Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License
4.61k stars 3.02k forks

ASimWebSessionSquidProxy issue with data from AMA #11268

Open gitjpk opened 1 month ago

gitjpk commented 1 month ago

Describe the bug The parser does not work correctly with data coming from the AMA connector.

To Reproduce Execute the parser against Syslog data collected with AMA.

Expected behavior Parse the data

Additional context Basically, we installed the Custom logs via AMA data connector on a "default configured" Squid proxy, using AMA version 1.33.1.0, and we planned to use the "Web Session Essentials Workbook". Data filled the right table with no issue (Squidproxy_CL), but the workbook did not get any data (we also configured the logic apps, same issue).

Troubleshooting the issue, we went through _Asim_WebSession(), then _Im_WebSessionBuiltIn(), then _Im_WebSession_SquidProxyV06, and we found a few errors in the last one.

On line 32, it is expecting a Computer field which does not exist in the table:

    Dvc = Computer

On line 88, it is projecting away a few fields that don't exist in the table:

    | project-away AccessRawLog, RawData, *_s, MG, ManagementGroupName, SourceSystem, TenantId, DstIpAddrIsHost

For testing purposes, we added the following transformation rule in the DCR:

    source | extend Computer="FakeComputerName", MG="MG", ManagementGroupName="ManagementGroupName", SourceSystem="SourceSystem"

We then saw data in the workbook 😊
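The failure mode described above (a parser that hard-references columns the AMA-populated table never carries) is usually handled in KQL with column_ifexists(), which returns a default when a column is absent instead of failing the whole query at parse time. The block below is an added illustration, not the ASIM parser's own code and not part of the original issue: the datatable rows and the _ResourceId column are constructed to mimic a Squidproxy_CL table fed by AMA, the Squid access-log line is made up, and the fallback choices are assumptions. The second extend-then-project-away step is a workaround that materializes the legacy columns so the existing project-away list keeps working, at the cost of a few empty columns during evaluation.

```kusto
// Constructed sample: what an AMA-fed Squidproxy_CL looks like. There is no
// Computer, MG, ManagementGroupName, SourceSystem or *_s column, only the
// columns the DCR actually writes (names here are assumptions).
let SquidproxyAMA = datatable(TimeGenerated:datetime, RawData:string, _ResourceId:string)
[
    datetime(2024-10-22T08:00:00Z),
    "1729584000.123     45 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html",
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-proxy/providers/Microsoft.Compute/virtualMachines/squid01"
];
// Fragile form (same shape as the reported parser lines). Uncommenting it
// against the table above fails: the query engine cannot resolve "Computer".
//   SquidproxyAMA
//   | extend Dvc = Computer
//   | project-away RawData, MG, ManagementGroupName, SourceSystem
//
// Hardened form: resolve Dvc from Computer when the legacy agent populated it,
// otherwise fall back to the resource id that AMA stamps on every row.
SquidproxyAMA
| extend Dvc = tostring(column_ifexists("Computer", ""))
| extend Dvc = iff(isempty(Dvc), tostring(column_ifexists("_ResourceId", "")), Dvc)
// Materialize the legacy-agent columns if they are missing, so that the
// unchanged project-away list below resolves on both table shapes.
| extend MG = tostring(column_ifexists("MG", "")),
         ManagementGroupName = tostring(column_ifexists("ManagementGroupName", "")),
         SourceSystem = tostring(column_ifexists("SourceSystem", ""))
| project-away RawData, MG, ManagementGroupName, SourceSystem
| project TimeGenerated, Dvc
```

The same pattern applies to every other legacy-agent column a parser touches (TenantId, the *_s fields): either resolve it with column_ifexists() or make the DCR transformation add it, as the reporter's workaround does. The DCR route hides the problem on the ingestion side; the parser-side fix is what makes the ASIM function work for both agents without per-tenant rules.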

v-sudkharat commented 3 weeks ago

Hi @gitjpk , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!

v-sudkharat commented 3 weeks ago

Hi @gitjpk, Could you please share the sample data with us which is not parsing through the parser. Thanks!

gitjpk commented 3 weeks ago

Hello Sudarshan,

Sure! As an MS employee, I'll send it to you through Teams.

Thanks, JP
