[ASIM Parsers] Generate deployable ARM templates from KQL function YA…

…ML files.
Azure · Jan 2, 2025 · 829ff57 · 829ff57
1 parent 8b5a0e9
commit 829ff57
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json
@@ -27,7 +27,7 @@
         "displayName": "Authentication Event ASIM filtering parser for Microsoft Sentinel native Authentication table",
         "category": "ASIM",
         "FunctionAlias": "vimAuthenticationNative",
-        "query": "let parser=\n(\n  starttime: datetime=datetime(null), \n  endtime: datetime=datetime(null), \n  username_has_any: dynamic = dynamic([]),\n  targetappname_has_any: dynamic = dynamic([]),\n  srcipaddr_has_any_prefix: dynamic = dynamic([]),\n  srchostname_has_any: dynamic = dynamic([]),\n  eventtype_in: dynamic = dynamic([]),\n  eventresultdetails_in: dynamic = dynamic([]),\n  eventresult: string = '*',\n  disabled: bool=false\n)\n{\n  ASimAuthenticationEventLogs  | where not(disabled)\n  //  -- Pre-parsing filtering:\n  | where\n      (isnull(starttime) or TimeGenerated >= starttime) \n      and (isnull(endtime) or TimeGenerated <= endtime)\n      //and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n      and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n      and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n      and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n      and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n      and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n      and (array_length(eventresultdetails_in) == 0)\n      and (eventresult == \"*\" or (EventResult == eventresult))\n  | extend\n        User =  TargetUsername,\n        Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n        IpAddr=SrcIpAddr,\n        LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n        Dvc=EventVendor,\n        Application=TargetAppName,\n        Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n        Rule = coalesce(RuleName, tostring(RuleNumber)),\n        EventStartTime = TimeGenerated,\n        EventEndTime = TimeGenerated,\n        EventSchema = \"Authentication\",\n        EventVendor='Barracuda',\n        EventProduct = \"WAF\"\n  | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n  (\n  starttime=starttime,\n  endtime=endtime,\n  username_has_any=username_has_any,\n  targetappname_has_any=targetappname_has_any,\n  srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n  srchostname_has_any=srchostname_has_any,\n  eventtype_in=eventtype_in,\n  eventresultdetails_in=eventresultdetails_in,\n  eventresult=eventresult,\n  disabled=disabled\n)\n",
+        "query": "let parser=\n(\n  starttime: datetime=datetime(null), \n  endtime: datetime=datetime(null), \n  username_has_any: dynamic = dynamic([]),\n  targetappname_has_any: dynamic = dynamic([]),\n  srcipaddr_has_any_prefix: dynamic = dynamic([]),\n  srchostname_has_any: dynamic = dynamic([]),\n  eventtype_in: dynamic = dynamic([]),\n  eventresultdetails_in: dynamic = dynamic([]),\n  eventresult: string = '*',\n  disabled: bool=false\n)\n{\n  ASimAuthenticationEventLogs  | where not(disabled)\n  //  -- Pre-parsing filtering:\n  | where\n      (isnull(starttime) or TimeGenerated >= starttime) \n      and (isnull(endtime) or TimeGenerated <= endtime)\n      //and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n      and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n      and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n      and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n      and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n      and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n      //and (array_length(eventresultdetails_in) == 0)\n      and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n      and (eventresult == \"*\" or (EventResult == eventresult))\n  | extend\n        User =  TargetUsername,\n        Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n        IpAddr=SrcIpAddr,\n        LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n        Dvc=EventVendor,\n        Application=TargetAppName,\n        Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n        Rule = coalesce(RuleName, tostring(RuleNumber)),\n        EventStartTime = TimeGenerated,\n        EventEndTime = TimeGenerated,\n        EventSchema = \"Authentication\",\n        EventVendor='Barracuda',\n        EventProduct = \"WAF\"\n  | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n  (\n  starttime=starttime,\n  endtime=endtime,\n  username_has_any=username_has_any,\n  targetappname_has_any=targetappname_has_any,\n  srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n  srchostname_has_any=srchostname_has_any,\n  eventtype_in=eventtype_in,\n  eventresultdetails_in=eventresultdetails_in,\n  eventresult=eventresult,\n  disabled=disabled\n)\n",
         "version": 1,
         "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
       }