Azure-Sentinel
Azure-Sentinel copied to clipboard
Azure
Ubiquiti Unifi Parser
Describe the bug We have firewall logs coming through to sentinel but not all of the logs have "kernel;:" in them so are being missed by the parser.
To Reproduce Steps to reproduce the behavior:
- Go to Ubiquiti_CL table
- Search through logs for firewall logs
- Will have firewall logs that do not have kernel so will not appear whn using parser.
- Example format coming through in logs - does not have "kernel" so is not parsed using parser. 2025-11-10T07:58:56+00:00 network-name XXXX-999999] DESCR="no rule description" IN=br0 OUT= MAC=99:99:99:99:99:99:99:99:99:99:99:a9:9a:9a SRC=00.00.00.24 DST=999.999.999.999 LEN=32 TOS=00 PREC=0x00 TTL=64 ID=8761 DF PROTO=UDP SPT=33260 DPT=10002 LEN=12 MARK=1z0000
Expected behavior Firewall log will be parsed.
Screenshots
Additional context
Hello @katerobson08, thanks for flagging this issue. We will investigate this issue and get back to you with some updates. Thanks!
Updating the UbiquitiAuditEvent function in your workspace to the following parser logic should fix the issue (validated on UniFi Network v10.0.140):
let EventData = Ubiquiti_CL
| extend EventVendor = "Ubiquiti"
| extend Msg = trim(" ", replace_regex(Message, @"[\r\n\t]+", " ")) // flatten multi-line
| extend EventTime = extract(@"^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})", 1, Msg)
| extend Hostname = extract(@"^\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+([^\s]+)", 1, Msg)
| extend DvcType = iif(extract(@'\d+\:\d+\:\d+\s(\w+),[A-Fa-f0-9]{12}', 1, Msg) != "", extract(@'\d+\:\d+\:\d+\s(\w+),[A-Fa-f0-9]{12}', 1, Msg), extract(@'\d+\:\d+\:\d+\s[A-Fa-f0-9]{12},([A-Za-z-]+)-', 1, Msg))
| extend DvcMacAddr = coalesce(
tostring(replace(@'(:)$', @'', replace(@'(\w{2})', @'\1:', extract(@'([A-Fa-f0-9]{12}),', 1, Msg)))),
extract(@"([A-Fa-f0-9:]{17})", 1, Msg)
)
| extend FirmwareVersion = coalesce(
extract(@"[A-Fa-f0-9]{12},v(.*?):", 1, Msg),
extract(@"[A-Fa-f0-9]{12},[A-Za-z\-]+([\d\.\+]+)[:\s]", 1, Msg)
);
let ubiquiti_dropbear_events = () {
EventData
| where Msg has "dropbear"
| extend EventCategory = "dropbear"
| extend EventMessage = extract(@" dropbear\[\d+\]\:\s(.*)", 1, Msg)
| extend SrcIpAddr = extract(@"from (\d{1,3}(?:\.\d{1,3}){3})\:\d{1,5}", 1, Msg)
| extend SrcPortNumber = extract(@"from \d{1,3}(?:\.\d{1,3}){3}\:(\d{1,5})", 1, Msg)
};
let ubiquiti_hostapd_events = () {
EventData
| where Msg has "hostapd"
| extend EventCategory = "hostapd"
| extend WlanId = extract(@"hostapd:\s(\w+)", 1, Msg)
| extend SrcType = extract(@":\s(\w+)\s[A-Fa-f0-9:]{17}", 1, Msg)
| extend SrcMacAddr = extract(@":\s(\w+)\s([A-Fa-f0-9:]{17})", 2, Msg)
| extend DstMacAddr = extract(@"addr=([A-Fa-f0-9:]{17})", 1, Msg)
| extend Service = extract(@"[A-Fa-f0-9:]{17}\s(.+):", 2, Msg)
| extend EventMessage = extract(@"[A-Fa-f0-9:]{17}\s(.*):\s(.*)", 2, Msg)
};
let ubiquiti_kernel_fwlog = () {
EventData
| where Msg has "FWLOG:"
| extend EventCategory = "kernel"
| extend WifiIf = extract(@"\[(wifi\d)\]", 1, Msg)
| extend FwlogId = extract(@"FWLOG:\s\[(\d+)\]", 1, Msg)
| extend EventMessage = extract(@"FWLOG:\s\[\d+\]\s(.*)", 1, Msg)
};
let ubiquiti_firewall_events = () {
EventData
| where Msg has_all ("IN=", "OUT=", "PROTO=")
| extend EventCategory = "firewall"
| extend FlowId = extract(@"\bID=(\S+)\b", 1, Msg)
| extend DvcInboundInterface = extract(@"\bIN=(\S+)\b", 1, Msg)
| extend DvcOutboundInterface = extract(@"\bOUT=(\S+)\b", 1, Msg)
| extend RuleDescription = extract(@"DESCR=""([^""]*)""", 1, Msg)
| extend NetworkRuleName = coalesce(RuleDescription, extract(@"\[([^\]]+)\]", 1, Msg)) // e.g., POSTROUTING-SNAT-2
| extend EventMessage = extract(@"\[([^\]]+)\]", 1, Msg)
// --- Action mapping: handle A/D/R plus mid-tokens like RET/ACC/DROP ---
// --- Action mapping: NAT first, then allow/block/reject (RET treated as allowed) ---
| extend _ruleTok = extract(@"\[([^\]]+)\]", 1, Msg)
| extend _midTok = extract(@"^[^-]+-([A-Z_]+)-\d+$", 1, _ruleTok) // e.g., POSTROUTING-SNAT-2, WAN_OUT-RET-20000
| extend _descrNat = extract(@"DESCR=""([^""]*)""", 1, Msg) // e.g., DESCR="SNAT (temp): .133 -> .130"
| extend DvcAction = case(
_midTok == "SNAT" or (_descrNat has "SNAT"),
"snat",
_midTok == "DNAT" or (_descrNat has "DNAT"),
"dnat",
_midTok in ("MASQ", "MASQUERADE") or (_descrNat has "MASQ" or _descrNat has "MASQUERADE"),
"masquerade",
_midTok == "NETMAP" or (_descrNat has "NETMAP"),
"netmap",
_midTok in ("RET", "A", "ACC", "ALLOW", "ACCEPT"),
"allowed",
_midTok in ("D", "DROP", "DENY", "BLK", "BLOCK"),
"blocked",
_midTok in ("R", "REJ", "REJECT"),
"rejected",
"Other"
)
| extend DstMacAddr = extract(@"\bMAC=([A-Fa-f0-9:]{17}):", 1, Msg)
| extend SrcMacAddr = extract(@"\bMAC=[A-Fa-f0-9:]{17}:([A-Fa-f0-9:]{17})\b", 1, Msg)
| extend SrcIpAddr = extract(@"\bSRC=(\S+)\b", 1, Msg)
| extend SrcPortNumber = extract(@"\bSPT=(\S+)\b", 1, Msg)
| extend DstIpAddr = extract(@"\bDST=(\S+)\b", 1, Msg)
| extend DstPortNumber = extract(@"\bDPT=(\S+)\b", 1, Msg)
| extend InIface = DvcInboundInterface, OutIface = DvcOutboundInterface
| extend InVlan = extract(@"\.(\d+)$", 1, InIface)
| extend OutVlan = extract(@"\.(\d+)$", 1, OutIface)
| extend NetworkBytes = extract(@"\bLEN=(\S+)\b", 1, Msg)
| extend Tos = extract(@"\bTOS=(\S+)\b", 1, Msg)
| extend Prec = extract(@"\bPREC=(\S+)\b", 1, Msg)
| extend Ttl = extract(@"\bTTL=(\S+)\b", 1, Msg)
| extend DF = iif(Msg has " DF ", "DF", "")
| extend NetworkProtocol = extract(@"\bPROTO=(\S+)\b", 1, Msg)
| extend TcpFlags = trim(
"|",
strcat(
iif(Msg has " SYN ", "SYN|", ""),
iif(Msg has " ACK ", "ACK|", ""),
iif(Msg has " FIN ", "FIN|", ""),
iif(Msg has " RST ", "RST|", "")
)
)
| extend Seq = extract(@"\bSEQ=(\d+)\b", 1, Msg)
| extend Ack = extract(@"\bACK=(\d+)\b", 1, Msg)
| extend Window = extract(@"\bWINDOW=(\S+)\b", 1, Msg)
| extend Res = extract(@"\bRES=(\S+)\b", 1, Msg)
| extend Mark = extract(@"\bMARK=(\S+)\b", 1, Msg)
};
let ubiquiti_dns_timeout_events = () {
EventData
| where Msg has "DNS request timed out"
| extend EventCategory = "dnstimeout"
| extend EventMessage = "DNS request timed out"
| extend SrcType = extract(@"\[(\w+):\s[A-Fa-f0-9:]{17}\]", 1, Msg)
| extend DvcMacAddr = extract(@"\[\w+:\s([A-Fa-f0-9:]{17})\]", 1, Msg)
| extend DnsQuery = extract(@"QUERY:(.*?)\]", 1, Msg)
| extend DnsServer = extract(@"DNS_SERVER\s?:(.*?)\]", 1, Msg)
};
let ubiquiti_stahtd_events = () {
EventData
| where Msg has "stahtd"
| extend EventCategory = extract(@"""message_type"":""(.*?)""", 1, Msg)
| extend SrcDvcMacAddr = extract(@"""mac"":""(.*?)""", 1, Msg)
| extend WlanId = extract(@"""vap"":""(.*?)""", 1, Msg)
| extend AssocStatus = extract(@"""assoc_status"":""(.*?)""", 1, Msg)
| extend EventResult = extract(@"""event_type"":""(.*?)""", 1, Msg)
| extend EventMessage = extract(@"\}\s-\s(.*)", 1, Msg)
};
let ubiquiti_EVT_AP_STA_ASSOC_TRACKER_DBG = () {
EventData
| where Msg has "EVT_AP_STA_ASSOC_TRACKER_DBG"
| extend EventCategory = "libubnt"
| extend WlanId = extract(@"vap:\s(.*?)", 1, Msg)
| extend SrcMacAddr = extract(@"sta_mac:\s(.*?)", 1, Msg)
| extend EventResult = extract(@"event_type:\s(.*)", 1, Msg)
| extend EventMessage = "Client failed to associate with an AP"
};
let ubiquiti_EVENT_STA_ = () {
EventData
| where Msg has "EVENT_STA_"
| extend EventCategory = "libubnt"
| extend WlanId = extract(@"EVENT_STA_(JOIN|LEAVE|IP)\s(\w+):", 2, Msg)
| extend DvcAction = extract(@"EVENT_STA_(JOIN|LEAVE|IP)", 1, Msg)
| extend EventMessage = case(DvcAction == "JOIN", "Client joined AP", DvcAction == "LEAVE", "Client disconnected from AP", "Client IP info")
| extend SrcMacAddr = extract(@":\s([A-Fa-f0-9:]{17})", 1, Msg)
| extend SrcIpAddr = extract(@"\/\s(\d{1,3}(?:\.\d{1,3}){3})", 1, Msg)
};
let ubiquiti_syswrapper_events = () {
EventData
| where Msg has "syswrapper"
| extend EventCategory = "syswrapper"
| extend EventMessage = extract(@"syswrapper:\s(.*)", 1, Msg)
};
let ubiquiti_logread_events = () {
EventData
| where Msg has "logread"
| extend EventCategory = "logread"
| extend DstIpAddr = extract(@"to\s(\d{1,3}(?:\.\d{1,3}){3})", 1, Msg)
| extend DstPortNumber = extract(@"\d{1,3}(?:\.\d{1,3}){3}:(\d{1,5})", 1, Msg)
| extend EventMessage = extract(@"logread\[\d+\]:\s(.*)", 1, Msg)
};
let ubiquiti_stamgr_events = () {
EventData
| where Msg has "stamgr"
| extend EventCategory = "stamgr"
| extend DstMacAddr = extract(@"\s([A-Fa-f0-9:]{17})", 1, Msg)
| extend WlanId = extract(@"\s[A-Fa-f0-9:]{17}\s(\S+)", 1, Msg)
| extend EventMessage = extract(@"stamgr:(.*?)\(", 1, Msg)
| extend EventResultDetails = extract(@"reason:(.*?)\)", 1, Msg)
};
let ubiquiti_kernel_events = () {
EventData
| where Msg has "kernel" and (Msg has "FWLOG" or Msg has "_set_ratelimit")
| extend EventCategory = "kernel"
| extend EventMessage = case(
Msg matches regex "kernel.*FWLOG",
extract(@"FWLOG:\s\[\d+\]\s(.*)", 1, Msg),
Msg matches regex "kernel.*_set_ratelimit",
extract(@"_set_ratelimit:\s(.*)", 1, Msg),
"Check raw_message for details"
)
};
let ubiquiti_dns_events = () {
EventData
| where Msg matches regex @"dnsmasq\[\d+\]:"
| extend EventCategory = "dns"
| extend DstMacAddr = extract(@"MAC=([A-Fa-f0-9:]{17}):", 1, Msg)
| extend SrcMacAddr = extract(@"MAC=[A-Fa-f0-9:]{17}:([A-Fa-f0-9:]{17})\b", 1, Msg)
| extend DnsQuery = coalesce(extract(@"dnsmasq\[\d+\]:\s(.*?)\[\w+\]", 1, Msg), extract(@"\s(\S+)\sfrom\s\d{1,3}(?:\.\d{1,3}){3}", 1, Msg))
| extend SrcIpAddr = extract(@"\bfrom\s(\d{1,3}(?:\.\d{1,3}){3})", 1, Msg)
};
union isfuzzy=true
ubiquiti_kernel_fwlog,
ubiquiti_firewall_events,
ubiquiti_dns_timeout_events,
ubiquiti_stahtd_events,
ubiquiti_EVT_AP_STA_ASSOC_TRACKER_DBG,
ubiquiti_EVENT_STA_,
ubiquiti_syswrapper_events,
ubiquiti_logread_events,
ubiquiti_stamgr_events,
ubiquiti_kernel_events,
ubiquiti_dns_events
| project
TimeGenerated,
EventVendor,
EventTime,
EventCategory,
Hostname,
DvcType,
DvcMacAddr,
FirmwareVersion,
EventMessage,
WlanId,
SrcType,
WifiIf,
FwlogId,
FlowId,
DvcInboundInterface,
DvcOutboundInterface,
DvcAction,
NetworkRuleName,
SrcMacAddr,
SrcIpAddr,
SrcPortNumber,
DstMacAddr,
DstIpAddr,
DstPortNumber,
NetworkBytes,
Tos,
Prec,
Ttl,
DF,
NetworkProtocol,
TcpFlags,
Seq,
Ack,
Window,
Res,
Mark,
DnsQuery,
DnsServer,
SrcDvcMacAddr,
AssocStatus,
EventResult,
EventResultDetails,
Message,
Msg
Hello @katerobson08, I’m sharing two queries for you to test and verify whether they also include logs where the substring "kernel" is missing.
Additionally, please check the query shared by @genecrouch4 — thank you, @genecrouch4, for your valuable input.
Once you’ve tested all the queries, please provide your confirmation. Thanks!
FunctionQuery 1:
let EventData = Ubiquiti_CL
| extend EventVendor = 'Ubiquiti'
| extend EventTime = extract(@'\<\d+\>(\w+\s+\w+\s+\d+:\d+:\d+)\s\w+,', 1, Message)
| extend DvcType = iif(extract(@'\d+\:\d+\:\d+\s(\w+),[A-Fa-f0-9]{12}', 1, Message)!="", extract(@'\d+\:\d+\:\d+\s(\w+),[A-Fa-f0-9]{12}', 1, Message), extract(@'\d+\:\d+\:\d+\s[A-Fa-f0-9]{12},([A-Za-z-]+)-', 1, Message))
| extend DvcMacAddr = replace(@'(:)$', @'', replace(@'(\w{2})', @'\1:', extract(@'([A-Fa-f0-9]{12}),' , 1, Message)))
| extend FirmwareVersion = iif(extract(@'[A-Fa-f0-9]{12},v(.*?)\:', 1, Message)!="", extract(@'[A-Fa-f0-9]{12},v(.*?)\:', 1, Message), extract(@'[A-Fa-f0-9]{12},[A-Za-z-]+([\d\.\+]+)[\:\s]', 1, Message));
let ubiquiti_dropbear_events =() {
EventData
| where Message contains 'dropbear'
| extend EventCategory = 'dropbear'
| extend EventMessage = extract(@' dropbear\[\d+\]\:\s(.*)', 1, Message)
| extend SrcIpAddr = extract(@'from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:\d{1,5}', 1, Message)
| extend SrcPortNumber = extract(@'from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d{1,5})', 1, Message)
};
let ubiquiti_hostapd_events =() {
EventData
| where Message contains 'hostapd'
| extend EventCategory = 'hostapd'
| extend WlanId = extract(@'hostapd:\s(\w+)', 1, Message)
| extend SrcType = extract(@':\s(\w+)\s[A-Fa-f0-9:]{17}', 1, Message)
| extend SrcMacAddr = extract(@':\s(\w+)\s([A-Fa-f0-9:]{17})', 2, Message)
| extend DstMacAddr = extract(@'addr=([a-fA-F0-9:]{17})', 1, Message)
| extend Service = extract(@'[A-Fa-f0-9:]{17}\s(.+):', 2, Message)
| extend EventMessage = extract(@'[A-Fa-f0-9:]{17}\s(.*):\s(.*)', 2, Message)
};
let ubiquiti_firewall_events =() {
EventData
| where Message matches regex @'(kernel:\s+\[.+\]\s+)?IN=\w+\s+OUT=\w+\s+'
| extend EventCategory = 'firewall'
| extend FlowId = extract(@'ID=(.*?)\s', 1, Message)
| extend DvcInboundInterface = extract(@'IN=(.*?)\s', 1, Message)
| extend DvcOutboundInterface = extract(@'OUT=(.*?)\s', 1, Message)
| extend dvc_action = extract(@'kernel:\s+\[\S+-(\w)\]', 1, Message)
| extend DvcAction = case(dvc_action == "A", "Accepted",
dvc_action == "B", "Blocked",
dvc_action == "R", "Rejected",
"Other")
| extend NetworkRuleName = extract(@'kernel:\s+\[(\S+)-\w\]', 1, Message)
| extend DstMacAddr = extract(@'MAC=([a-fA-F0-9:]{17}):', 1, Message)
| extend SrcMacAddr = extract(@'MAC=[a-fA-F0-9:]{17}:([a-fA-F0-9:]{17})\s', 1, Message)
| extend SrcIpAddr = extract(@'SRC=(.*?)\s', 1, Message)
| extend SrcPortNumber = extract(@'SPT=(.*?)\s', 1, Message)
| extend DstIpAddr = extract(@'DST=(.*?)\s', 1, Message)
| extend DstPortNumber = extract(@'DPT=(.*?)\s', 1, Message)
| extend NetworkBytes = extract(@'LEN=(.*?)\s', 1, Message)
| extend Tos = extract(@'TOS=(.*?)\s', 1, Message)
| extend Prec = extract(@'PREC=(.*?)\s', 1, Message)
| extend Ttl = extract(@'TTL=(.*?)\s', 1, Message)
| extend NetworkProtocol = extract(@'PROTO=(.*?)\s', 1, Message)
| extend Window = extract(@'WINDOW=(.*?)\s', 1, Message)
| extend Res = extract(@'RES=(.*?)\s', 1, Message)
| extend Mark = extract(@'MARK=(.*?)\s', 1, Message)
};
let ubiquiti_dns_timeout_events =() {
EventData
| where Message contains "DNS request timed out"
| extend EventCategory = 'dnstimeout'
| extend EventMessage = 'DNS request timed out'
| extend SrcType = extract(@'\[(\w+):\s[a-fA-F0-9:]{17}\]', 1, Message)
| extend DvcMacAddr = extract(@'\[\w+:\s([a-fA-F0-9:]{17})\]', 1, Message)
| extend DnsQuery = extract(@'QUERY:(.*?)\]', 1, Message)
| extend DnsServer = extract(@'DNS_SERVER\s?:(.*?)\]', 1, Message)
};
let ubiquiti_stahtd_events =() {
EventData
| where Message contains 'stahtd'
| extend EventCategory = extract(@'\"message_type\":\"(.*?)\"', 1, Message)
| extend SrcDvcMacAddr = extract(@'\"mac\":\"(.*?)\"', 1, Message)
| extend WlanId = extract(@'\"vap\":\"(.*?)\"', 1, Message)
| extend AssocStatus = extract(@'\"assoc_status\":\"(.*?)\"', 1, Message)
| extend EventResult = extract(@'\"event_type\":\"(.*?)\"', 1, Message)
| extend EventMessage = extract(@'\}\s-\s(.*)', 1, Message)
};
let ubiquiti_EVT_AP_STA_ASSOC_TRACKER_DBG =() {
EventData
//| where Message contains 'libubnt'
| where Message contains 'EVT_AP_STA_ASSOC_TRACKER_DBG'
| extend EventCategory = 'libubnt'
| extend WlanId = extract(@'vap:\s(.*?)', 1, Message)
| extend SrcMacAddr = extract(@'sta_mac:\s(.*?)', 1, Message)
| extend EventResult = extract(@'event_type:\s(.*)', 1, Message)
| extend EventMessage = 'Client failed to associate with an AP'
};
let ubiquiti_EVENT_STA_ =() {
EventData
//| where Message contains 'libubnt'
| where Message contains 'EVENT_STA_'
| extend EventCategory = 'libubnt'
| extend WlanId = extract(@'EVENT_STA_(JOIN|LEAVE|IP)\s(\w+):', 2, Message)
| extend DvcAction = extract(@'EVENT_STA_(JOIN|LEAVE|IP)', 1, Message)
| extend EventMessage = case(DvcAction == 'JOIN', 'Client joined AP',
DvcAction == 'LEAVE', 'Client disconnected from AP',
'Client IP info')
| extend SrcMacAddr = extract(@':\s([A-Fa-f0-9:]{17})', 1, Message)
| extend SrcIpAddr = extract(@'\/\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, Message)
};
let ubiquiti_syswrapper_events =() {
EventData
| where Message contains 'syswrapper'
| extend EventCategory = 'syswrapper'
| extend EventMessage = extract(@'syswrapper:\s(.*)', 1, Message)
};
let ubiquiti_logread_events =() {
EventData
| where Message contains 'logread'
| extend EventCategory = 'logread'
| extend DstIpAddr = extract(@'to\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, Message)
| extend DstPortNumber = extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:(\d{1,5})', 1, Message)
| extend EventMessage = extract(@'logread\[\d+\]:\s(.*)', 1, Message)
};
let ubiquiti_stamgr_events =() {
EventData
| where Message contains'stamgr'
| extend EventCategory = 'stamgr'
| extend DstMacAddr = extract(@'\s([A-Fa-f0-9:]{17})', 1, Message)
| extend WlanId = extract(@'\s[A-Fa-f0-9:]{17}\s(\S+)', 1, Message)
| extend EventMessage = extract(@'stamgr:(.*?)\(', 1, Message)
| extend EventResultDetails = extract(@'reason:(.*?)\)', 1, Message)
};
let ubiquiti_kernel_events =() {
EventData
| where Message contains 'kernel'
| where Message contains 'FWLOG' or Message contains 'set_ratelimit'
| extend EventCategory = 'kernel'
| extend EventMessage = case(Message matches regex "kernel.*FWLOG", extract(@'FWLOG:\s\[\d+\]\s(.*)', 1, Message),
Message matches regex "kernel.*_set_ratelimit", extract(@'_set_ratelimit:\s(.*)', 1, Message),
"Check raw_message for details")
};
let ubiquiti_dns_events =() {
EventData
| where Message matches regex @'dnsmasq\[\d+\]:'
| extend DstMacAddr = extract(@'MAC=([a-fA-F0-9:]{17}):', 1, Message)
| extend SrcMacAddr = extract(@'MAC=[a-fA-F0-9:]{17}:([a-fA-F0-9:]{17})\s', 1, Message)
| extend DnsQuery = extract(@'dnsmasq\[\d+\]:\s(.*?)\[\w+\]|\s(\S+)\sfrom\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', 2, Message)
| extend SrcIpAddr = extract(@'dnsmasq\[\d+\]:\s(.*?)\[\w+\]|\s(.*?)from\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 3, Message)
};
union isfuzzy=true ubiquiti_dropbear_events, ubiquiti_hostapd_events, ubiquiti_firewall_events, ubiquiti_dns_timeout_events, ubiquiti_stahtd_events, ubiquiti_EVT_AP_STA_ASSOC_TRACKER_DBG, ubiquiti_EVENT_STA_, ubiquiti_syswrapper_events, ubiquiti_logread_events, ubiquiti_stamgr_events, ubiquiti_kernel_events, ubiquiti_dns_events
| project TimeGenerated
, EventVendor
, EventTime
, EventCategory
, DvcType
, DvcMacAddr
, FirmwareVersion
, EventMessage
, WlanId
, SrcType
, Service
, FlowId
, DvcInboundInterface
, DvcOutboundInterface
, DvcAction
, NetworkRuleName
, SrcMacAddr
, SrcIpAddr
, SrcPortNumber
, DstMacAddr
, DstIpAddr
, DstPortNumber
, NetworkBytes
, Tos
, Prec
, Ttl
, NetworkProtocol
, Window
, Res
, Mark
, DnsQuery
, DnsServer
, SrcDvcMacAddr
, AssocStatus
, EventResult
, EventResultDetails
, Message
FunctionQuery 2:
let EventData = Ubiquiti_CL
| extend EventVendor = 'Ubiquiti'
| extend EventTime = extract(@'\<\d+\>(\w+\s+\w+\s+\d+:\d+:\d+)\s\w+,', 1, Message)
| extend DvcType = iif(extract(@'\d+\:\d+\:\d+\s(\w+),[A-Fa-f0-9]{12}', 1, Message)!="", extract(@'\d+\:\d+\:\d+\s(\w+),[A-Fa-f0-9]{12}', 1, Message), extract(@'\d+\:\d+\:\d+\s[A-Fa-f0-9]{12},([A-Za-z-]+)-', 1, Message))
| extend DvcMacAddr = replace(@'(:)$', @'', replace(@'(\w{2})', @'\1:', extract(@'([A-Fa-f0-9]{12}),' , 1, Message)))
| extend FirmwareVersion = iif(extract(@'[A-Fa-f0-9]{12},v(.*?)\:', 1, Message)!="", extract(@'[A-Fa-f0-9]{12},v(.*?)\:', 1, Message), extract(@'[A-Fa-f0-9]{12},[A-Za-z-]+([\d\.\+]+)[\:\s]', 1, Message));
let ubiquiti_dropbear_events =() {
EventData
| where Message contains 'dropbear'
| extend EventCategory = 'dropbear'
| extend EventMessage = extract(@' dropbear\[\d+\]\:\s(.*)', 1, Message)
| extend SrcIpAddr = extract(@'from (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\:\d{1,5}', 1, Message)
| extend SrcPortNumber = extract(@'from \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:(\d{1,5})', 1, Message)
};
let ubiquiti_hostapd_events =() {
EventData
| where Message contains 'hostapd'
| extend EventCategory = 'hostapd'
| extend WlanId = extract(@'hostapd:\s(\w+)', 1, Message)
| extend SrcType = extract(@':\s(\w+)\s[A-Fa-f0-9:]{17}', 1, Message)
| extend SrcMacAddr = extract(@':\s(\w+)\s([A-Fa-f0-9:]{17})', 2, Message)
| extend DstMacAddr = extract(@'addr=([a-fA-F0-9:]{17})', 1, Message)
| extend Service = extract(@'[A-Fa-f0-9:]{17}\s(.+):', 2, Message)
| extend EventMessage = extract(@'[A-Fa-f0-9:]{17}\s(.*):\s(.*)', 2, Message)
};
let ubiquiti_firewall_events =() {
EventData
| where Message matches regex @'kernel:\s+\[.+\]\s+IN=\w+\s+OUT=\w+\s+' or Message matches regex @'IN=\w+\s+OUT=\w+\s+'
| extend EventCategory = 'firewall'
| extend FlowId = extract(@'ID=(.*?)\s', 1, Message)
| extend DvcInboundInterface = extract(@'IN=(.*?)\s', 1, Message)
| extend DvcOutboundInterface = extract(@'OUT=(.*?)\s', 1, Message)
| extend dvc_action = extract(@'kernel:\s+\[\S+-(\w)\]', 1, Message)
| extend DvcAction = case(dvc_action == "A", "Accepted",
dvc_action == "B", "Blocked",
dvc_action == "R", "Rejected",
"Other")
| extend NetworkRuleName = extract(@'kernel:\s+\[(\S+)-\w\]', 1, Message)
| extend DstMacAddr = extract(@'MAC=([a-fA-F0-9:]{17}):', 1, Message)
| extend SrcMacAddr = extract(@'MAC=[a-fA-F0-9:]{17}:([a-fA-F0-9:]{17})\s', 1, Message)
| extend SrcIpAddr = extract(@'SRC=(.*?)\s', 1, Message)
| extend SrcPortNumber = extract(@'SPT=(.*?)\s', 1, Message)
| extend DstIpAddr = extract(@'DST=(.*?)\s', 1, Message)
| extend DstPortNumber = extract(@'DPT=(.*?)\s', 1, Message)
| extend NetworkBytes = extract(@'LEN=(.*?)\s', 1, Message)
| extend Tos = extract(@'TOS=(.*?)\s', 1, Message)
| extend Prec = extract(@'PREC=(.*?)\s', 1, Message)
| extend Ttl = extract(@'TTL=(.*?)\s', 1, Message)
| extend NetworkProtocol = extract(@'PROTO=(.*?)\s', 1, Message)
| extend Window = extract(@'WINDOW=(.*?)\s', 1, Message)
| extend Res = extract(@'RES=(.*?)\s', 1, Message)
| extend Mark = extract(@'MARK=(.*?)\s', 1, Message)
};
let ubiquiti_dns_timeout_events =() {
EventData
| where Message contains "DNS request timed out"
| extend EventCategory = 'dnstimeout'
| extend EventMessage = 'DNS request timed out'
| extend SrcType = extract(@'\[(\w+):\s[a-fA-F0-9:]{17}\]', 1, Message)
| extend DvcMacAddr = extract(@'\[\w+:\s([a-fA-F0-9:]{17})\]', 1, Message)
| extend DnsQuery = extract(@'QUERY:(.*?)\]', 1, Message)
| extend DnsServer = extract(@'DNS_SERVER\s?:(.*?)\]', 1, Message)
};
let ubiquiti_stahtd_events =() {
EventData
| where Message contains 'stahtd'
| extend EventCategory = extract(@'\"message_type\":\"(.*?)\"', 1, Message)
| extend SrcDvcMacAddr = extract(@'\"mac\":\"(.*?)\"', 1, Message)
| extend WlanId = extract(@'\"vap\":\"(.*?)\"', 1, Message)
| extend AssocStatus = extract(@'\"assoc_status\":\"(.*?)\"', 1, Message)
| extend EventResult = extract(@'\"event_type\":\"(.*?)\"', 1, Message)
| extend EventMessage = extract(@'\}\s-\s(.*)', 1, Message)
};
let ubiquiti_EVT_AP_STA_ASSOC_TRACKER_DBG =() {
EventData
//| where Message contains 'libubnt'
| where Message contains 'EVT_AP_STA_ASSOC_TRACKER_DBG'
| extend EventCategory = 'libubnt'
| extend WlanId = extract(@'vap:\s(.*?)', 1, Message)
| extend SrcMacAddr = extract(@'sta_mac:\s(.*?)', 1, Message)
| extend EventResult = extract(@'event_type:\s(.*)', 1, Message)
| extend EventMessage = 'Client failed to associate with an AP'
};
let ubiquiti_EVENT_STA_ =() {
EventData
//| where Message contains 'libubnt'
| where Message contains 'EVENT_STA_'
| extend EventCategory = 'libubnt'
| extend WlanId = extract(@'EVENT_STA_(JOIN|LEAVE|IP)\s(\w+):', 2, Message)
| extend DvcAction = extract(@'EVENT_STA_(JOIN|LEAVE|IP)', 1, Message)
| extend EventMessage = case(DvcAction == 'JOIN', 'Client joined AP',
DvcAction == 'LEAVE', 'Client disconnected from AP',
'Client IP info')
| extend SrcMacAddr = extract(@':\s([A-Fa-f0-9:]{17})', 1, Message)
| extend SrcIpAddr = extract(@'\/\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, Message)
};
let ubiquiti_syswrapper_events =() {
EventData
| where Message contains 'syswrapper'
| extend EventCategory = 'syswrapper'
| extend EventMessage = extract(@'syswrapper:\s(.*)', 1, Message)
};
let ubiquiti_logread_events =() {
EventData
| where Message contains 'logread'
| extend EventCategory = 'logread'
| extend DstIpAddr = extract(@'to\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, Message)
| extend DstPortNumber = extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:(\d{1,5})', 1, Message)
| extend EventMessage = extract(@'logread\[\d+\]:\s(.*)', 1, Message)
};
let ubiquiti_stamgr_events =() {
EventData
| where Message contains'stamgr'
| extend EventCategory = 'stamgr'
| extend DstMacAddr = extract(@'\s([A-Fa-f0-9:]{17})', 1, Message)
| extend WlanId = extract(@'\s[A-Fa-f0-9:]{17}\s(\S+)', 1, Message)
| extend EventMessage = extract(@'stamgr:(.*?)\(', 1, Message)
| extend EventResultDetails = extract(@'reason:(.*?)\)', 1, Message)
};
let ubiquiti_kernel_events =() {
EventData
| where Message contains 'kernel'
| where Message contains 'FWLOG' or Message contains 'set_ratelimit'
| extend EventCategory = 'kernel'
| extend EventMessage = case(Message matches regex "kernel.*FWLOG", extract(@'FWLOG:\s\[\d+\]\s(.*)', 1, Message),
Message matches regex "kernel.*_set_ratelimit", extract(@'_set_ratelimit:\s(.*)', 1, Message),
"Check raw_message for details")
};
let ubiquiti_dns_events =() {
EventData
| where Message matches regex @'dnsmasq\[\d+\]:'
| extend DstMacAddr = extract(@'MAC=([a-fA-F0-9:]{17}):', 1, Message)
| extend SrcMacAddr = extract(@'MAC=[a-fA-F0-9:]{17}:([a-fA-F0-9:]{17})\s', 1, Message)
| extend DnsQuery = extract(@'dnsmasq\[\d+\]:\s(.*?)\[\w+\]|\s(\S+)\sfrom\s\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', 2, Message)
| extend SrcIpAddr = extract(@'dnsmasq\[\d+\]:\s(.*?)\[\w+\]|\s(.*?)from\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 3, Message)
};
union isfuzzy=true ubiquiti_dropbear_events, ubiquiti_hostapd_events, ubiquiti_firewall_events, ubiquiti_dns_timeout_events, ubiquiti_stahtd_events, ubiquiti_EVT_AP_STA_ASSOC_TRACKER_DBG, ubiquiti_EVENT_STA_, ubiquiti_syswrapper_events, ubiquiti_logread_events, ubiquiti_stamgr_events, ubiquiti_kernel_events, ubiquiti_dns_events
| project TimeGenerated
, EventVendor
, EventTime
, EventCategory
, DvcType
, DvcMacAddr
, FirmwareVersion
, EventMessage
, WlanId
, SrcType
, Service
, FlowId
, DvcInboundInterface
, DvcOutboundInterface
, DvcAction
, NetworkRuleName
, SrcMacAddr
, SrcIpAddr
, SrcPortNumber
, DstMacAddr
, DstIpAddr
, DstPortNumber
, NetworkBytes
, Tos
, Prec
, Ttl
, NetworkProtocol
, Window
, Res
, Mark
, DnsQuery
, DnsServer
, SrcDvcMacAddr
, AssocStatus
, EventResult
, EventResultDetails
, Message
Hi, thanks for the quick response.
Query provided by @genecrouch4 works:
Query 1 - didn't work (where Message matches regex @'(kernel:\s+[.+]\s+)?IN=\w+\s+OUT=\w+\s+')
Query 2 - didn't work(| where Message matches regex @'kernel:\s+[.+]\s+IN=\w+\s+OUT=\w+\s+' or Message matches regex @'IN=\w+\s+OUT=\w+\s+')
Hi, I am facing the same issue, where firewall events are being missed. Do you know when this update will be available in the Content Hub? Or do we have to manually update the function?
