Merge pull request #186286 from oshezaf/asim/update-for-built-in-network-and-proxy

tamarakhader · web-flow · commit 3ac0ecbfe7a6 · 2022-02-07T11:27:07.000+02:00
Asim/update for built in network and proxy
diff --git a/articles/sentinel/dns-normalization-schema.md b/articles/sentinel/dns-normalization-schema.md
diff --git a/articles/sentinel/network-normalization-schema.md b/articles/sentinel/network-normalization-schema.md
@@ -28,71 +28,37 @@ The network normalization schema can represent any type of an IP network session
 
 ## Parsers
 
-This section discusses parsers, how to add parsers, and how to filter parser parameters. For more information, see [ASIM parsers](normalization-parsers-overview.md) and [Use ASIM parsers](normalization-about-parsers.md).
+For more information about ASIM parsers, see the [ASIM parsers overview](normalization-parsers-overview.md) and [Use ASIM parsers](normalization-about-parsers.md).
 
 ### Unifying parsers
 
-To use the unifying parsers that unify all of the out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the following KQL functions as the table name in your query. 
-
-Deploy ASIM parsers from the [Microsoft Sentinel GitHub repository](https://aka.ms/DeployASIM).
-
-#### <a name="imnetworksession"></a>imNetworkSession
-
-Aggregative parser that uses *union* to include normalized events from all *network session* sources.
-
-- Update this parser if you want to add or remove sources from source-agnostic analytics. 
-- Use this function in your source-agnostic queries.
-
-#### ASimNetworkSession
-
-Similar to the [imNetworkSession](#imnetworksession) function, but without parameter support, so it doesn't force the **Logs** page time picker to use the `custom` value. 
-
-- Update these parsers if you want to add or remove sources from source-agnostic analytics.
-- Use this function in your source-agnostic queries if you don't plan to use parameters.
-
-#### vimNetworkSession\<vendor\>\<product\>
-
-Source-specific parsers implement normalization for a specific source.
-
-Example: `vimNetworkSessionSysmonLinux`
-
-- Add a source-specific parser for a source when there's no out-of-the-box normalizing parser. Update the `im` aggregative parser to include reference to your new parser.
-- Update a source-specific parser to resolve parsing and normalization issues.
-- Use a source-specific parser for source-specific analytics.
-
-#### ASimNetworkSession\<vendor\>\<product\>
-
-Source-specific parsers implement normalization for a specific source.
-
-Unlike the `vim*` functions, the `ASim*` functions don't support parameters.
-
-- Add a source-specific parser for a source when there's no out-of-the-box normalizing parser. Update the aggregative `ASim` parser to include reference to your new parser.
-- Update a source-specific parser to resolve parsing and normalization issues.
-- Use an `ASim` source-specific parser for interactive queries when not using parameters.
+To use parsers that unify all ASIM out-of-the-box parsers, and ensure that your analysis runs across all the configured sources, use the `_Im_NetworkSession` filtering parser or the `_ASim_NetworkSession` parameter-less parser.
 
+You can also use workspace-deployed `ImNetworkSession` and `ASimNetworkSession` parsers by deploying them from the [Microsoft Sentinel GitHub repository](https://aka.ms/DeployASIM).
 
+For more information, see [built-in ASIM parsers and workspace-deployed parsers](normalization-parsers-overview.md#built-in-asim-parsers-and-workspace-deployed-parsers).
 
 ### Out-of-the-box, source-specific parsers
 
-Microsoft Sentinel provides the following built-in, product-specific Network Session parsers:
+Microsoft Sentinel provides the following out-of-the-box, product-specific Network Session parsers:
 
-| **Name** | **Description** |
-| --- | --- |
-| **Microsoft 365 Defender for Endpoint** | - Parametrized: `vimNetworkSessionMicrosoft365Defender` <br> - Regular: `ASimNetworkSessionMicrosoft365Defender` | 
-| **Microsoft Defender for IoT - Endpoint (MD4IoT)** | - Parametrized: `vimNetworkSessionMD4IoT` <br> - Regular: `ASimNetworkSessionMD4IoT`  |
-| **Microsoft Sysmon for Linux** | - Parametrized: `vimNetworkSessionSysmonLinux`<br> - Regular: `ASimNetworkSessionSysmonLinux`  |
-| **Windows Events Firewall** | Windows firewall activity as represented by using Windows Events 515x, collected by using either the Log Analytics Agent or the Azure Monitor Agent into either the `Event` table or the `WindowsEvent` table.<br><br> - Parametrized: `vimNetworkSessionMicrosoftWindowsEventFirewall` <br> -  Regular: `ASimNetworkSessionMicrosoftWindowsEventFirewall`
-| | |
+| **Source** | **Built-in parsers** | **Workspace deployed parsers** | 
+| --- | --------------------------- | ------------------------------ | 
+| **Microsoft 365 Defender for Endpoint** | `_ASim_NetworkSession_Microsoft365Defender` (regular)<br><br>`_Im_NetworkSession_Microsoft365Defender` (filtering) | `ASimNetworkSessionMicrosoft365Defender` (regular)<br><br> `vimNetworkSessionMicrosoft365Defender` (filtering) |
+| **Microsoft Defender for IoT - Endpoint** |`_ASim_NetworkSession_MD4IoT` (regular)<br><br>`_Im_NetworkSession_MD4IoT` (filtering) | `ASimNetworkSessionMD4IoT` (regular)<br><br> `vimNetworkSessionMD4IoT` (filtering) |
+| **Sysmon for Linux**  (event 3)<br> Collected using the Log Analytics Agent<br> or the Azure Monitor Agent |`_ASim_NetworkSession_LinuxSysmon` (regular)<br><br>`_Im_NetworkSession_LinuxSysmon` (filtering) | `ASimNetworkSessionLinuxSysmon` (regular)<br><br> `vimNetworkSessionLinuxSysmon` (filtering) |
+| **Windows Firewall**<br>Collected using the Log Analytics Agent (Event table) or Azure Monitor Agent (WindowsEvent table). Supports Windows events 5150 to 5159. |`_ASim_NetworkSession_`<br>`MicrosoftWindowsEventFirewall` (regular)<br><br>`_Im_NetworkSession_`<br>`MicrosoftWindowsEventFirewall` (filtering) | `ASimNetworkSession`<br>`MicrosoftWindowsEventFirewall` (regular)<br><br> `vimNetworkSession`<br>`MicrosoftWindowsEventFirewall` (filtering) |
+| **Palo Alto PanOS** collected using CEF |`_ASim_NetworkSession_PaloAltoCEF` (regular)<br> `_Im_NetworkSession_PaloAltoCEF` (filtering)  | `ASimNetworkSessionPaloAltoCEF` (regular)<br> `vimNetworkSessionPaloAltoCEF` (filtering)  |
+| **Zscaler ZIA** |`_ASim_NetworkSessionZscalerZIA` (regular)<br> `_Im_NetworkSessionZscalerZIA` (filtering)  | `AsimNetworkSessionZscalerZIA` (regular)<br> `vimNetowrkSessionSzcalerZIA` (filtering)  |
+| | | | 
 
 ### Add your own normalized parsers
 
-When you implement custom parsers for the Network Session information model, name your KQL functions by using the following syntax:
+When implementing custom parsers for the Network Session information model, name your KQL functions using the following syntax:
 
 - `vimNetworkSession<vendor><Product>` for parametrized parsers
 - `ASimNetworkSession<vendor><Product>` for regular parsers
 
-Then, add the new parser to `imNetworkSession` or `ASimNetworkSession`, respectively.
-
 ### Filtering parser parameters
 
 The `im` and `vim*` parsers support [filtering parameters](normalization-about-parsers.md#optimized-parsers). While these parsers are optional, they can improve your query performance.
@@ -115,7 +81,7 @@ For example, to filter only web sessions for a specified list of domain names, u
 
 ```kql
 let torProxies=dynamic(["tor2web.org", "tor2web.com", "torlink.co",...]);
-imNetworkSession (hostname_has_any = torProxies)
+_Im_NetworkSession (hostname_has_any = torProxies)
 ```
 
 ## Schema details
@@ -218,7 +184,7 @@ The following fields are common to all network session activity logging:
 | **SrcGeoLongitude** | Optional | Longitude | The longitude of the geographical coordinate associated with the source IP address.<br><br>Example: `73.211944` |
 | **NetworkApplicationProtocol** | Optional | String | The application layer protocol used by the connection or session. If the [DstPortNumber](#dstportnumber) value is provided, we recommend that you include **NetworkApplicationProtocol** too. If the value isn't available from the source, derive the value from the [DstPortNumber](#dstportnumber) value.<br><br>Example: `FTP` |
 | **NetworkProtocol** | Optional | Enumerated | The IP protocol used by the connection or session as listed in [IANA protocol assignment](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml), which is typically `TCP`, `UDP`, or `ICMP`.<br><br>Example: `TCP` |
-| **NetworkDirection** | Optional | Enumerated | The direction of the connection or session, into or out of the organization. Supported values include `Inbound`, `Outbound`, and `Listen`. The `Listen` value indicates that a device has started accepting network connections but isn't actually, necessarily, connected.|
+| **NetworkDirection** | Optional | Enumerated | The direction of the connection or session, into or out of the organization. Supported values include `Inbound`, `Outbound`, `Listen`, and `Unknown`. The `Listen` value indicates that a device has started accepting network connections but isn't actually, necessarily, connected.|
 | <a name="networkduration"></a>**NetworkDuration** | Optional | Integer | The amount of time, in milliseconds, for the completion of the network session or connection.<br><br>Example: `1500` |
 | **Duration** | Alias | | Alias to [NetworkDuration](#networkduration). |
 | **NetworkIcmpCode** | Optional | Integer | For an ICMP message, the ICMP message type numeric value as described in [RFC 2780](https://datatracker.ietf.org/doc/html/rfc2780) for IPv4 network connections, or in [RFC 4443](https://datatracker.ietf.org/doc/html/rfc4443) for IPv6 network connections. If a [NetworkIcmpType](#networkicmptype) value is provided, this field is mandatory. If the value isn't available from the source, derive the value from the [NetworkIcmpType](#networkicmptype) field instead.<br><br>Example: `34` |
diff --git a/articles/sentinel/normalization-about-parsers.md b/articles/sentinel/normalization-about-parsers.md
@@ -47,10 +47,10 @@ The following table lists unifying parsers available:
 | Authentication | | | imAuthentication | ASimAuthentication |
 | Dns | _Im_Dns | _ASim_Dns | imDns | ASimDns |
 | File Event | | |  | imFileEvent |
-| Network Session |  |  | imNetworkSession | ASimNetworkSession |
+| Network Session | _Im_NetworkSession | _ASim_NetworkSession | imNetworkSession | ASimNetworkSession |
 | Process Event | | | | - imProcess<br> - imProcessCreate<br> - imProcessTerminate |
 | Registry Event | | | | imRegistry |
-| Web Session | | | imWebSession | ASimWebSession | 
+| Web Session | _Im_WebSession | _ASim_WebSession | imWebSession | ASimWebSession | 
 | | | | | 
 
 
diff --git a/articles/sentinel/normalization-about-schemas.md b/articles/sentinel/normalization-about-schemas.md
@@ -108,7 +108,7 @@ The following fields are defined by ASIM for all schemas:
 | **EventReportUrl**      | Optional    | String     | A URL provided in the event for a resource that provides more information about the event.|
 | <a name="dvc"></a>**Dvc** | Mandatory       | String     | A unique identifier of the device on which the event occurred or which reported the event, depending on the schema. <br><br>This field might alias the [DvcFQDN](#dvcfqdn), [DvcId](#dvcid), [DvcHostname](#dvchostname), or [DvcIpAddr](#dvcipaddr) fields. For cloud sources, for which there is no apparent device, use the same value as the [Event Product](#eventproduct) field.            |
 | <a name ="dvcipaddr"></a>**DvcIpAddr**           | Recommended | IP address | The IP address of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `45.21.42.12`    |
-| <a name ="dvchostname"></a>**DvcHostname**         | Recommended | Hostname   | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc.Contoso.Azure`               |
+| <a name ="dvchostname"></a>**DvcHostname**         | Recommended | Hostname   | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br>Example: `ContosoDc`               |
 | <a name="dvcdomain"></a>**DvcDomain** | Recommended | String | The domain of the device on which the event occurred or which reported the event, depending on the schema.<br><br>Example: `Contoso` |
 | <a name="dvcdomaintype"></a>**DvcDomainType** | Recommended | Enumerated | The type of  [DvcDomain](#dvcdomain), if known. Possible values include:<br>- `Windows`, such as for `contoso\mypc`<br>- `FQDN`, such as for `docs.microsoft.com`<br><br>**Note**: This field is required if the [DvcDomain](#dvcdomain) field is used. |
 | <a name="dvcfqdn"></a>**DvcFQDN** | Optional | String | The hostname of the device on which the event occurred or which reported the event, depending on the schema. <br><br> Example: `Contoso\DESKTOP-1282V4D`<br><br>**Note**: This field supports both traditional FQDN format and Windows domain\hostname format. The  [DvcDomainType](#dvcdomaintype) field reflects the format used.  |
diff --git a/articles/sentinel/normalization-develop-parsers.md b/articles/sentinel/normalization-develop-parsers.md
@@ -83,6 +83,32 @@ Filtering in KQL is done using the `where` operator. For example, **Sysmon event
 Event | where Source == "Microsoft-Windows-Sysmon" and EventID == 1
 ```
 
+#### Filtering by source type using a Watchlist
+
+In some cases, the event itself does not contain information that would allow filtering for specific source types.
+
+For example, Infoblox DNS events are sent as Syslog messages, and are hard to distinguish from Syslog messages sent from other sources. In such cases, the parser relies on a list of sources that defines the relevant events. This list is maintained in the **ASimSourceType** watchlist.
+
+**To use the ASimSourceType watchlist in your parsers**:
+
+1. Include the following line at the beginning of your parser:
+
+```KQL
+  let Sources_by_SourceType=(sourcetype:string){_GetWatchlist('ASimSourceType') | where SearchKey == tostring(sourcetype) | extend Source=column_ifexists('Source','') | where isnotempty(Source)| distinct Source };
+```
+
+2. Add a filter that uses the watchlist in the parser filtering section. For example, the Infoblox DNS parser includes the following in the filtering section:
+
+```KQL
+  | where Computer in (Sources_by_SourceType('InfobloxNIOS'))
+```
+
+To use this sample in your parser:
+
+ * Replace `Computer` with the name of the field that includes the source information for your source. You can keep this as `Computer` for any parsers based on Syslog.
+
+ * Replace the `InfobloxNIOS` token with a value of your choice for your parser. Inform parser users that they must update the `ASimSourceType` watchlist using your selected value, as well as the list of sources that send events of this type.
+
 #### Filtering based on parser parameters
 
 When developing [filtering parsers](normalization-about-parsers.md#optimized-parsers), make sure that your parser accepts the filtering parameters for the relevant schema, as documented in the reference article for that schema. Using an existing parser as a starting point ensures that your parser includes the correct function signature. In most cases, the actual filtering code is also similar for filtering parsers for the same schema.
diff --git a/articles/sentinel/normalization-manage-parsers.md b/articles/sentinel/normalization-manage-parsers.md
@@ -27,6 +27,8 @@ You may need to manage the source-specific parsers used by each unifying parser
 
   - Use a modified version of a built-in parser.
 
+- **Configure a source-specific parser**, for example to define the sources that send information relevant to the parser.
+
 This article guides you through managing your parsers, whether using built-in, unifying ASIM parsers or workspace-deployed unifying parsers. 
 
 > [!IMPORTANT]
@@ -49,7 +51,9 @@ Microsoft Sentinel users cannot edit built-in unifying parsers. Instead, use the
 
     You can deploy initial, empty, unifying custom parsers to your Microsoft Sentinel workspace for all supported schemas, or individually for specific schemas. For more information, see [Deploy initial ASIM empty custom unifying parsers](https://aka.ms/ASimDeployEmptyCustomUnifyingParsers) in the Microsoft Sentinel GitHub repository.
 
-- **To support excluding built-in source-specific parsers**, ASIM uses a watchlist. Deploy the watchlist to your Microsoft Sentinel workspace from the Microsoft Sentinel [GitHub](https://aka.ms/DeployASimExceptionWatchlist) repository.
+- **To support excluding built-in source-specific parsers**, ASIM uses a watchlist. Deploy the watchlist to your Microsoft Sentinel workspace from the Microsoft Sentinel [GitHub](https://aka.ms/DeployASimWatchlists) repository.
+
+- **To define source type for built-in and custom parsers**, ASIM uses a watchlist. Deploy the watchlist to your Microsoft Sentinel workspace from the Microsoft Sentinel [GitHub](https://aka.ms/DeployASimWatchlists) repository.
 
 ### Add a custom parser to a built-in unifying parser
 
@@ -62,6 +66,8 @@ The syntax of the line to add is different for each schema:
 | Schema | Filtering  parser | Parameter&#8209;less&nbsp;parser | 
 | ------ | ---------------------------------------- | --------------------- |
 | DNS    | **Name**: `Im_DnsCustom`<br><br> **Line to add**:<br> `_parser_name_ (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype)` | **Name**: `ASim_DnsCustom`<br><br> **Line to add**:<br> `_parser_name_` |
+| NetworkSession    | **Name**: `Im_NetworkSessionCustom`<br><br> **Line to add**:<br> `_parser_name_  (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult)` | **Name**: `ASim_NetworkSessionCustom`<br><br> **Line to add**:<br> `_parser_name_` |
+| WebSession    | **Name**: `Im_WebSessionCustom`<br><br> **Line to add**:<br> `_parser_name_ (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)` | **Name**: `ASim_WebSessionCustom`<br><br> **Line to add**:<br> `_parser_name_` |
 | | |
 
 When adding an additional parser to a unifying custom parser that already references parsers, make sure you add a comma at the end of the previous line. 
@@ -168,6 +174,12 @@ For example, the following code shows a DNS filtering unifying parser, having re
   Generic( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype)
 ```
 
+## Configure the sources relevant to a source-specific parser
+
+Some parsers requires you to update the list of sources that are relevant to the parser. For example, a parser that uses Syslog data, may not be able to determine what Syslog events are relevant to the parser. Such a parser may use the ASimSourceType watchlist to determine which sources send information relevant to the parser. For such parses add a record for each relevant source to the watchlist:
+- Set the `SourceType` field to the parser specific value specified in the parser documentation. 
+- Set the `Source` field to the identifier of the source used in the events. You may need to query the original table, such as Syslog, to determine the correct value.
+
 ## <a name="next-steps"></a>Next steps
 
 This article discusses managing the Advanced SIEM Information Model (ASIM) parsers.
diff --git a/articles/sentinel/web-normalization-schema.md b/articles/sentinel/web-normalization-schema.md
