
Commit abeec7c

yummyblablaDerrick Lee
andauthored
[ASIM] Create WebSession parser for SalesforceServiceCloudV2_CL (#14424)
* Commit files * Fix kql validations * [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. * Test sample data * Fix workflow? * Revert "Fix workflow?" This reverts commit f02420f. --------- Co-authored-by: Derrick Lee <derricklee@microsoft.com> Co-authored-by: github-actions[bot] <>
1 parent ca7536a commit abeec7c

16 files changed

Lines changed: 749 additions & 10 deletions

Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@
2727
"displayName": "Web Session ASIM parser",
2828
"category": "ASIM",
2929
"FunctionAlias": "ASimWebSession",
30-
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimWebSessionEmpty,\n ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers))),\n ASimWebSessionApacheHTTPServer (ASimBuiltInDisabled or ('ExcludeASimWebSessionApacheHTTPServer' in (DisabledParsers))),\n ASimWebSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimWebSessionFortinetFortiGate' in (DisabledParsers))),\n ASimWebSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoMeraki' in (DisabledParsers))),\n ASimWebSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaWAF' in (DisabledParsers))),\n ASimWebSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaCEF' in (DisabledParsers))),\n ASimWebSessionCitrixNetScaler (ASimBuiltInDisabled or ('ExcludeASimWebSessionCitrixNetScaler' in (DisabledParsers))),\n ASimWebSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoFirepower' in (DisabledParsers))),\n ASimWebSessionF5ASM 
(ASimBuiltInDisabled or ('ExcludeASimWebSessionF5ASM' in (DisabledParsers))),\n ASimWebSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCortexDataLake' in (DisabledParsers))),\n ASimWebSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionSonicWallFirewall' in (DisabledParsers))),\n ASimWebSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionAzureFirewall' in (DisabledParsers))),\n ASimWebSessionCiscoUmbrella (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoUmbrella' in (DisabledParsers)),pack=pack)\n}; \nparser(pack=pack)\n",
30+
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimWebSessionEmpty,\n ASimWebSessionSquidProxy (ASimBuiltInDisabled or ('ExcludeASimWebSessionSquidProxy' in (DisabledParsers))),\n ASimWebSessionZscalerZIA (ASimBuiltInDisabled or ('ExcludeASimWebSessionZscalerZIA' in (DisabledParsers))),\n ASimWebSessionNative (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionNative' in (DisabledParsers)))),\n ASimWebSessionVectraAI (pack=pack, disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionVectraAI' in (DisabledParsers)))),\n ASimWebSessionIIS (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionIIS' in (DisabledParsers)))),\n ASimWebSessionPaloAltoCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCEF' in (DisabledParsers))),\n ASimWebSessionApacheHTTPServer (ASimBuiltInDisabled or ('ExcludeASimWebSessionApacheHTTPServer' in (DisabledParsers))),\n ASimWebSessionFortinetFortiGate (ASimBuiltInDisabled or ('ExcludeASimWebSessionFortinetFortiGate' in (DisabledParsers))),\n ASimWebSessionCiscoMeraki (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoMeraki' in (DisabledParsers))),\n ASimWebSessionBarracudaWAF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaWAF' in (DisabledParsers))),\n ASimWebSessionBarracudaCEF (ASimBuiltInDisabled or ('ExcludeASimWebSessionBarracudaCEF' in (DisabledParsers))),\n ASimWebSessionCitrixNetScaler (ASimBuiltInDisabled or ('ExcludeASimWebSessionCitrixNetScaler' in (DisabledParsers))),\n ASimWebSessionCiscoFirepower (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoFirepower' in (DisabledParsers))),\n ASimWebSessionF5ASM 
(ASimBuiltInDisabled or ('ExcludeASimWebSessionF5ASM' in (DisabledParsers))),\n ASimWebSessionPaloAltoCortexDataLake (ASimBuiltInDisabled or ('ExcludeASimWebSessionPaloAltoCortexDataLake' in (DisabledParsers))),\n ASimWebSessionSonicWallFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionSonicWallFirewall' in (DisabledParsers))),\n ASimWebSessionAzureFirewall (ASimBuiltInDisabled or ('ExcludeASimWebSessionAzureFirewall' in (DisabledParsers))),\n ASimWebSessionCiscoUmbrella (ASimBuiltInDisabled or ('ExcludeASimWebSessionCiscoUmbrella' in (DisabledParsers)),pack=pack),\n ASimWebSessionSalesforceServiceCloudV2 (disabled=(ASimBuiltInDisabled or ('ExcludeASimWebSessionSalesforceServiceCloudV2' in (DisabledParsers))), pack=pack)\n}; \nparser(pack=pack)\n",
3131
"version": 1,
3232
"functionParameters": "pack:bool=False"
3333
}
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
3+
"contentVersion": "1.0.0.0",
4+
"parameters": {
5+
"Workspace": {
6+
"type": "string",
7+
"metadata": {
8+
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
9+
}
10+
},
11+
"WorkspaceRegion": {
12+
"type": "string",
13+
"defaultValue": "[resourceGroup().location]",
14+
"metadata": {
15+
"description": "The region of the selected workspace. The default value will use the Region selection above."
16+
}
17+
}
18+
},
19+
"resources": [
20+
{
21+
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
22+
"apiVersion": "2020-08-01",
23+
"name": "[concat(parameters('Workspace'), '/ASimWebSessionSalesforceServiceCloudV2')]",
24+
"location": "[parameters('WorkspaceRegion')]",
25+
"properties": {
26+
"etag": "*",
27+
"displayName": "Web Session ASIM parser for Salesforce Service Cloud",
28+
"category": "ASIM",
29+
"FunctionAlias": "ASimWebSessionSalesforceServiceCloudV2",
30+
"query": "let parser=(disabled:bool=false, pack:bool=false) {\n let EventTypeLookup = datatable (EventOriginalType: string, EventType: string) [\n \"ApiTotalUsage\", \"ApiRequest\",\n \"RestApi\", \"ApiRequest\",\n \"BulkApi2\", \"ApiRequest\",\n \"ApexCallout\", \"ApiRequest\",\n \"ExternalODataCallout\", \"ApiRequest\",\n \"MetadataApiOperation\", \"ApiRequest\",\n \"NamedCredential\", \"ApiRequest\",\n \"URI\", \"WebServerSession\",\n \"AuraRequest\", \"WebServerSession\",\n \"LightningPageView\",\"WebServerSession\",\n \"LightningPerformance\", \"WebServerSession\",\n \"LightningInteraction\", \"WebServerSession\",\n \"UiTelemetryResourceTiming\", \"WebServerSession\",\n \"UiTelemetryNavigationTiming\", \"WebServerSession\",\n \"CSPViolation\", \"WebServerSession\"\n ];\n let WebSessionEventTypes = dynamic([\n \"ApiTotalUsage\", \"RestApi\", \"BulkApi2\", \"ApexCallout\",\n \"ExternalODataCallout\", \"MetadataApiOperation\", \"NamedCredential\",\n \"URI\", \"AuraRequest\", \"LightningPageView\", \"LightningPerformance\",\n \"LightningInteraction\", \"UiTelemetryResourceTiming\",\n \"UiTelemetryNavigationTiming\", \"CSPViolation\"\n ]);\n SalesforceServiceCloudV2_CL\n | where not(disabled)\n | where EventType in (WebSessionEventTypes)\n | project-rename EventOriginalType = EventType\n | lookup EventTypeLookup on EventOriginalType\n | extend\n // -- URL handling\n Url = coalesce(Url, Uri),\n _UrlHost = extract(@\"https?://([^/:?#]+)\", 1, Url)\n | extend\n DstFQDN = iff(_UrlHost has \".\", _UrlHost, \"\"),\n DstHostname = iff(isnotempty(_UrlHost), extract(@\"^([^.]+)\", 1, _UrlHost), \"\"),\n DstDomain = extract(@\"^[^.]+\\.(.*)\", 1, _UrlHost),\n DstDomainType = iff(_UrlHost has \".\", \"FQDN\", \"\")\n | extend\n // -- Event fields\n Type = \"SalesforceServiceCloudV2_CL\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"WebSession\",\n EventSchemaVersion = \"0.2.7\",\n EventVendor = \"Salesforce\",\n 
EventProduct = \"Salesforce Service Cloud\",\n EventProductVersion = ApiVersion,\n EventSeverity = \"Informational\",\n // -- Event result based on HTTP status code\n EventResultDetails = StatusCode,\n EventResult = case(\n isempty(StatusCode), \"NA\",\n toint(StatusCode) between (100 .. 399), \"Success\",\n toint(StatusCode) between (400 .. 599), \"Failure\",\n \"NA\"\n ),\n EventOriginalResultDetails = StatusCode\n | extend\n // -- HTTP fields\n HttpRequestMethod = HttpMethod,\n HttpStatusCode = EventResultDetails,\n HttpUserAgent = coalesce(HttpUserAgentOriginal, HttpUserAgent, UserAgent),\n HttpReferrer = coalesce(HttpReferrerOriginal, ReferrerUri),\n // -- Source fields\n SrcIpAddr = coalesce(ClientIp, SourceIp, SrcIpAddr),\n SrcUserId = UserId,\n SrcUserIdType = iff(isnotempty(UserId), \"SalesforceId\", \"\"),\n SrcUsername = coalesce(UserEmail, User),\n \n SrcUserType = case(\n UserType == \"Standard\" or UserType == \"S\", \"Regular\",\n UserType == \"X\", \"Admin\",\n \"\"\n ),\n SrcBytes = tolong(RequestSize),\n SrcDvcId = coalesce(SrcDvcId, DeviceId),\n SrcDvcModelName = coalesce(SrcDvcModelName, DeviceModel),\n SrcDvcOs = OsName,\n // -- Destination fields\n DstBytes = tolong(coalesce(DstBytes, ResponseSize)),\n DstAppName = \"Salesforce Service Cloud\",\n DstAppType = \"SaaS application\",\n // -- Device fields\n Dvc = \"Salesforce Service Cloud\",\n DvcScopeId = OrganizationId,\n // -- Network fields\n NetworkDuration = toint(Duration),\n NetworkSessionId = SessionKey,\n // -- TLS\n TlsVersion = TlsProtocol,\n TlsCipher = CipherSuite\n | extend\n SrcUsernameType = case(\n isnotempty(SrcUsername) and SrcUsername has \"@\", \"UPN\",\n isnotempty(SrcUsername), \"Simple\",\n \"\"\n )\n | extend\n // -- Conditional fields\n SrcDvcIdType = iff(isnotempty(SrcDvcId), \"Other\", \"\"),\n // -- Dst alias: use the best available destination identifier\n Dst = coalesce(DstFQDN, DstHostname, DstAppName),\n // -- Src alias\n Src = SrcIpAddr,\n // -- Aliases\n 
IpAddr = SrcIpAddr,\n User = SrcUsername,\n UserAgent = HttpUserAgent,\n Hostname = DstHostname,\n Duration = NetworkDuration,\n SessionId = NetworkSessionId\n | extend\n // -- AdditionalFields\n AdditionalFields = iff(\n pack,\n bag_pack(\n \"ApiVersion\", ApiVersion,\n \"ApiType\", ApiType,\n \"SessionType\", SessionType,\n \"BrowserName\", BrowserName,\n \"BrowserVersion\", BrowserVersion,\n \"OsVersion\", OsVersion,\n \"PlatformType\", PlatformType,\n \"DevicePlatform\", DevicePlatform,\n \"ConnectionType\", ConnectionType,\n \"RequestId\", RequestId,\n \"Quiddity\", Quiddity,\n \"ExecTime\", ExecTime,\n \"TotalTime\", TotalTime,\n \"CpuTime\", CpuTime,\n \"DbTotalTime\", DbTotalTime,\n \"DbCpuTime\", DbCpuTime,\n \"RowsProcessed\", RowsProcessed,\n \"IsLongRunningRequest\", IsLongRunningRequest\n ),\n dynamic({})\n )\n | project\n // -- Mandatory\n TimeGenerated,\n EventCount,\n EventStartTime,\n EventEndTime,\n EventType,\n EventResult,\n EventProduct,\n EventVendor,\n EventSchema,\n EventSchemaVersion,\n Dvc,\n Url,\n Dst,\n // -- Recommended\n EventResultDetails,\n EventSeverity,\n HttpRequestMethod,\n HttpStatusCode,\n DstHostname,\n DstBytes,\n SrcIpAddr,\n SrcBytes,\n ASimMatchingIpAddr = \"SrcIpAddr\",\n ASimMatchingHostname = \"DstHostname\",\n // -- Event optional\n EventOriginalType,\n EventOriginalResultDetails,\n EventProductVersion,\n // -- HTTP optional\n HttpUserAgent,\n HttpReferrer,\n // -- Destination optional\n DstFQDN,\n DstDomain,\n DstDomainType,\n DstAppName,\n DstAppType,\n // -- Source fields\n SrcUserId,\n SrcUserIdType,\n SrcUsername,\n SrcUsernameType,\n SrcUserType,\n SrcDvcId,\n SrcDvcIdType,\n SrcDvcModelName,\n SrcDvcOs,\n // -- Device fields\n DvcScopeId,\n // -- Network fields\n NetworkDuration,\n NetworkSessionId,\n // -- TLS\n TlsVersion,\n TlsCipher,\n // -- Additional\n AdditionalFields,\n // -- Aliases\n IpAddr,\n User,\n UserAgent,\n Hostname,\n Duration,\n SessionId,\n Src,\n // -- Source table\n 
Type\n};\nparser(disabled=disabled, pack=pack)\n",
31+
"version": 1,
32+
"functionParameters": "disabled:bool=False,pack:bool=False"
33+
}
34+
}
35+
]
36+
}
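Review bot: The raw Salesforce `UserType` is lost for every value other than `Standard`, `S` and `X`: the `SrcUserType` case in the source-fields extend maps those to `Regular`/`Admin` and everything else to an empty string, and `UserType` is neither projected nor placed in the `pack` bag, so exactly the account classes an analyst would pivot on (automated, guest or portal/partner users, if that is what the other codes denote) disappear from the normalized row. ASIM has `SrcOriginalUserType` for this; add `SrcOriginalUserType = UserType,` beside `SrcUserType` and list `SrcOriginalUserType` under the source fields in the final `project`. Because this ARM template is generated from the parser YAML, the change belongs in the YAML source rather than in this file. Separately, when `coalesce(Url, Uri)` yields a bare path with no scheme the `https?://` extract leaves `_UrlHost` empty, so `Dst` silently falls back to `DstAppName` for those rows; a short comment at the URL-handling extend stating that this is intended would save the next reader from treating it as a bug.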
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
# Salesforce Service Cloud ASIM WebSession Normalization Parser
2+
3+
ARM template for ASIM WebSession schema parser for Salesforce Service Cloud.
4+
5+
This ASIM parser supports normalizing Salesforce Service Cloud web session and API request logs from the SalesforceServiceCloudV2_CL table to the ASIM Web Session normalized schema.
6+
7+
8+
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
9+
10+
For more information, see:
11+
12+
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
13+
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
14+
- [ASIM WebSession normalization schema reference](https://aka.ms/ASimWebSessionDoc)
15+
16+
For the changelog, see:
17+
- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/CHANGELOG/ASimWebSessionSalesforceServiceCloudV2.md)
18+
19+
<br>
20+
21+
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionSalesforceServiceCloudV2%2FASimWebSessionSalesforceServiceCloudV2.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimWebSession%2FARM%2FASimWebSessionSalesforceServiceCloudV2%2FASimWebSessionSalesforceServiceCloudV2.json)

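--- a/Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json
+++ b/Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json
@@ -318,6 +318,26 @@
 }
 }
 },
+{
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2020-10-01",
+"name": "linkedASimWebSessionSalesforceServiceCloudV2",
+"properties": {
+"mode": "Incremental",
+"templateLink": {
+"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/ASimWebSessionSalesforceServiceCloudV2/ASimWebSessionSalesforceServiceCloudV2.json",
+"contentVersion": "1.0.0.0"
+},
+"parameters": {
+"Workspace": {
+"value": "[parameters('Workspace')]"
+},
+"WorkspaceRegion": {
+"value": "[parameters('WorkspaceRegion')]"
+}
+}
+}
+},
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -718,6 +738,26 @@
 }
 }
 },
+{
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2020-10-01",
+"name": "linkedvimWebSessionSalesforceServiceCloudV2",
+"properties": {
+"mode": "Incremental",
+"templateLink": {
+"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimWebSession/ARM/vimWebSessionSalesforceServiceCloudV2/vimWebSessionSalesforceServiceCloudV2.json",
+"contentVersion": "1.0.0.0"
+},
+"parameters": {
+"Workspace": {
+"value": "[parameters('Workspace')]"
+},
+"WorkspaceRegion": {
+"value": "[parameters('WorkspaceRegion')]"
+}
+}
+}
+},
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",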
