Add Halcyon ASIM DNS parser #14606
Open
jwilke-halcyon wants to merge 2 commits into
* Add Halcyon's ASIM DNS parser
* Add Halcyon sub-parser to Dns union parser ARM templates
Contributor
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds Halcyon support to ASIM DNS by introducing new Halcyon-specific parsers and wiring them into the existing DNS union parsers, along with sample data, ARM deployment artifacts, and validation baselines.
Changes:
- Added Halcyon DNS parsers: `ASimDnsHalcyon` (normalization) and `vimDnsHalcyon` (filtering).
- Registered Halcyon parsers in `ASimDns` and `imDns` union parsers (YAML + ARM).
- Added sample ingested log data, changelogs, ARM templates/README, and test baseline CSV outputs.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| Sample Data/ASIM/Halcyon_Halcyon_Dns_IngestedLogs.csv | Adds representative Halcyon DNS OCSF events for ASIM parser validation/demo. |
| Parsers/ASimDns/Tests/Halcyon_ASimDns_SchemaTest.csv | Adds schema validation baseline output for Halcyon normalization results. |
| Parsers/ASimDns/Tests/Halcyon_ASimDns_DataTest.csv | Adds data-quality validation baseline output for Halcyon normalization results. |
| Parsers/ASimDns/Parsers/vimDnsHalcyon.yaml | New filtering + normalization parser for Halcyon DNS events (union sub-parser). |
| Parsers/ASimDns/Parsers/ASimDnsHalcyon.yaml | New normalization-only parser for Halcyon DNS events (ASimDns sub-parser). |
| Parsers/ASimDns/Parsers/imDns.yaml | Registers vimDnsHalcyon in the imDns union and bumps version metadata. |
| Parsers/ASimDns/Parsers/ASimDns.yaml | Registers ASimDnsHalcyon in the ASimDns union and bumps version metadata. |
| Parsers/ASimDns/CHANGELOG/vimDnsHalcyon.md | Adds changelog for the new vimDnsHalcyon parser. |
| Parsers/ASimDns/CHANGELOG/ASimDnsHalcyon.md | Adds changelog for the new ASimDnsHalcyon parser. |
| Parsers/ASimDns/ARM/vimDnsHalcyon/vimDnsHalcyon.json | ARM template to deploy vimDnsHalcyon function. |
| Parsers/ASimDns/ARM/vimDnsHalcyon/README.md | Deployment documentation for vimDnsHalcyon ARM template. |
| Parsers/ASimDns/ARM/imDns/imDns.json | Updates imDns ARM deployment to union in vimDnsHalcyon. |
| Parsers/ASimDns/ARM/FullDeploymentDns.json | Adds linked deployments for Halcyon parsers in full DNS deployment template. |
| Parsers/ASimDns/ARM/ASimDnsHalcyon/README.md | Deployment documentation for ASimDnsHalcyon ARM template. |
| Parsers/ASimDns/ARM/ASimDnsHalcyon/ASimDnsHalcyon.json | ARM template to deploy ASimDnsHalcyon function. |
| Parsers/ASimDns/ARM/ASimDns/ASimDns.json | Updates ASimDns ARM deployment to union in ASimDnsHalcyon. |
Comment on lines +79 to +82
| | where (array_length(domain_has_any) == 0 or tostring(query.hostname) has_any (domain_has_any)) | ||
| // answers is a single-object dynamic array {rdata,type,class}; read answers[0].rdata (do not serialize the whole array). | ||
| | where (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(tostring(answers[0].rdata), response_has_any_prefix)) | ||
| | where (response_has_ipv4 == '*' or has_ipv4(tostring(answers[0].rdata), response_has_ipv4)) |
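Review bot: the response filters on +81 and +82 read only `answers[0].rdata`, so an event whose `answers` array ever carries more than one record is matched against its first answer alone; the comment on +80 asserts a single-object array, and if that holds for every Halcyon event it should also be stated in the parser description, otherwise expand the array with `mv-apply` so `response_has_any_prefix` and `response_has_ipv4` are checked against each answer. Note as well that `has_ipv4()` on +82 returns false for non-IPv4 rdata (CNAME, AAAA, TXT), so a `response_has_ipv4` filter silently drops those events, which is acceptable but worth a line in the parser documentation.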
Comment on lines +86 to +90
| DnsQuery = tostring(query.hostname), // OCSF query.hostname | ||
| DnsQueryTypeName = tostring(answers[0].type), // OPTIONAL: inferred from first answer; query.type is not emitted // validate | ||
| DnsResponseCode = toint(rcode_id), // OCSF rcode_id (constant 0 = NoError; resolution succeeded) | ||
| DnsResponseCodeName = coalesce(tostring(rcode), tostring(_ASIM_LookupDnsResponseCode(toint(rcode_id)))), // Halcyon emits rcode "NoError"; datatable fallback on rcode_id | ||
| DnsResponseName = tostring(answers[0].rdata), |
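Review bot: the `// validate` marker on +87 reads as a leftover TODO and should be resolved or removed before merge. Deriving `DnsQueryTypeName` from `answers[0].type` on that line is also not the query type: when the first answer is a CNAME, an `A` query is labelled `CNAME`, so either leave the field empty when `query.type` is not emitted or document the inference in the parser description. On +88 the comment states `rcode_id` is a constant 0, yet the column is still computed with `toint(rcode_id)` and the datatable fallback on +89 handles other codes; the comment should describe what the sample data shows rather than assert a constant.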
Comment on lines +62 to +66
| // DNS query class name -> numeric class lookup (not hardcoded). | ||
| let DnsClassLookup = datatable(DnsQueryClassName:string, DnsQueryClass:int) | ||
| [ | ||
| "IN", 1, "CH", 3, "HS", 4, "NONE", 254, "ANY", 255 | ||
| ]; |
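Review bot: the comment on +62 says the class lookup is "not hardcoded", but +65 is an inline literal `datatable`, which is a hardcoded mapping; reword it to say the mapping is table-driven rather than a chain of string comparisons, or point to a shared ASIM lookup function if one exists for DNS classes. The table omits class `CS` (2) from the RFC 1035 set; if Halcyon only ever emits `IN`, a comment saying so would justify the short list. Putting one `name, value` pair per line instead of all five pairs on +65 would also make the mapping easier to review and diff.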
Comment on lines +24 to +28
| - Field: DvcFQDN | ||
| Warning: Empty value in mandatory field | ||
| Exception: Halcyon events provide only a short device hostname; no fully-qualified domain is included in the source data. | ||
| - Field: DvcDomain | ||
| Warning: Empty value in mandatory field |
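Review bot: the `DvcDomain` entry on +27/+28 has no `Exception:` justification within this hunk, while `DvcFQDN` on +24 to +26 does; add the same explanation (the source carries only a short device hostname) so the baseline records why both mandatory fields are expected to be empty. Since the exception text on +26 states no fully-qualified name exists in the data, it is also worth confirming in the data test that `DvcHostname` is populated on every event, otherwise the exception would mask a genuine gap rather than a known source limitation.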
| SrcProcessName = tostring(actor.process.file.name), | ||
| SrcProcessId = tostring(actor.process.pid), | ||
| SrcProcessCommandLine = tostring(actor.process.cmd_line), | ||
| DvcHostname_raw = tostring(device.hostname), |
| DvcId = tostring(device.uid), | ||
| EventOriginalSeverity = tostring(severity) | ||
| | where (responsecodename == '*' or DnsResponseCodeName =~ responsecodename) | ||
| | invoke _ASIM_ResolveDvcFQDN('DvcHostname_raw') |
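Review bot: the `responsecodename` filter on the line `| where (responsecodename == '*' or DnsResponseCodeName =~ responsecodename)` runs after the normalization `extend` that produces `DvcId` and `EventOriginalSeverity`, so every row is fully normalized before the filter discards it; ASIM filtering parsers should apply parameter filters as early as possible. Because `DnsResponseCodeName` is built from `coalesce(tostring(rcode), ...)`, a pre-extend `| where responsecodename == '*' or tostring(rcode) =~ responsecodename` covers the common case, with the `rcode_id` fallback only needed when `rcode` is empty. Also, `DvcHostname_raw` is a helper column consumed by `_ASIM_ResolveDvcFQDN`; make sure it is removed in the final `project-away` so it does not surface in the schema test output.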
Collaborator
Hi @jwilke-halcyon,
Change(s):
Reason for Change(s):
Version updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: