" and not(LogMessage has_any ("auth_neg_failed", "dhcp"))))) 
+                  or (LogMessage has "airmarshal_events" and LogMessage has_any("ssid_spoofing_detected", "rogue_ssid_detected"))
+              )
           | extend Parser = extract_all(@"(\d+.\d+)\s([\w\-\_]+)\s([\w\-\_]+)\s([\S\s]+)$", dynamic([1, 2, 3, 4]), LogMessage)[0]
           | extend
               LogType = tostring(Parser[2]),
@@ -214,8 +220,8 @@ ParserQuery: |
               and ((isnull(dstportnumber)) or Substring has tostring(dstportnumber))
               and (array_length(dvcaction) == 0 or LogMessage has_any (dvcaction));
       let FlowsFirewallData = PreFilteredData
-          | where LogType in ("flows", "firewall", "cellular_firewall", "vpn_firewall")
-          | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int) with (pair_delimiter=" ", kv_delimiter="=", quote="'")
+          | where LogType in ("flows", "firewall", "cellular_firewall", "vpn_firewall", "ip_flow_start", "ip_flow_end")
+          | parse-kv Substring as(src: string, dst: string, mac: string, sport: string, dport: string, protocol: string, type: int, translated_dst_ip: string, translated_port: string) with (pair_delimiter=" ", kv_delimiter="=", quote="'")
           | parse Substring with pattern1: string " src=" temp_restmessage: string
           | parse Substring with * "pattern: " pattern2: string " " temp_restmessage: string
           | extend NetworkIcmpCode_lookup = iff(protocol == 'icmp6', type, int(null))
@@ -234,7 +240,7 @@ ParserQuery: |
       let IDSAlertData = PreFilteredData
           | where LogType in ("ids-alerts", "security_event")
           | parse LogMessage with * "security_event " LogSubType: string " " * "message: " message: string 
-          | where LogType == "security_event" and LogSubType == "ids-alerted" or LogType == "ids-alerts"
+          | where LogType == "security_event" and (LogSubType == "ids-alerted" or LogSubType == "ids_alerted") or LogType == "ids-alerts"
           | parse-kv Substring as(priority: string, direction: string, protocol: string, src: string, dst: string, signature: string, dhost: string, shost: string) with (pair_delimiter=" ", kv_delimiter="=", quote="'")
           | extend EventResult = "Success"
           | extend
@@ -332,10 +338,10 @@ ParserQuery: |
                       )
       | extend SrcPortNumber = iff(isempty(SrcPortNumber), toint(coalesce(sport, temp_srcport)), SrcPortNumber)
       | extend SrcPortNumber = toint(iff(isempty(SrcPortNumber) and SrcIpAddr has ".", split(temp_srcipport, ":")[1], SrcPortNumber))
-      | extend temp_dstipport = trim('"', coalesce(dst, dns_server))
+      | extend temp_dstipport = trim('"', coalesce(dst, dns_server, translated_dst_ip))
       | parse temp_dstipport with * "[" temp_dstip "]:" temp_dstport
       | extend DstIpAddr = iff(temp_dstipport has ".", split(temp_dstipport, ":")[0], coalesce(temp_dstip, temp_dstipport))
-      | extend DstPortNumber = toint(coalesce(dport, temp_dstport))
+      | extend DstPortNumber = toint(coalesce(dport, temp_dstport, translated_port))
       | extend DstPortNumber = toint(iff(isempty(DstPortNumber) and DstIpAddr has ".", split(temp_dstipport, ":")[1], DstPortNumber))
       | extend SrcIpAddr = iff(SrcIpAddr == SrcMacAddr, "", SrcIpAddr)
       | extend DstIpAddr = iff(DstIpAddr == DstMacAddr, "", DstIpAddr)
@@ -405,6 +411,8 @@ ParserQuery: |
           dns_server,
           sport,
           dport,
+          translated_dst_ip,
+          translated_port,
           *_lookup,
           type*,
           pattern*,