authentication native parser #11545
base: master
Conversation
ASIM parsers have been changed. ARM templates were regenerated from the updated KQL function YAML files. |
…re/Azure-Sentinel into native_Authentication_parser
@@ -0,0 +1,43 @@ | |||
Parser: | |||
Title: Authentication Event ASIM parser for Microsoft Sentinel native Authentication table | |||
Version: '0.1.1' |
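Review bot: Version: '0.1.1' on the last line of this hunk is the first version of a newly added file (the hunk header is @@ -0,0 +1,43 @@); start at '0.1.0' so that later bumps reflect actual changes to the parser rather than an offset baked in at creation.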
0.1.0
Done
EventProduct = "WAF" | ||
| project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId | ||
}; | ||
parser (disabled=disabled) |
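Review bot: EventProduct = "WAF" on the first line of this hunk does not fit a parser whose Title names the native Authentication table; a web application firewall is not the product that produces these authentication records. Set EventProduct to the product that actually populates the native table, or drop the override rather than hard-code a misleading value. The hunk also emits no EventUid, which is a recommended ASIM field; if _ItemId is not present in the source table, state that gap in the parser documentation instead of leaving it silent.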
(1) Warning: Missing recommended field [EventUid]
_ItemId is not there in the ASimAuthenticationEventLogs table, so when I added `project-rename EventUid = _ItemId` this line gives an error.
(isnull(starttime) or TimeGenerated >= starttime) | ||
and (isnull(endtime) or TimeGenerated <= endtime) | ||
and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any)) | ||
and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any)) // TargetAppName not available in source |
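Review bot: the trailing `// TargetAppName not available in source` on the last line of this hunk should be removed; a note that the filtered field is never populated belongs in the parser's documentation, and left inline it reads as if the filter clause were dead code while the clause still executes whenever targetappname_has_any is set.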
please remove the comment
done
and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any)) | ||
and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any)) // TargetAppName not available in source | ||
and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) | ||
and ((array_length(srchostname_has_any) == 0) or SrcHostname has_any (srchostname_has_any))// SrcHostname not available in source |
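Review bot: the last line of this hunk has no space between `(srchostname_has_any))` and `// SrcHostname not available in source`; remove that comment, and the identical `// TargetAppName not available in source` comment two lines above it, for the same reason as on the targetappname_has_any line, so that only the filter expressions remain in the where clause.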
please remove the comment
done
Required items, please complete
Change(s):
Reason for Change(s):
Version Updated:
Testing Completed:
Checked that the validations are passing and have addressed any issues that are present: