Update ASimNetworkSessionMicrosoftSysmon.yaml

Azure · goosvorbook · Dec 13, 2022 · Dec 13, 2022 · Dec 13, 2022 · Dec 13, 2022
commit e19f8a135491900c33fe53ec15c8f42392a83f87
diff --git a/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftSysmon.yaml b/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftSysmon.yaml
@@ -46,12 +46,11 @@ ParserQuery: |
                     DestinationPort:int,
                     DestinationPortName:string
                 ) with (regex=@'<Data Name="(\w+)">{?([^>]*)}?</Data>')
+        | parse EventData with * '<Data Name="ProcessGuid">{' ProcessGuid "}" *    
         | project-away EventData
         | project-rename
                 SrcHostname = SourceHostname,
                 DstHostname = DestinationHostname
-        | extend 
-                ProcessGuid = tostring(split(split(ProcessGuid, "{")[-1], "}")[0])
       };
   let Sysmon3_WindowsEvent=(disabled:bool=false){
         WindowsEvent
@@ -64,7 +63,6 @@ ParserQuery: |
                 SrcHostname = tostring(EventData.SrcHostname),
                 RuleName = tostring(EventData.RuleName),
                 UtcTime = todatetime(EventData.UtcTime),
-                ProcessGuid = tostring(split(split(EventData.ProcessGuid, "{")[-1], "}")[0]),
                 ProcessId = tostring(EventData.ProcessId),
                 Image = tostring(EventData.Image),
                 User = tostring(EventData.User),
@@ -76,6 +74,7 @@ ParserQuery: |
                 DestinationIsIpv6 = tobool(EventData.DestinationIsIpv6),
                 DestinationPort = toint(EventData.DestinationPort),
                 DestinationPortName = tostring(EventData.DestinationPortName)
+        | parse EventData.ProcessGuid with * "{" ProcessGuid "}" *  
         | project-away EventData
       };
   union Sysmon3_Event,Sysmon3_WindowsEvent