Azure-Sentinel
Added SonicWall ASIM Web Session parser
Change(s):
- Added SonicWall Firewall Web Session parser.
Reason for Change(s):
- Submitting parsers and other content to the repository.
Version Updated:
- No?
- New ASIM parser submission.
Testing Completed:
- Yes
Checked that the validations are passing and have addressed any issues that are present:
- Yes. There are some minor errors with expected strings (such as the vendor) that were not in the source data used by the ASIM tester.
Hello, I was trying to figure out why there was validation failure. I was clicking around but haven't found a clear issue on my end. I'd like some help clarifying if I need to make adjustments to the files. Thanks!
Hi @jaimeesc, validations are cleared now. Thanks
Hi, I was just wondering what happens next and how soon we would see a response on this PR. Unfortunately, it is holding up another PR. They all go together, but I was asked to split them into separate PRs. Thanks.
@jaimeesc I'll perform the initial review and provide comments by end of this week.
Thank you so much!
Hi @jaimeesc, There are some changes that Varun has suggested, please take a look at them. Thanks
Hi @jaimeesc, @vakohl has suggested some changes, please check them out. Thanks
Hi @jaimeesc, Please look into the open comments. Thanks
Working on the Network Session parser changes before I get to this one. The items I'm trying to clarify on the other PR will help in this one too. Thanks.
Can you please help me understand what failed in imWebSession.yaml?
2024-01-26T23:48:23.4497478Z Error Message:
2024-01-26T23:48:23.4498223Z Template Id: imWebSession is not valid in Line: 40 col: 239
2024-01-26T23:48:23.4500072Z Errors: The argument name does not refer to a declared parameter., Code: 'KS196', Severity: 'Error', Location: '6907..6928',Expected: ), Code: 'KS005', Severity: 'Error', Location: '7072..7072'
2024-01-26T23:48:23.4500515Z Expected: True
2024-01-26T23:48:23.4500737Z Actual: False
2024-01-26T23:48:23.4500891Z Stack Trace:
2024-01-26T23:48:23.4501233Z at Kqlvalidations.Tests.KqlValidationTests.ValidateKql(String id, String queryStr, Boolean ignoreNoTabularExpressionError) in /home/vsts/work/1/s/.script/tests/KqlvalidationsTests/KqlValidationTests.cs:line 461
2024-01-26T23:48:23.4501710Z at Kqlvalidations.Tests.KqlValidationTests.Validate_ParsersFunctions_HaveValidKql(String fileName, String encodedFilePath) in /home/vsts/work/1/s/.script/tests/KqlvalidationsTests/KqlValidationTests.cs:line 282
2024-01-26T23:48:24.9623982Z Results File: /home/vsts/work/_temp/_fv-az114-378_2024-01-26_23_48_21.trx
2024-01-26T23:48:24.9625724Z
2024-01-26T23:48:24.9685363Z Failed! - Failed: 1, Passed: 13, Skipped: 0, Total: 14, Duration: 4 s - /home/vsts/work/1/s/.script/tests/KqlvalidationsTests/bin/Release/net6.0/Kqlvalidations.Tests.dll (net6.0)
@jaimeesc Can you please try keeping 4 parentheses at the end of the SonicWall entry?
Hi @jaimeesc, Please check comments above from @vakohl and act accordingly. Thanks
Hi, thank you for the follow up. I am working on the changes and plan to have them done this week. Sorry for the delays from my end.
Hi @jaimeesc, Can we schedule a call to discuss a few changes on this PR? My Email: [email protected] Could you please share your email ID? I will then send you an invitation link. Please note that we are working in the IST timezone.
Absolutely. My email is [email protected]. I'm on Mountain time, just FYI.
@jaimeesc I think the changes in Network Parser can be applied in Web as well. Let's first try closing the Network PR, then I'll have another check at this PR.
The Network Session parser has been approved. I will push updates to this PR soon.
Validation passed. If there's any issue with the ASimTester CSV file, please note that the Network Session parser's PR contains the necessary changes for the Web Session parser.
@jaimeesc Is this PR ready for review?
I saw some updated comments on the Network Session parser, so maybe not. I will review the new comments and update the Web Session parser again after updating the Network Session parser.
@jaimeesc Is this parser ready for review?
I'll update this PR today.
This should be ready for review. Hopefully ASimWebSession.yaml and imWebSession.yaml are okay. The updates to the ASimTester.csv were in the PR for the Network Session parser, so we should be good.
Thanks @jaimeesc, we will look into this.
Hello, just wondering if any changes are needed from my side. Thanks!
Hi @jaimeesc, Please work on changes suggested by @vakohl. Thanks
Just keeping you in the loop: I'm working on these changes. I'll update the PR soon.
Please take a look at the files below to confirm they look okay:
- Parsers/ASimWebSession/Parsers/ASimWebSession.yaml
- Parsers/ASimWebSession/Parsers/imWebSession.yaml
I synchronized my master branch and merged it into the websession branch. There were no conflicts or anything to resolve. Hopefully the files appear as they should.
@jaimeesc Thank you for your efforts in adding two new parsers for SonicWall Firewall that would result in making Microsoft Sentinel better. FYI, the SonicWall Firewall Network Parser is published and live now; you should be seeing it in all LA workspaces. We'll have this WebSession parser also published soon. Once again, a big thank you.