What Changed
New ASIM parsers added for six Azure Firewall log types: AZFWNetworkRule, AZFWNatRule, AZFWApplicationRule, AZFWIdpsSignature, AZFWThreatIntel, and AZFWDnsQuery. Together they create normalised views across the DNS, NetworkSession, and WebSession schemas.
Detection Surface Unlocked
The parsers enable standardised detection across Azure Firewall logs:
- DNS Schema: Domain reputation checks, DNS tunneling detection, C2 beaconing analysis
- Network Session Schema: East-west traffic analysis, lateral movement detection, network segmentation monitoring
- Web Session Schema: HTTP/HTTPS traffic inspection, web application attack detection, data exfiltration monitoring
Each parser includes comprehensive field mapping for source/destination IPs, ports, protocols, and Azure Firewall-specific metadata (rules, actions, threat intelligence verdicts).
ASIM Integration
Parsers integrate with existing ASIM framework:
- Added to master ASimDns, imDns, imWebSession union functions
- Support for disabled parser exclusion lists
- Full ARM deployment templates and schema validation tests included
- Custom table definitions added to KQL validation framework
The new parsers comply with the ASIM v0.1.7 schema and carry Azure Firewall-specific normalisation logic for timestamps, response codes, and protocol handling.
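As an added illustration (not the parser code from this PR), the block below shows the shape of an ASIM DNS parser over AZFWDnsQuery, including the disabled-parser exclusion check and the response-code normalisation mentioned above. The AZFWDnsQuery column names and the 'ExcludeASimDnsAzureFirewall' watchlist key are assumptions.

```kql
// Illustrative ASIM DNS parser over AZFWDnsQuery (not the PR's own code).
// ASSUMED: AZFWDnsQuery columns (SourceIp, SourcePort, QueryName, QueryType, QueryClass,
// Protocol, ResponseCode, ServerIp, ServerPort, QueryId) and the exclusion key
// 'ExcludeASimDnsAzureFirewall' in the ASimDisabledParsers watchlist.
let parser = (
    starttime: datetime=datetime(null), endtime: datetime=datetime(null),
    srcipaddr: string='*', domain_has_any: dynamic=dynamic([]),
    responsecodename: string='', disabled: bool=false) {
    // Exclusion list support: an 'Any' or parser-specific entry disables this parser
    let ASimBuiltInDisabled = toscalar(
        _GetWatchlist('ASimDisabledParsers')
        | where SearchKey in ('Any', 'ExcludeASimDnsAzureFirewall')
        | summarize count()) > 0;
    AZFWDnsQuery
    | where not(disabled or ASimBuiltInDisabled)
    // Pre-filter on raw columns so filtered calls stay cheap
    | where (isnull(starttime) or TimeGenerated >= starttime)
        and (isnull(endtime) or TimeGenerated <= endtime)
        and (srcipaddr == '*' or SourceIp == srcipaddr)
        and (array_length(domain_has_any) == 0 or QueryName has_any (domain_has_any))
    | extend
        EventCount = int(1), EventStartTime = TimeGenerated, EventEndTime = TimeGenerated,
        EventType = 'Query', EventProduct = 'Azure Firewall', EventVendor = 'Microsoft',
        EventSchema = 'Dns', EventSchemaVersion = '0.1.7',
        Dvc = tostring(split(_ResourceId, '/')[-1]),
        EventOriginalUid = tostring(QueryId),
        SrcIpAddr = SourceIp, SrcPortNumber = toint(SourcePort),
        DstIpAddr = ServerIp, DstPortNumber = toint(ServerPort),
        NetworkProtocol = toupper(Protocol),
        DnsQuery = QueryName, DnsQueryTypeName = QueryType, DnsQueryClassName = QueryClass,
        DnsResponseCode = toint(ResponseCode)
    // Normalise the numeric RCODE to its name and to a Success/Failure result
    | extend DnsResponseName = case(
        DnsResponseCode == 0, 'NOERROR', DnsResponseCode == 2, 'SERVFAIL',
        DnsResponseCode == 3, 'NXDOMAIN', DnsResponseCode == 5, 'REFUSED',
        tostring(DnsResponseCode))
    | extend EventResult = iff(DnsResponseCode == 0, 'Success', 'Failure'),
             EventResultDetails = DnsResponseName
    | where responsecodename == '' or DnsResponseName =~ responsecodename
    // Aliases the ASIM schema tests expect
    | extend Domain = DnsQuery, IpAddr = SrcIpAddr, Src = SrcIpAddr, Dst = DstIpAddr
};
parser(starttime=ago(1h), domain_has_any=dynamic(['example.com']))
```

The same function can be unioned into imDns alongside the other source parsers, passing `disabled` through so the watchlist exclusion still applies.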
Affected Files
Parsers/ASimDns/ (6 new parser files, 5 updated)
Parsers/ASimNetworkSession/ (4 new parser files, 4 updated)
Parsers/ASimWebSession/ (6 new parser files, 4 updated)
Sample Data/ASIM/ (3 new test data files)
.script/tests/ (validation config, ARM templates)