diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json index 298c3efa5e..2382a38dce 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json @@ -27,7 +27,7 @@ "displayName": "Authentication Event ASIM filtering parser for Microsoft Sentinel native Authentication table", "category": "ASIM", "FunctionAlias": "vimAuthenticationNative", - "query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n ASimAuthenticationEventLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n //and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0)\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\",\n EventVendor='Barracuda',\n EventProduct = \"WAF\"\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n ASimAuthenticationEventLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n //and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))\n and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n //and (array_length(eventresultdetails_in) == 0)\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\",\n EventVendor='Barracuda',\n EventProduct = \"WAF\"\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" }