
Added SonicWall ASIM Network Session parser #9592

Merged
merged 47 commits into from
Mar 11, 2024

Conversation

jaimeesc
Contributor

Change(s):

  • Added SonicWall Firewall Network Session parser.

Reason for Change(s):

  • Submitting parsers and other content to the repository.

Version Updated:

  • No?
  • New ASIM parser submission.

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes. There are some minor errors with expected strings (such as the vendor) that were not in the source data used by the ASIM tester.

Added ASIM Network Session parser files.
Added ASIM Network Session parser files.
Added ASIM Network Session parser data/schema test files.
Added ASIM Network Session sample data from SonicWall.
@jaimeesc
Contributor Author

jaimeesc commented Jan 9, 2024

Hi, I was just wondering what happens next and how soon we would see a response on this PR. Unfortunately, it is holding up another PR. They all go together, but I was asked to split them into separate PRs. Thanks.

@vakohl
Contributor

vakohl commented Jan 10, 2024

@jaimeesc I'll perform the initial review and provide comments by end of this week.

@jaimeesc
Contributor Author

Thank you!

@v-atulyadav
Contributor

Hi @jaimeesc,
There are some changes that Varun has suggested; please take a look at them. Thanks

@v-atulyadav
Contributor

Hi @jaimeesc,
Please look into the open comments. Thanks

@jaimeesc
Contributor Author

Hi, I added some comments to some of the requested changes. Can you please help take a look? Thanks!

@jaimeesc
Contributor Author

I see new comments. Looking at them now. Thank you!

@vakohl
Contributor

vakohl commented Feb 28, 2024

@jaimeesc sorry for more comments, but I feel further changes are needed in the 'AdditionalFields'. Can you take a look?

@jaimeesc
Contributor Author

With the assumption there will be more of my fields in question, I am looking for ways to fit the data into relevant fields.

One field in particular in AdditionalFields is "AppID". This field contains the Application's ID from our App Control service. App Control has Signatures (each with a name and ID) which are grouped into Applications (each with a name and ID), and are further grouped under Categories (each with a name and ID). There are not enough relevant fields in the schema to fit these and I am already using the most relevant fields. Additionally, some fields like AppID are populated along with a Signature ID so I cannot coalesce() some of them without causing confusion or losing some data.

Much of the same can apply to the AppRule* fields I added to AdditionalFields. There are not enough relevant rule-related fields in the schema for 1) the different rule types and 2) the data related to the rule. The firewall access rule information currently uses the "NetworkRuleName" field. This field can be populated at the same time as the AppRule* fields, so I can't just choose one or the other.

@jaimeesc
Contributor Author

jaimeesc commented Mar 4, 2024

I see that ASimTester.csv shows one large change again. The file in the master branch had been updated recently, so I copied the content of the file and pasted it into my copy of ASimTester.csv. I then made my changes before committing the file. Most of the changes shown are actually from the master file's changes--not my changes.

You should be able to see all of the changes here:
jaimeesc@4bfb1bb

That file was updated today so I will re-do the process I outlined in hopes that it corrects conflict by being in sync with the current master copy.

@jaimeesc
Contributor Author

jaimeesc commented Mar 4, 2024

It still says there's a conflict. I made 3 changes for SonicWall. Any other changes are not mine. They are the result of the updates in the master file.

Here are my changes:
EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF|ASM|NetScaler|Firepower|Cortex Data Lake|Firewall,

EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall,

EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr|Citrix|F5|SonicWall,
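The three rows above are the ASimTester.csv enumeration rows the PR touches: the tester rejects any parsed record whose EventVendor or EventProduct is not in the pipe-separated list for that schema, which is what produced the "expected strings (such as the vendor)" errors mentioned in the PR description. The following is an added example, not code from this PR or from the Azure-Sentinel repository. It loads those three rows (the header line and column names are assumed, as is exact string matching), checks sample records the way the tester would, and appends a vendor to one row without touching any other row, the minimal change that avoids the whole-file diff discussed above.

```python
"""Check ASIM EventVendor/EventProduct values against ASimTester.csv enumeration rows.

Added example, not part of the PR or the Azure-Sentinel repository. The three
data rows are copied from the PR comment; the header line is an assumption about
the tester's column names, and exact (case-sensitive) matching is assumed.
"""
import csv
import io

# Constructed test input: header is assumed, the three rows are the ones quoted in
# the PR comment. Each data row carries a trailing comma (an empty 7th column).
ASIM_TESTER_CSV = """ColumnName,ColumnType,Class,Schema,LogicType,ListOfValues
EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF|ASM|NetScaler|Firepower|Cortex Data Lake|Firewall,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall,
EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr|Citrix|F5|SonicWall,
"""

# Column positions in a row (assumed layout): name, type, class, schema, logic, values.
COL_NAME, COL_SCHEMA, COL_LOGIC, COL_VALUES = 0, 3, 4, 5


def _rows(text):
    """Parse the CSV text into a list of rows, preserving the trailing empty column."""
    return list(csv.reader(io.StringIO(text)))


def load_enumerations(text):
    """Return {(schema, column): set_of_allowed_values} for every Enumerated row."""
    enums = {}
    for row in _rows(text)[1:]:  # skip the (assumed) header line
        if len(row) <= COL_VALUES or row[COL_LOGIC] != "Enumerated":
            continue
        allowed = {v for v in row[COL_VALUES].split("|") if v}
        enums[(row[COL_SCHEMA], row[COL_NAME])] = allowed
    return enums


def validate_record(record, schema, enums):
    """Return tester-style violations for one parsed ASIM record.

    Only columns that have an Enumerated row for `schema` are checked, and the
    comparison is exact, so "Sonicwall" does not satisfy a list containing "SonicWall".
    """
    problems = []
    for (enum_schema, column), allowed in enums.items():
        if enum_schema != schema or column not in record:
            continue
        value = record[column]
        if value not in allowed:
            problems.append(f"{schema}.{column}={value!r} is not in the enumeration")
    return problems


def add_enumerated_value(text, column, schema, value):
    """Append `value` to exactly one Enumerated row and rewrite the file text.

    Idempotent: if the value is already listed the input is returned unchanged, so
    re-running it against a freshly synced master copy produces no spurious diff.
    """
    rows = _rows(text)
    for row in rows:
        if (len(row) > COL_VALUES and row[COL_NAME] == column
                and row[COL_SCHEMA] == schema and row[COL_LOGIC] == "Enumerated"):
            values = [v for v in row[COL_VALUES].split("|") if v]
            if value not in values:
                values.append(value)
                row[COL_VALUES] = "|".join(values)
            break
    else:
        raise KeyError(f"no Enumerated row for {schema}.{column}")
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    enums = load_enumerations(ASIM_TESTER_CSV)
    # Constructed records: one matching the list exactly, one with the wrong case.
    good = {"EventVendor": "SonicWall", "EventProduct": "Firewall"}
    bad = {"EventVendor": "Sonicwall", "EventProduct": "Firewall"}
    print(validate_record(good, "WebSession", enums))
    print(validate_record(bad, "WebSession", enums))
```

Run the file directly to see the clean record pass and the mis-cased vendor fail. Keeping the edit to one row, as `add_enumerated_value` does, is the point: the conflict described above came from pasting the whole file, so the diff showed every upstream change alongside the three intended ones.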

@jaimeesc
Contributor Author

jaimeesc commented Mar 6, 2024

Hello, just checking in. Please let me know what I can do to address this conflict. Thanks!

@vakohl
Contributor

vakohl commented Mar 7, 2024

> Hello, just checking in. Please let me know what I can do to address this conflict. Thanks!

@jaimeesc will take this tomorrow.

Remove Mapping for , HttpUserAgent = RequestClientApplication from both parsers
Remove Mapping for , HttpUserAgent = RequestClientApplication from both parsers
Updating Tester.csv with SonicWall changes
@vakohl
Contributor

vakohl commented Mar 8, 2024

@jaimeesc did you create any mapping sheet mapping SonicWall fields to ASIM fields? Can you share it, if possible? It would help in supporting this parser for future updates. Thanks, please let me know.

@jaimeesc
Contributor Author

jaimeesc commented Mar 8, 2024

> @jaimeesc did you create any mapping sheet mapping SonicWall fields to ASIM fields? Can you share it, if possible? It would help in supporting this parser for future updates. Thanks, please let me know.

I did, but will need to update it. It's got all the field names from before the requested changes. I'll update it and will share it when ready.

@vakohl
Contributor

vakohl commented Mar 8, 2024

> @jaimeesc did you create any mapping sheet mapping SonicWall fields to ASIM fields? Can you share it, if possible? It would help in supporting this parser for future updates. Thanks, please let me know.
>
> I did, but will need to update it. It's got all the field names from before the requested changes. I'll update it and will share it when ready.

Thanks @jaimeesc once ready, please share at [email protected]

@v-atulyadav v-atulyadav merged commit 2194c2b into Azure:master Mar 11, 2024
25 checks passed
3 participants