[ASIM] Web Session AWS WAF#14496
Open
manuelhauch wants to merge 6 commits into
Open
Conversation
added 2 commits
June 16, 2026 15:30
…bsession/awswaf to be up to date before creating a pull request.
Author
|
@microsoft-github-policy-service agree company="BlueVoyant" |
manuelhauch
changed the title
Contributor
There was a problem hiding this comment.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds AWS WAF support to the ASIM WebSession normalization layer by introducing dedicated AWS WAF parsers and wiring them into the top-level WebSession aggregators, with accompanying ARM deployment assets and test artifacts.
Changes:
- Added new AWS WAF WebSession parsers (
ASimWebSessionAWSAWSWAF,vimWebSessionAWSAWSWAF) and associated ARM templates/README/changelogs. - Updated top-level
ASimWebSession/imWebSessionparsers to include the new AWS WAF implementations and bumped versions. - Added sample schema and parser test result CSVs for AWS WAF.
Reviewed changes
Copilot reviewed 20 out of 21 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| Sample Data/ASIM/AWSWAF_schema.csv | Adds AWSWAF table schema sample used for validation/testing. |
| Parsers/ASimWebSession/Tests/AWS_AWS WAF_vimWebSession_SchemaTest.csv | Captures schema-test output for the filtering parser. |
| Parsers/ASimWebSession/Tests/AWS_AWS WAF_vimWebSession_DataTest.csv | Captures data-test output for the filtering parser. |
| Parsers/ASimWebSession/Tests/AWS_AWS WAF_ASimWebSession_SchemaTest.csv | Captures schema-test output for the normalization parser. |
| Parsers/ASimWebSession/Tests/AWS_AWS WAF_ASimWebSession_DataTest.csv | Captures data-test output for the normalization parser. |
| Parsers/ASimWebSession/Parsers/vimWebSessionAWSAWSWAF.yaml | New source-specific filtering + normalization parser for AWS WAF. |
| Parsers/ASimWebSession/Parsers/imWebSession.yaml | Wires AWS WAF filtering parser into the top-level imWebSession union and bumps version/date. |
| Parsers/ASimWebSession/Parsers/ASimWebSessionAWSAWSWAF.yaml | New source-specific normalization parser for AWS WAF. |
| Parsers/ASimWebSession/Parsers/ASimWebSession.yaml | Wires AWS WAF normalization parser into the top-level ASimWebSession union and bumps version/date. |
| Parsers/ASimWebSession/CHANGELOG/vimWebSessionAWSAWSWAF.md | New changelog for the AWS WAF filtering parser. |
| Parsers/ASimWebSession/CHANGELOG/imWebSession.md | Records new AWS WAF parser addition for imWebSession. |
| Parsers/ASimWebSession/CHANGELOG/ASimWebSessionAWSAWSWAF.md | New changelog for the AWS WAF normalization parser. |
| Parsers/ASimWebSession/CHANGELOG/ASimWebSession.md | Records new AWS WAF parser addition for ASimWebSession. |
| Parsers/ASimWebSession/ARM/vimWebSessionAWSAWSWAF/vimWebSessionAWSAWSWAF.json | Adds ARM template to deploy the filtering parser function. |
| Parsers/ASimWebSession/ARM/vimWebSessionAWSAWSWAF/README.md | Adds deployment documentation for the filtering parser. |
| Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json | Updates deployed imWebSession function to union in the AWS WAF filtering parser. |
| Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json | Adds linked deployments for the new AWS WAF parsers in the full deployment template. |
| Parsers/ASimWebSession/ARM/ASimWebSessionAWSAWSWAF/README.md | Adds deployment documentation for the normalization parser. |
| Parsers/ASimWebSession/ARM/ASimWebSessionAWSAWSWAF/ASimWebSessionAWSAWSWAF.json | Adds ARM template to deploy the normalization parser function. |
| Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json | Updates deployed ASimWebSession function to union in the AWS WAF normalization parser. |
Comment on lines
+173
to
+185
| | extend hostIsClean = host matches regex @'^[A-Za-z0-9\.\-\:\[\]_]+$' | ||
| | extend hostIsIp = hostIsClean and (host matches regex @'^\d{1,3}(\.\d{1,3}){3}$' or host contains ':') | ||
| | extend hostHasDomain = hostIsClean and not(hostIsIp) and array_length(split(host, '.')) > 1 | ||
| | extend | ||
| DstIpAddr = iff(isnotnull(parse_ipv4(host)), host, ''), | ||
| DstHostname = case( | ||
| isnotnull(parse_ipv4(host)), host, | ||
| hostIsIp, '', | ||
| hostIsClean, tostring(split(host, '.')[0]), | ||
| '' | ||
| ), | ||
| DstFQDN = iff(hostHasDomain, host, ''), | ||
| DstDomain = iff(hostHasDomain, strcat_array(array_slice(split(host, '.'), 1, -1), '.'), '') |
Comment on lines
+135
to
+147
| | extend hostIsClean = host matches regex @'^[A-Za-z0-9\.\-\:\[\]_]+$' | ||
| | extend hostIsIp = hostIsClean and (host matches regex @'^\d{1,3}(\.\d{1,3}){3}$' or host contains ':') | ||
| | extend hostHasDomain = hostIsClean and not(hostIsIp) and array_length(split(host, '.')) > 1 | ||
| | extend | ||
| DstIpAddr = iff(isnotnull(parse_ipv4(host)), host, ''), | ||
| DstHostname = case( | ||
| isnotnull(parse_ipv4(host)), host, | ||
| hostIsIp, '', | ||
| hostIsClean, tostring(split(host, '.')[0]), | ||
| '' | ||
| ), | ||
| DstFQDN = iff(hostHasDomain, host, ''), | ||
| DstDomain = iff(hostHasDomain, strcat_array(array_slice(split(host, '.'), 1, -1), '.'), '') |
Comment on lines
+1
to
+5
| # AWS WAF ASIM WebSession Normalization Parser | ||
|
|
||
| ARM template for ASIM WebSession schema parser for AWS WAF. | ||
|
|
||
| This ASIM parser supports filtering and normalizing AWS Web Application Firewall (WAF) web session logs from the AWSWAF table to the ASIM Web Session normalized schema. |
Author
There was a problem hiding this comment.
changed in the latest commit
| @@ -0,0 +1,35 @@ | |||
| ColumnName,ColumnOrdinal,DataType,ColumnType | |||
Author
There was a problem hiding this comment.
file removed in latest commit as it's not required. AWSWAF.json was added under .script/tests/kqlvalidationtests/CustomTables
Collaborator
|
Hi @manuelhauch, |
yummyblabla
reviewed
Jun 17, 2026
| This ASIM parser supports normalizing AWS Web Application Firewall (WAF) web session logs from the AWSWAF table to the ASIM Web Session normalized schema. | ||
| ParserName: ASimWebSessionAWSAWSWAF | ||
| EquivalentBuiltInParser: _ASim_WebSession_AWSAWSWAF | ||
| Exceptions: |
Collaborator
There was a problem hiding this comment.
Can remove this Exceptions block
Author
There was a problem hiding this comment.
Just from the ASIM version not the vim version then?
| Link: https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html | ||
| Description: | | ||
| This ASIM parser supports normalizing AWS Web Application Firewall (WAF) web session logs from the AWSWAF table to the ASIM Web Session normalized schema. | ||
| ParserName: ASimWebSessionAWSAWSWAF |
Collaborator
There was a problem hiding this comment.
Having AWSAWSWAF seems redundant to have AWS called twice. In EventProduct, we can have it as just WAF instead of AWS WAF
Author
There was a problem hiding this comment.
Sure, can do, I agree it is redundant, but felt like having just WAF in product might be too unspecific, will change.
| HttpStatusCode, | ||
| DstHostname, | ||
| SrcIpAddr, | ||
| ASimMatchingIpAddr = "SrcIpAddr", |
Collaborator
There was a problem hiding this comment.
Can remove ASimMatchingIpAddr and ASimMAtchingHostname from this parser as it's not used in parameter-less parser
Author
There was a problem hiding this comment.
Will be removed in the latest commit
| Src = tostring(parsedRequest.clientIp), | ||
| SrcGeoCountry = tostring(parsedRequest.country) | ||
| | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)) | ||
| | where (array_length(ipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix)) |
Collaborator
There was a problem hiding this comment.
Can move lines 188-192 to closer to the start of the parser so we do filtering early
Author
There was a problem hiding this comment.
moved up in the latest commit
| HttpStatusCode, | ||
| DstHostname, | ||
| SrcIpAddr, | ||
| ASimMatchingIpAddr = "SrcIpAddr", |
Collaborator
There was a problem hiding this comment.
Line 245+246 will be filled with SrcIpAddr or DstHostname if filtering was done. You can check other parsers for an example of how this is populated
Author
There was a problem hiding this comment.
I adjusted the logic for ASimMatchingIpAddr to the other parsers. As WebSessions doesn't have a filter parameter for hostname, I decided it's probably best to leave it out completly.
Collaborator
|
Failing kql validation because the table is not available during kql checks. Please add it to script/tests/kqlvalidationtests/customTables |
Author
|
@yummyblabla I addressed your comments |
Comment on lines
+141
to
+149
| // -- srcipaddr_has_any_prefix post-filter | ||
| | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)) | ||
| // -- ipaddr_has_any_prefix post-filter | ||
| | extend ASimMatchingIpAddr = case( | ||
| array_length(ipaddr_has_any_prefix) == 0, "-", | ||
| has_any_ipv4_prefix(SrcIpAddr, ipaddr_has_any_prefix), "SrcIpAddr", | ||
| "No match" | ||
| ) | ||
| | where ASimMatchingIpAddr != "No match" |
Author
There was a problem hiding this comment.
This seems to be handled the same for other Web Session parsers. I would prefer to keep this consistent.
| "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n url_has_any:dynamic=dynamic([]), \n httpuseragent_has_any:dynamic=dynamic([]), \n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimWebSessionEmpty,\n vimWebSessionSquidProxy (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSquidProxy' in (DisabledParsers)))),\n vimWebSessionZscalerZIA (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionZscalerZIA' in (DisabledParsers)))),\n vimWebSessionNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionNative' in (DisabledParsers)))),\n vimWebSessionVectraAI (pack=pack, starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionVectraAI' in (DisabledParsers)))),\n vimWebSessionIIS (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionIIS' in (DisabledParsers)))),\n vimWebSessionPaloAltoCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCEF' in (DisabledParsers)))),\n vimWebSessionApacheHTTPServer (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionApacheHTTPServer' in (DisabledParsers)))),\n vimWebSessionFortinetFortiGate (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionFortinetFortiGate' in (DisabledParsers)))),\n vimWebSessionCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoMeraki' in (DisabledParsers)))),\n vimWebSessionBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaWAF' in (DisabledParsers)))),\n vimWebSessionBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaCEF' in (DisabledParsers)))),\n vimWebSessionCitrixNetScaler (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCitrixNetScaler' in (DisabledParsers)))),\n vimWebSessionCiscoFirepower (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoFirepower' in (DisabledParsers)))),\n vimWebSessionF5ASM (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionF5ASM' in (DisabledParsers)))),\n vimWebSessionPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCortexDataLake' in (DisabledParsers)))),\n vimWebSessionSonicWallFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSonicWallFirewall' in (DisabledParsers)))),\n vimWebSessionAzureFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionAzureFirewall' in (DisabledParsers)))),\n vimWebSessionCiscoUmbrella (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoUmbrella' in (DisabledParsers))), pack=pack),\n vimWebSessionSalesforceServiceCloudV2 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSalesforceServiceCloudV2' in (DisabledParsers))), pack=pack)\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", | ||
| "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime:datetime=datetime(null),\n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]),\n ipaddr_has_any_prefix:dynamic=dynamic([]),\n url_has_any:dynamic=dynamic([]),\n httpuseragent_has_any:dynamic=dynamic([]),\n eventresultdetails_in:dynamic=dynamic([]),\n eventresult:string='*',\n pack:bool=false)\n{\nunion isfuzzy=true\n vimWebSessionEmpty,\n vimWebSessionSquidProxy (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSquidProxy' in (DisabledParsers)))),\n vimWebSessionZscalerZIA (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionZscalerZIA' in (DisabledParsers)))),\n vimWebSessionNative (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionNative' in (DisabledParsers)))),\n vimWebSessionVectraAI (pack=pack, starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionVectraAI' in (DisabledParsers)))),\n vimWebSessionIIS (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionIIS' in (DisabledParsers)))),\n vimWebSessionPaloAltoCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCEF' in (DisabledParsers)))),\n vimWebSessionApacheHTTPServer (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionApacheHTTPServer' in (DisabledParsers)))),\n vimWebSessionFortinetFortiGate (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionFortinetFortiGate' in (DisabledParsers)))),\n vimWebSessionCiscoMeraki (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoMeraki' in (DisabledParsers)))),\n vimWebSessionBarracudaWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaWAF' in (DisabledParsers)))),\n vimWebSessionBarracudaCEF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionBarracudaCEF' in (DisabledParsers)))),\n vimWebSessionCitrixNetScaler (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCitrixNetScaler' in (DisabledParsers)))),\n vimWebSessionCiscoFirepower (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoFirepower' in (DisabledParsers)))),\n vimWebSessionF5ASM (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionF5ASM' in (DisabledParsers)))),\n vimWebSessionPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionPaloAltoCortexDataLake' in (DisabledParsers)))),\n vimWebSessionSonicWallFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSonicWallFirewall' in (DisabledParsers)))),\n vimWebSessionAzureFirewall (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionAzureFirewall' in (DisabledParsers)))),\n vimWebSessionCiscoUmbrella (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionCiscoUmbrella' in (DisabledParsers))), pack=pack),\n vimWebSessionSalesforceServiceCloudV2 (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionSalesforceServiceCloudV2' in (DisabledParsers))), pack=pack),\n vimWebSessionAWSWAF (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=(vimBuiltInDisabled or ('ExcludevimWebSessionAWSWAF' in (DisabledParsers))), pack=pack)\n};\nparser (starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, ipaddr_has_any_prefix=ipaddr_has_any_prefix, url_has_any=url_has_any, httpuseragent_has_any=httpuseragent_has_any, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", | ||
| "version": 1, | ||
| "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),ipaddr_has_any_prefix:dynamic=dynamic([]),url_has_any:dynamic=dynamic([]),httpuseragent_has_any:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',eventresultdetails_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" |
Author
There was a problem hiding this comment.
This seems to be a FP? There is no "eventresultdetails_has_any" in my parser. Disabled is present in both.
v-atulyadav
added
the
SafeToRun
Collaborator
|
Hi @manuelhauch, Validation is failing for the sample data file name. Please see the details below and take the necessary action. Thanks In PR: Required file: |
Author
|
@v-atulyadav sorry, missed that file during renaming. Fixed it. |
v-atulyadav
added
SafeToRun
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Change(s):
Added WebSession ASIM parser for AWS WAF logs in the AWSWAF table.
Reason for Change(s):
Support AWS WAF logs in WebSession ASIM.
Version Updated:
Yes
Top level Web Session ASIM parsers updated to 0.5.7 (for ASimWebSession) and 0.6.5 (for imWebSession)
Testing Completed:
Yes
Checked that the validations are passing and have addressed any issues that are present:
Yes