forked from Azure/Azure-Sentinel
-
Notifications
You must be signed in to change notification settings - Fork 1
/
squid_parser.txt
25 lines (25 loc) · 1.65 KB
/
squid_parser.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
// KQL Squid Access Logs Parser
// Last Updated Date: July 11, 2019
// Squid version 4.7
//
// Parser Notes:
// 1. This parser works against the above mentioned squid version, it may need updates if squid is updated with new events or schema changes.
// 2. This parser presumes that squid access logs are being logged to system syslog rather than being collected as a custom log source.
// 3. This parser does not parse every field in the squid access logs but instead parsers those fields most applicable to security analysis
// 4. This query parser the default squid log format is being used.
//
// Usage Instruction :
// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias (e.g. squid_parser).
// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/functions
//
//
Syslog
| where ProcessName contains "squid"
| extend URL = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :]*)",3,SyslogMessage),
SourceIP = extract("([0-9]+ )(([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3}))",2,SyslogMessage),
Status = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))",1,SyslogMessage),
HTTP_Status_Code = extract("(TCP_(([A-Z]+)(_[A-Z]+)*)|UDP_(([A-Z]+)(_[A-Z]+)*))/([0-9]{3})",8,SyslogMessage),
User = extract("(CONNECT |GET )([^ ]* )([^ ]+)",3,SyslogMessage),
RemotePort = extract("(CONNECT |GET )([^ ]*)(:)([0-9]*)",4,SyslogMessage),
Domain = extract("(([A-Z]+ [a-z]{4,5}:\\/\\/)|[A-Z]+ )([^ :\\/]*)",3,SyslogMessage)
| extend TLD = extract("\\.[a-z]*$",0,Domain)