ASIM WebSession Parser: New Cisco Umbrella Proxy Log Coverage

What Changed

New ASIM WebSession parser for Cisco Umbrella proxy logs from Azure Function connector, adding two new parser functions:

• ASimWebSessionCiscoUmbrella (unfiltered parser)
• vimWebSessionCiscoUmbrella (filtering parser with parameter support)

Parser Impact

The parser normalizes Cisco_Umbrella_proxy_CL table data to ASIM WebSession schema version 0.2.7. Key field mappings include:

• Source identity extraction from PolicyIdentity_s field (UPN or Simple username types)
• HTTP metadata: user agent, content type, referrer, request/response sizes
• Threat intelligence: AMP disposition, SHA-256 hashes, risk scores, blocked categories
• Network context: internal IP, external IP, destination IP addresses
• Request verdict classification (Allowed/Blocked → Success/Failure)

Parser includes filtering capabilities for time windows, IP prefixes, URLs, user agents, and result codes. The pack parameter enables additional fields in AdditionalFields bag for extended visibility.

Detection Surface Unlocked

Organizations using Cisco Umbrella proxy logs can now:

• Query web sessions using source-agnostic ASIM queries across multiple security tools
• Correlate Umbrella proxy activity with other data sources via normalized fields
• Apply existing ASIM-based detections to Umbrella data without modification
• Leverage threat intelligence fields (AMP scores, file hashes, categories) in detections

The parser enables detection of web-based threats, policy violations, and suspicious browsing patterns through the standardized WebSession schema.

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/Cisco_Umbrella_proxy_CL.json
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimWebSession/ARM/ASimWebSession/ASimWebSession.json
Parsers/ASimWebSession/ARM/ASimWebSessionCiscoUmbrella/ASimWebSessionCiscoUmbrella.json
Parsers/ASimWebSession/ARM/ASimWebSessionCiscoUmbrella/README.md
Parsers/ASimWebSession/ARM/FullDeploymentWebSession.json
Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json
Parsers/ASimWebSession/ARM/vimWebSessionCiscoUmbrella/README.md
Parsers/ASimWebSession/ARM/vimWebSessionCiscoUmbrella/vimWebSessionCiscoUmbrella.json
Parsers/ASimWebSession/CHANGELOG/ASimWebSession.md
Parsers/ASimWebSession/CHANGELOG/ASimWebSessionCiscoUmbrella.md
Parsers/ASimWebSession/CHANGELOG/imWebSession.md
Parsers/ASimWebSession/CHANGELOG/vimWebSessionCiscoUmbrella.md
Parsers/ASimWebSession/Parsers/ASimWebSession.yaml
Parsers/ASimWebSession/Parsers/ASimWebSessionCiscoUmbrella.yaml
Parsers/ASimWebSession/Parsers/imWebSession.yaml
Parsers/ASimWebSession/Parsers/vimWebSessionCiscoUmbrella.yaml