Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Azure Firewall ASIM Network Parser | ICMP code and Type parsing #10532

Open cgiamp opened 1 month ago

cgiamp commented 1 month ago

Hello,

It appears that there is a small bug on the following line, which extracts the ICMP code: https://github.com/Azure/Azure-Sentinel/blob/a0a2d1d4b3fe5caf51a73963497950af9d18a9c1/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAzureFirewall.yaml#L43C11-L43C137 Based on what I see in Azure Firewall logging and the sample logs here: https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/AzureFirewall/AzureFirewallNetworkRuleLogs_sample-dataset.kql#L7 the Type keyword has a capital 'T', which causes the regular expression to fail.

I propose changing the regular expression to (not case-sensitive for failsafe):

| extend NetworkIcmpCode = iff(NetworkProtocol startswith "ICMP", toint(extract ("(?i)type=(\\d+)", 1, NetworkProtocol)), int(null))

Also, based on the documentation, the fields NetworkIcmpType and NetworkIcmpCode should be the corresponding number of the ICMP type and code. In this parser, NetworkIcmpCode has the value of the ICMP type and NetworkIcmpType contains the description of the numeric value of the ICMP type, which is a bit misleading. I think it's more appropriate to store the numeric value of the ICMP type in the NetworkIcmpType field.
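To see the two points above side by side, here is an added Python example (not the parser's own code, which is KQL) that mirrors the `extract` logic on constructed NetworkProtocol values: the case-sensitive pattern drops rows written as `Type=`, the `(?i)` pattern keeps them, and the numeric value lands in NetworkIcmpType as the schema describes.

```python
import re
from typing import Optional

# Pattern currently in the parser (case-sensitive) and the proposed replacement.
# Python's re supports the inline (?i) flag the same way KQL's RE2 engine does.
ORIGINAL_PATTERN = re.compile(r"type=(\d+)")
PROPOSED_PATTERN = re.compile(r"(?i)type=(\d+)")


def extract_icmp_type(network_protocol: str,
                      pattern: re.Pattern = PROPOSED_PATTERN) -> Optional[int]:
    """Mirror the KQL iff(): only rows starting with ICMP are parsed,
    everything else yields null (None here)."""
    if not network_protocol.startswith("ICMP"):
        return None
    match = pattern.search(network_protocol)
    return int(match.group(1)) if match else None


def normalize(network_protocol: str) -> dict:
    """Project onto the ASIM fields as the schema documents them:
    NetworkProtocol is the bare protocol name, NetworkIcmpType the number."""
    return {
        "NetworkProtocol": network_protocol.split()[0],
        "NetworkIcmpType": extract_icmp_type(network_protocol),
    }


# Constructed sample values (not the repository's sample dataset); the
# first one uses the capital 'T' seen in real Azure Firewall logs.
SAMPLES = ["ICMP Type=8", "ICMP type=3", "TCP"]

if __name__ == "__main__":
    for value in SAMPLES:
        print(value, "->", extract_icmp_type(value, ORIGINAL_PATTERN),
              "(original)", extract_icmp_type(value), "(proposed)")
```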

cgiamp commented 3 days ago

Hi,

Any update on this one?