Added SonicWall ASIM Network Session parser

Parsers/ASimNetworkSession/ARM/ASimNetworkSessionSonicWallFirewall/README.md

@@ -0,0 +1,18 @@
+# SonicWall Firewall ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for SonicWall firewalls.
+
+This ASIM parser supports filtering and normalizing SonicWall SonicOS syslog data (ArcSight format) ingested by Microsoft Sentinel to the ASIM Network Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionSonicWallFirewall%2FASimNetworkSessionSonicWallFirewall.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionSonicWallFirewall%2FASimNetworkSessionSonicWallFirewall.json)

Parsers/ASimNetworkSession/ARM/vimNetworkSessionSonicWallFirewall/README.md

@@ -0,0 +1,18 @@
+# SonicWall Firewall ASIM NetworkSession Normalization Parser
+
+ARM template for ASIM NetworkSession schema parser for SonicWall Firewalls.
+
+This ASIM parser supports filtering and normalizing SonicWall SonicOS syslog data (ArcSight format) ingested by Microsoft Sentinel to the ASIM Network Session normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionSonicWallFirewall%2FvimNetworkSessionSonicWallFirewall.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionSonicWallFirewall%2FvimNetworkSessionSonicWallFirewall.json)

Parsers/ASimNetworkSession/Parsers/ASimNetworkSession.yaml

@@ -1,7 +1,7 @@
 Parser:
   Title: Network Session ASIM parser
-  Version: '0.6'
-  LastUpdated: Jul 27, 2023
+  Version: '0.7'
+  LastUpdated: Jan 17, 2024
 Product:
   Name: Source agnostic
 Normalization:
@@ -49,6 +49,7 @@ Parsers:
   - _ASim_NetworkSession_CrowdStrikeFalconHost
   - _ASim_NetworkSession_VMwareCarbonBlackCloud
   - _ASim_NetworkSession_PaloAltoCortexDataLake
+  - _ASim_NetworkSession_SonicWallFirewall
 
 ParserParams:
   - Name: pack
@@ -90,5 +91,6 @@ ParserQuery: |
     , ASimNetworkSessionCrowdStrikeFalconHost         (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionCrowdStrikeFalconHost'      in (DisabledParsers) ))
     , ASimNetworkSessionVMwareCarbonBlackCloud        (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionVMwareCarbonBlackCloud'      in (DisabledParsers) ))
     , ASimNetworkSessionPaloAltoCortexDataLake        (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionPaloAltoCortexDataLake'      in (DisabledParsers) ))
+    , ASimNetworkSessionSonicWallFirewall             (ASimBuiltInDisabled or ('ExcludeASimNetworkSessionSonicWallFirewall'      in (DisabledParsers) ))
   };
   NetworkSessionsGeneric (pack=pack)

Parsers/ASimNetworkSession/Tests/SonicWall_Firewall_ASimNetworkSession_DataTest.csv

@@ -0,0 +1,33 @@
+Result
+(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SonicWall"] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [DstPackets] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [SrcGeoCountry] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [SrcPackets] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatCategory] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatConfidence] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatIpAddr] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatName] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatOriginalConfidence] (Schema:NetworkSession)
+(2) Info: Empty value in 116 records (11.6%)  in optional field [DstAppName] (Schema:NetworkSession)
+(2) Info: Empty value in 116 records (11.6%)  in optional field [DstAppType] (Schema:NetworkSession)
+(2) Info: Empty value in 19 records (1.9%)  in optional field [DvcOutboundInterface] (Schema:NetworkSession)
+(2) Info: Empty value in 197 records (19.7%)  in optional field [DvcAction] (Schema:NetworkSession)
+(2) Info: Empty value in 197 records (19.7%)  in optional field [DvcOriginalAction] (Schema:NetworkSession)
+(2) Info: Empty value in 2 records (0.2%)  in optional field [DstZone] (Schema:NetworkSession)
+(2) Info: Empty value in 210 records (21.0%)  in optional field [SrcAppName] (Schema:NetworkSession)
+(2) Info: Empty value in 210 records (21.0%)  in optional field [SrcAppType] (Schema:NetworkSession)
+(2) Info: Empty value in 4 records (0.4%)  in optional field [DstPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 4 records (0.4%)  in optional field [SrcPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 807 records (80.7%)  in optional field [ThreatId] (Schema:NetworkSession)
+(2) Info: Empty value in 850 records (85.0%)  in optional field [DstAppId] (Schema:NetworkSession)
+(2) Info: Empty value in 890 records (89.0%)  in optional field [SrcUsername] (Schema:NetworkSession)
+(2) Info: Empty value in 938 records (93.8%)  in optional field [SrcAppId] (Schema:NetworkSession)
+(2) Info: Empty value in 996 records (99.6%)  in optional field [NetworkIcmpCode] (Schema:NetworkSession)
+(2) Info: Empty value in 996 records (99.6%)  in optional field [NetworkIcmpType] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [DstNatIpAddr] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [DstNatPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [NetworkRuleName] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [Rule] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [SrcNatIpAddr] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [SrcNatPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 999 records (99.9%)  in optional field [DstGeoCountry] (Schema:NetworkSession)

Parsers/ASimNetworkSession/Tests/SonicWall_Firewall_ASimNetworkSession_SchemaTest.csv

@@ -0,0 +1,84 @@
+Result
+(1) Warning: Missing recommended field [DstDomain]
+(1) Warning: Missing recommended field [DstHostname]
+(1) Warning: Missing recommended field [DvcDomain]
+(1) Warning: Missing recommended field [DvcHostname]
+(1) Warning: Missing recommended field [DvcIpAddr]
+(1) Warning: Missing recommended field [SrcDomain]
+(1) Warning: Missing recommended field [SrcHostname]
+(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]
+(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]
+(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]
+(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]
+(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]
+(2) Info: Missing optional field [DstBytes]
+(2) Info: Missing optional field [DstDescription]
+(2) Info: Missing optional field [DstDeviceType]
+(2) Info: Missing optional field [DstDvcId]
+(2) Info: Missing optional field [DstFQDN]
+(2) Info: Missing optional field [DstGeoCity]
+(2) Info: Missing optional field [DstGeoLatitude]
+(2) Info: Missing optional field [DstGeoLongitude]
+(2) Info: Missing optional field [DstGeoRegion]
+(2) Info: Missing optional field [DstInterfaceGuid]
+(2) Info: Missing optional field [DstInterfaceName]
+(2) Info: Missing optional field [DstOriginalUserType]
+(2) Info: Missing optional field [DstProcessGuid]
+(2) Info: Missing optional field [DstProcessId]
+(2) Info: Missing optional field [DstProcessName]
+(2) Info: Missing optional field [DstScopeId]
+(2) Info: Missing optional field [DstUserId]
+(2) Info: Missing optional field [DstUserType]
+(2) Info: Missing optional field [DstUsername]
+(2) Info: Missing optional field [DstVlanId]
+(2) Info: Missing optional field [DvcFQDN]
+(2) Info: Missing optional field [DvcId]
+(2) Info: Missing optional field [DvcInterface]
+(2) Info: Missing optional field [DvcMacAddr]
+(2) Info: Missing optional field [DvcScopeId]
+(2) Info: Missing optional field [DvcScope]
+(2) Info: Missing optional field [DvcZone]
+(2) Info: Missing optional field [EventOriginalResultDetails]
+(2) Info: Missing optional field [EventOriginalSubType]
+(2) Info: Missing optional field [EventOriginalType]
+(2) Info: Missing optional field [EventOriginalUid]
+(2) Info: Missing optional field [EventOwner]
+(2) Info: Missing optional field [EventReportUrl]
+(2) Info: Missing optional field [EventSubType]
+(2) Info: Missing optional field [NetworkConnectionHistory]
+(2) Info: Missing optional field [NetworkDuration]
+(2) Info: Missing optional field [NetworkPackets]
+(2) Info: Missing optional field [NetworkRuleNumber]
+(2) Info: Missing optional field [NetworkSessionId]
+(2) Info: Missing optional field [SrcBytes]
+(2) Info: Missing optional field [SrcDescription]
+(2) Info: Missing optional field [SrcDeviceType]
+(2) Info: Missing optional field [SrcDvcId]
+(2) Info: Missing optional field [SrcFQDN]
+(2) Info: Missing optional field [SrcGeoCity]
+(2) Info: Missing optional field [SrcGeoLatitude]
+(2) Info: Missing optional field [SrcGeoLongitude]
+(2) Info: Missing optional field [SrcGeoRegion]
+(2) Info: Missing optional field [SrcInterfaceGuid]
+(2) Info: Missing optional field [SrcInterfaceName]
+(2) Info: Missing optional field [SrcOriginalUserType]
+(2) Info: Missing optional field [SrcProcessGuid]
+(2) Info: Missing optional field [SrcProcessId]
+(2) Info: Missing optional field [SrcProcessName]
+(2) Info: Missing optional field [SrcScopeId]
+(2) Info: Missing optional field [SrcUserId]
+(2) Info: Missing optional field [SrcUserType]
+(2) Info: Missing optional field [SrcVlanId]
+(2) Info: Missing optional field [TcpFlagsAck]
+(2) Info: Missing optional field [TcpFlagsFin]
+(2) Info: Missing optional field [TcpFlagsPsh]
+(2) Info: Missing optional field [TcpFlagsRst]
+(2) Info: Missing optional field [TcpFlagsSyn]
+(2) Info: Missing optional field [TcpFlagsUrg]
+(2) Info: Missing optional field [ThreatFirstReportedTime]
+(2) Info: Missing optional field [ThreatIsActive]
+(2) Info: Missing optional field [ThreatLastReportedTime]
+(2) Info: Missing optional field [ThreatOriginalRiskLevel]
+(2) Info: Missing optional field [ThreatRiskLevel]
+(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]
+(2) Info: extra unnormalized column [CollectorHostName]

Parsers/ASimNetworkSession/Tests/SonicWall_Firewall_vimNetworkSession_DataTest.csv

@@ -0,0 +1,32 @@
+Result
+(0) Error: 1 invalid value(s) (up to 10 listed) in 1000 records (100.0%) for field [EventVendor] of type [Enumerated]: ["SonicWall"] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [DstPackets] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [SrcPackets] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [SrcUsername] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatConfidence] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatIpAddr] (Schema:NetworkSession)
+(2) Info: Empty value in 1000 records (100.0%)  in optional field [ThreatOriginalConfidence] (Schema:NetworkSession)
+(2) Info: Empty value in 2 records (0.2%)  in optional field [DstPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 2 records (0.2%)  in optional field [SrcPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 221 records (22.1%)  in optional field [DstAppName] (Schema:NetworkSession)
+(2) Info: Empty value in 221 records (22.1%)  in optional field [DstAppType] (Schema:NetworkSession)
+(2) Info: Empty value in 45 records (4.5%)  in optional field [DvcOutboundInterface] (Schema:NetworkSession)
+(2) Info: Empty value in 451 records (45.1%)  in optional field [DvcAction] (Schema:NetworkSession)
+(2) Info: Empty value in 451 records (45.1%)  in optional field [DvcOriginalAction] (Schema:NetworkSession)
+(2) Info: Empty value in 562 records (56.2%)  in optional field [ThreatId] (Schema:NetworkSession)
+(2) Info: Empty value in 575 records (57.5%)  in optional field [SrcAppName] (Schema:NetworkSession)
+(2) Info: Empty value in 575 records (57.5%)  in optional field [SrcAppType] (Schema:NetworkSession)
+(2) Info: Empty value in 670 records (67.0%)  in optional field [DstAppId] (Schema:NetworkSession)
+(2) Info: Empty value in 816 records (81.6%)  in optional field [DstGeoCountry] (Schema:NetworkSession)
+(2) Info: Empty value in 820 records (82.0%)  in optional field [SrcAppId] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [DstNatIpAddr] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [DstNatPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [NetworkIcmpCode] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [NetworkIcmpType] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [NetworkRuleName] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [Rule] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [SrcNatIpAddr] (Schema:NetworkSession)
+(2) Info: Empty value in 998 records (99.8%)  in optional field [SrcNatPortNumber] (Schema:NetworkSession)
+(2) Info: Empty value in 999 records (99.9%)  in optional field [SrcGeoCountry] (Schema:NetworkSession)
+(2) Info: Empty value in 999 records (99.9%)  in optional field [ThreatCategory] (Schema:NetworkSession)
+(2) Info: Empty value in 999 records (99.9%)  in optional field [ThreatName] (Schema:NetworkSession)

Parsers/ASimNetworkSession/Tests/SonicWall_Firewall_vimNetworkSession_SchemaTest.csv

@@ -0,0 +1,84 @@
+Result
+(1) Warning: Missing recommended field [DstDomain]
+(1) Warning: Missing recommended field [DstHostname]
+(1) Warning: Missing recommended field [DvcDomain]
+(1) Warning: Missing recommended field [DvcHostname]
+(1) Warning: Missing recommended field [DvcIpAddr]
+(1) Warning: Missing recommended field [SrcDomain]
+(1) Warning: Missing recommended field [SrcHostname]
+(2) Info: Missing optional alias [Duration] aliasing non-existent column [NetworkDuration]
+(2) Info: Missing optional alias [InnerVlanId] aliasing non-existent column [SrcVlanId]
+(2) Info: Missing optional alias [OuterVlanId] aliasing non-existent column [DstVlanId]
+(2) Info: Missing optional alias [SessionId] aliasing non-existent column [NetworkSessionId]
+(2) Info: Missing optional alias [User] aliasing non-existent column [DstUsername]
+(2) Info: Missing optional field [DstBytes]
+(2) Info: Missing optional field [DstDescription]
+(2) Info: Missing optional field [DstDeviceType]
+(2) Info: Missing optional field [DstDvcId]
+(2) Info: Missing optional field [DstFQDN]
+(2) Info: Missing optional field [DstGeoCity]
+(2) Info: Missing optional field [DstGeoLatitude]
+(2) Info: Missing optional field [DstGeoLongitude]
+(2) Info: Missing optional field [DstGeoRegion]
+(2) Info: Missing optional field [DstInterfaceGuid]
+(2) Info: Missing optional field [DstInterfaceName]
+(2) Info: Missing optional field [DstOriginalUserType]
+(2) Info: Missing optional field [DstProcessGuid]
+(2) Info: Missing optional field [DstProcessId]
+(2) Info: Missing optional field [DstProcessName]
+(2) Info: Missing optional field [DstScopeId]
+(2) Info: Missing optional field [DstUserId]
+(2) Info: Missing optional field [DstUserType]
+(2) Info: Missing optional field [DstUsername]
+(2) Info: Missing optional field [DstVlanId]
+(2) Info: Missing optional field [DvcFQDN]
+(2) Info: Missing optional field [DvcId]
+(2) Info: Missing optional field [DvcInterface]
+(2) Info: Missing optional field [DvcMacAddr]
+(2) Info: Missing optional field [DvcScopeId]
+(2) Info: Missing optional field [DvcScope]
+(2) Info: Missing optional field [DvcZone]
+(2) Info: Missing optional field [EventOriginalResultDetails]
+(2) Info: Missing optional field [EventOriginalSubType]
+(2) Info: Missing optional field [EventOriginalType]
+(2) Info: Missing optional field [EventOriginalUid]
+(2) Info: Missing optional field [EventOwner]
+(2) Info: Missing optional field [EventReportUrl]
+(2) Info: Missing optional field [EventSubType]
+(2) Info: Missing optional field [NetworkConnectionHistory]
+(2) Info: Missing optional field [NetworkDuration]
+(2) Info: Missing optional field [NetworkPackets]
+(2) Info: Missing optional field [NetworkRuleNumber]
+(2) Info: Missing optional field [NetworkSessionId]
+(2) Info: Missing optional field [SrcBytes]
+(2) Info: Missing optional field [SrcDescription]
+(2) Info: Missing optional field [SrcDeviceType]
+(2) Info: Missing optional field [SrcDvcId]
+(2) Info: Missing optional field [SrcFQDN]
+(2) Info: Missing optional field [SrcGeoCity]
+(2) Info: Missing optional field [SrcGeoLatitude]
+(2) Info: Missing optional field [SrcGeoLongitude]
+(2) Info: Missing optional field [SrcGeoRegion]
+(2) Info: Missing optional field [SrcInterfaceGuid]
+(2) Info: Missing optional field [SrcInterfaceName]
+(2) Info: Missing optional field [SrcOriginalUserType]
+(2) Info: Missing optional field [SrcProcessGuid]
+(2) Info: Missing optional field [SrcProcessId]
+(2) Info: Missing optional field [SrcProcessName]
+(2) Info: Missing optional field [SrcScopeId]
+(2) Info: Missing optional field [SrcUserId]
+(2) Info: Missing optional field [SrcUserType]
+(2) Info: Missing optional field [SrcVlanId]
+(2) Info: Missing optional field [TcpFlagsAck]
+(2) Info: Missing optional field [TcpFlagsFin]
+(2) Info: Missing optional field [TcpFlagsPsh]
+(2) Info: Missing optional field [TcpFlagsRst]
+(2) Info: Missing optional field [TcpFlagsSyn]
+(2) Info: Missing optional field [TcpFlagsUrg]
+(2) Info: Missing optional field [ThreatFirstReportedTime]
+(2) Info: Missing optional field [ThreatIsActive]
+(2) Info: Missing optional field [ThreatLastReportedTime]
+(2) Info: Missing optional field [ThreatOriginalRiskLevel]
+(2) Info: Missing optional field [ThreatRiskLevel]
+(2) Info: Missing recommended alias [Hostname] aliasing non-existent column [DstHostname]
+(2) Info: extra unnormalized column [CollectorHostName]