Fortinet FortiGate WebSession Parsers Parsing Fix & Additions

[t-pol]

Required items, please complete

Change(s):

• Update kql ASimWebSessionFortinetFortiGate.yaml
• Update kql vimWebSessionFortinetFortiGate.yaml

Reason for Change(s):

• When there is no User Agent string in AdditionalExtensions, the parsing of HttpRequestMethod fails.
  Incorrect parsing of HttpRequestMethod and HttpUserAgent.
  

• Adding NetworkApplicationProtocol field in the project-rename. (Optional field in the parser, but it exists in FortiGate logs)

Testing Completed:

• Yes

Checked that the validations are passing and have addressed any issues that are present:

• No

[t-pol]

@microsoft-github-policy-service agree

[v-atulyadav]

Hi @t-pol,
PR is having validation failures please check. Thanks

[v-atulyadav]

Hi @t-pol,
Please investigate the failed validations. Thanks

[t-pol]

The issues have been fixed. Thanks

[v-atulyadav]

Thanks @t-pol.

[t-pol]

Hello, is there any feedback regarding the parser ?

[Alekhya0824]

can you please add tester files after testing
this is the documentation to add schema tester and data tester https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#test-parsers
These schema tester and data tester files can add under Tests files

[v-atulyadav]

Hi @t-pol, please check above comments from @Alekhya0824 and act accordingly. Thanks

[v-atulyadav]

Hi @t-pol,
Please respond on above asks. Thanks

[v-atulyadav]

Hi @t-pol,
We are keen to hear any updates concerning this PR. Thanks

[v-atulyadav]

Hi @t-pol,
We are anticipating an update concerning this PR. Thanks

[v-atulyadav]

Hi @t-pol,
We would appreciate any updates regarding this PR. Thanks

[v-atulyadav]

Hi @t-pol,
We wanted to check on the status of PR #10865. PR is pending for more than 30 days. Please let us know if you need any assistance to review this PR. Per our standard operating procedures if no response is received in the next 7 business days, we will close this PR. Thank you for your cooperation.

[t-pol]

Hello,
Apologies for the late response.
The only pending error is in the input parameter "eventresultdetails_in".
Based on the documentation https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web
EventResultDetails field, which typically reports the HTTP Status Code.
However, Fortigate does not populate http status code so far. Due to this EventResultDetails has alreardy been set as N/A to the existing parsers. Unfortunately, i can not fix this issue.
Thanks.

[vakohl]

@t-pol Thankyou for your updates. Can we try below?

1. Remove this mapping from both ASIM and VIM=> | extend EventResultDetails = "NA"
2. Remove this mapping from both ASIM and VIM=> HttpStatusCode = EventResultDetails
3. In the vim file use filter => | where (array_length(eventresultdetails_in) == 0
4. Remove filter=> | where (array_length(eventresultdetails_in) == 0 or tostring(EventResultDetails) has_any(eventresultdetails_in))

[t-pol]

Changes have been applied.
Thanks

[v-atulyadav]

Hi @t-pol,
The validations associated with this pull request are not progressing. Please ensure you have the latest updates from the master branch. Thanks

[v-atulyadav]

Hi @t-pol,
Thank you for your reply. Please review one of the validations that did not pass. Thanks

[t-pol]

Hello @v-atulyadav , I have fixed the pending issues. Please proceed and check the pr.
Thanks

[t-pol]

Hello @v-atulyadav @vakohl , I have fixed the pending issues. Please proceed and check the pr.
Thanks