diff --git a/.script/tests/KqlvalidationsTests/CustomTables/ASimAuthenticationEventLogs.json b/.script/tests/KqlvalidationsTests/CustomTables/ASimAuthenticationEventLogs.json
index 024d38a5017..e827efa2a6e 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/ASimAuthenticationEventLogs.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/ASimAuthenticationEventLogs.json
@@ -5,6 +5,26 @@
 "name": "TimeGenerated",
 "type": "DateTime"
 },
+ {
+ "name": "_ItemId",
+ "type": "string"
+ },
+ {
+ "name": "TenantId",
+ "type": "string"
+ },
+ {
+ "name": "SourceSystem",
+ "type": "string"
+ },
+ {
+ "name": "_ResourceId",
+ "type": "string"
+ },
+ {
+ "name": "_SubscriptionId",
+ "type": "string"
+ },
 {
 "name": "AdditionalFields",
 "type": "Dynamic"
diff --git a/.script/tests/asimParsersTest/ExclusionListForASimTests.csv b/.script/tests/asimParsersTest/ExclusionListForASimTests.csv
index ac9a15ecefe..27c127d258a 100644
--- a/.script/tests/asimParsersTest/ExclusionListForASimTests.csv
+++ b/.script/tests/asimParsersTest/ExclusionListForASimTests.csv
@@ -1 +1,2 @@
 ParserName
+_Im_Authentication_Native
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
index c953560b0d2..fcb4c7ffb91 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
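Review bot: Adding `_Im_Authentication_Native` to ExclusionListForASimTests.csv switches off the ASIM parser tests for the Native authentication parser in the same change that wires it into the production `ASimAuthentication` union, so a schema-conformance regression in that parser would no longer be caught before it reaches every analytics rule built on the unified authentication stream. The exclusion entry and the union entry use different names (`_Im_Authentication_Native` here, `ASimAuthenticationNative` in the union), so it is not clear from this diff whether the ASim-prefixed function is tested, also excluded, or simply not in the test matrix; the reason for the exclusion and the condition for lifting it are worth recording in the PR description or a README next to the list, since the CSV format leaves no room for a comment. The file now ends without a trailing newline, so a later append that does not start with its own newline would fuse two parser names into one unrecognised token.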
@@ -27,10 +27,10 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in 
(DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT 
(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json index 024ae7cdead..7b265e73b14 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json index dd4e4545638..ef61277dcf6 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json index f4df060c3ba..18df0f025f9 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json 
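Review bot: The new member `ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) ))` sits under `union isfuzzy=true`, so in a workspace where the `ASimAuthenticationNative` function is absent (no ARM template for it appears in the part of this diff visible here; it may ship separately) the member is dropped silently rather than failing the query, and with the Native parser excluded from the ASIM tests in the same change nothing would surface that. The custom-table schema updated alongside suggests the Native parser reads `ASimAuthenticationEventLogs`, which is presumably populated through the ingestion API rather than by a first-party connector; if so, every principal with write access to that table (DCR/DCE permissions) can now place records into the unified authentication stream on equal footing with SigninLogs and SecurityEvent, which belongs in the parser documentation as part of the trust boundary for detections consuming `ASimAuthentication`. The new `ExcludeASimAuthenticationNative` watchlist key should also be added wherever the `ASimDisabledParsers` keys are documented, otherwise operators have no way to discover it. The generated ARM files in this diff all lose their trailing newline, which looks like a generator change rather than intent.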
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
index 5fe295558c4..f8689ef2049 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
index d9fd5480e92..13777836e74 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json
index 3af334356a7..4867a681b90 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json
index a1e4d0f7ac9..f640cf429f6 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
index 056a53d4d7d..b618269f70a 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json
index 0b0ed9ec457..d5d0f5dcf93 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json
index 1cbed1b42ae..13d45047a7b 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMerakiSyslog/ASimAuthenticationCiscoMerakiSyslog.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json
index 64553522c0d..be29e75e375 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json
index 3697fa5d2a7..90f639841a7 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationGoogleWorkspace/ASimAuthenticationGoogleWorkspace.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json
index 5f9b3c20cf7..1d689d2c38f 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationIllumioSaaSCore/ASimAuthenticationIllumioSaaSCore.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
index 98e8ae1fd41..f5e46c80e6d 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
index d5a61c3d1b0..82eb2760c78 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
index 958b051f666..b04a9d1abf7 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
@@ -27,10 +27,10 @@ "displayName": "Authentication ASIM parser for Windows Security Events", "category": "ASIM", "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 
'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(disabled: bool=false) { \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = 
tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcHostname = tostring(EventData.WorkstationName),\n SrcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4634,\n \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"\n ),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n 
TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon=(disabled: bool=false) {\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcHostname = WorkstationName,\n SrcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n 
EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)", + "query": "let LogonEvents=dynamic([4624, 4625]);\nlet LogoffEvents=dynamic([4634, 4647]);\nlet LogonTypes=datatable(LogonType: int, EventSubType: string)[\n 2, 'Interactive',\n 3, 'Remote',\n 4, 'System',\n 5, 'Service',\n 7, 'Interactive',\n 8, 'NetworkCleartext',\n 9, 'AssumeRole',\n 10, 'RemoteInteractive',\n 11, 'Interactive'\n];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (\n EventStatus: string,\n EventOriginalResultDetails: string,\n EventResultDetails: string\n)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT', 'Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER', 'No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS', 'Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION', 'Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED', 'Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED', 
'User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC', 'Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE', 'Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED', 'Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN', 'Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED', 'Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED', 'Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD', 'Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER', 'Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE', 'Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET', 'Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR', 'Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED', 'Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED', 'Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION', 'Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN', 'Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS', 'Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE', 'Other',\n '0xc0000017', 'STATUS_NO_MEMORY', 'Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED', 'Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND', 'Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS', 'Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD', 'Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE', 'Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION', 'Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED', 'Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE', 'Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES', 'Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE', 'Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG', 'Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE', 'Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED', 'Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT', 'Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE', 'Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT', 'User locked',\n '0xc00002ee', 
'STATUS_UNFINISHED_CONTEXT_DELETED', 'Other'\n];\nlet WinLogon=(disabled: bool=false) { \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | project EventData, EventID, EventOriginId, Computer, TimeGenerated, _ItemId, Type\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-', ''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\", EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcHostname = tostring(EventData.WorkstationName),\n SrcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-', ''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\", EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus == '0x0', Status, SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624,\n \"4624 - An account was successfully logged on.\",\n EventID == 4625,\n \"4625 - An account failed to log on.\",\n EventID == 4634,\n \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"\n ),\n EventResult = 
iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventData,\n LogonGuid,\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n TargetDomainName,\n TargetDvcHostname\n};\nlet SecEventLogon=(disabled: bool=false) {\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project\n SubjectLogonId,\n SubjectUserSid,\n Activity,\n EventID,\n EventOriginId,\n AuthenticationPackageName,\n WorkstationName,\n IpAddress,\n Computer,\n TargetLogonId,\n TargetUserSid,\n SubjectDomainName,\n SubjectUserName,\n SubjectAccount,\n TimeGenerated,\n SubStatus,\n TargetDomainName,\n TargetUserName,\n AccountType,\n TargetAccount,\n Status,\n LogonType,\n Type\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n EventMessage = Activity,\n EventOriginalType = EventID,\n 
EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcHostname = WorkstationName,\n SrcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-', ''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-', ''), 'Simple', 'Windows'),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus == '0x0', Status, SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-', ''), trim(@'\\\\', TargetUserName), trim(@'\\\\', TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId),\n EventOriginalType = tostring(EventOriginalType)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername,\n IpAddr = SrcIpAddr\n | project-away\n EventStatus,\n LogonType,\n Status,\n SubStatus,\n SubjectAccount,\n SubjectDomainName,\n SubjectUserName,\n EventStatus,\n TargetAccount,\n TargetDomainName,\n TargetDvcHostname\n};\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)", "version": 1, "functionParameters": "disabled:bool=False" } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json
new file mode 100644
index 00000000000..fd66161e54e
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/ASimAuthenticationNative')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "properties": {
+ "etag": "*",
+ "displayName": "Authentication Event ASIM parser for Microsoft Sentinel native Authentication table",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuthenticationNative",
+ "query": "let parser=(disabled:bool=false) \n{\n ASimAuthenticationEventLogs | where not(disabled)\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (disabled=disabled)\n",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+}
\ No newline at end of file
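Review bot: `Dvc=EventVendor` in the query fills the device alias with the vendor name, whereas the other parsers in this diff derive `Dvc` from a host identity (`Dvc = SrcHostname` in the Windows parsers); if the native table carries the ASIM common device fields, this presumably should read `Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr, DvcId),` — confirm against the Authentication schema before merging. `EventStartTime = TimeGenerated` and `EventEndTime = TimeGenerated` also overwrite whatever start/end time the native table already holds, which discards the original event timing for records ingested with delay; if those columns exist in the table, `EventStartTime = coalesce(EventStartTime, TimeGenerated)` (and the same for EventEndTime) keeps the source value. A short comment at the top of the query stating that the parser only adds query-time aliases and strips the workspace columns would help the next maintainer, since the ARM file has no other place for it.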
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/README.md
new file mode 100644
index 00000000000..ac8f971323a
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/README.md
@@ -0,0 +1,18 @@
+# Native ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Native.
+
+This ASIM parser supports normalizing the native Microsoft Sentinel Authentication table (ASimAuthenticationEventLogs) to the ASIM Authentication Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationNative%2FASimAuthenticationNative.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationNative%2FASimAuthenticationNative.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
index 899a6b5ee95..a0774d1b501 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
index 672fa3081ce..364eeb70579 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaV2/ASimAuthenticationOktaV2.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json
index c963395d981..4abb1c7ed7b 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
index cc368e11f20..37a7900bf1c 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
index 532bc513756..e3bcdf244e8 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
index 3ffed72291b..2b70070add8 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json
index 459c848a9a9..de5be1f9fd5 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json
index a02544c60b8..59d3a650310 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
index 3b711fb19b8..42a2840e415 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json
index a116ee78fbc..3e4081b1a21 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json
index 3edcdb6a2e7..d30af906017 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json
@@ -33,4 +33,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
index 91294129c1f..2146765c5df 100644
--- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
@@ -358,6 +358,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuthenticationNative",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -938,6 +958,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuthenticationNative",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
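Review bot: The second hunk's `"uri"` points at `vimAuthenticationNative/vimAuthenticationNative.json`, a file I do not see added in this part of the diff; if that filtering-parser template is not part of this change, the full deployment fails at run time when the linked deployment `linkedvimAuthenticationNative` is fetched, so confirm it lands with this commit or defer the hunk until it does. Both new `templateLink` entries resolve against the `master` branch on raw.githubusercontent.com at deploy time, so the fixed `"contentVersion": "1.0.0.0"` does not pin the content that is actually deployed; that follows the surrounding entries, but it means the new parser is live for every full-deployment run the moment it merges, and the PR description should say the template is only deployable once the linked files are on master.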
diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
index 1a2e8bf4b44..80af53c759c 100644
--- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json
@@ -27,10 +27,10 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, 
endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in 
(DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled 
or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, 
username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = 
dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, 
endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, 
eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) 
)))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled 
or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, 
username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) )))\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" 
} } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json index 27831bbafe5..8ced9c304dc 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json index 0ba0304ae2a..417776c5e91 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json index 37eb5245a83..15646573784 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json index 4a9ed414f0b..4117a614225 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json index bd4c03b6727..22608ef4cbf 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json index c129ab1db40..6f6f9e9ede3 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json index 7f66de9ad1c..a3866fdd502 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json 
@@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json index 9f0e6492869..1d8ec46625f 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json index c532545e5fe..02594eb0e2a 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json index 4bc127598cc..f53c326d453 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMerakiSyslog/vimAuthenticationCiscoMerakiSyslog.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json index 173c6524ef2..63ecf7d8f22 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json 
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json index 21b838f848b..b57b6c37ae5 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json @@ -32,4 +32,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json index f073b9a025d..74da98a782c 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationGoogleWorkspace/vimAuthenticationGoogleWorkspace.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json index 635ceefbaa0..4c735d246f6 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationIllumioSaaSCore/vimAuthenticationIllumioSaaSCore.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json index b14b9bdfcb5..7bd2e5fc9da 100644 
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json index 83501502b45..a686ad335f8 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json index 58322140a30..a984847b1b3 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/README.md new file mode 100644 index 00000000000..41ae338d205 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/README.md 
@@ -0,0 +1,18 @@
+# Native ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Native.
+
+This ASIM parser supports filtering and normalizing the native Microsoft Sentinel Authentication table (ASimAuthenticationEventLogs) to the ASIM Authentication Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationNative%2FvimAuthenticationNative.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationNative%2FvimAuthenticationNative.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json
new file mode 100644
index 00000000000..57f763f8f38
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json
@@ -0,0 +1,36 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "[concat(parameters('Workspace'), '/vimAuthenticationNative')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "properties": {
+ "etag": "*",
+ "displayName": "Authentication Event ASIM filtering parser for Microsoft Sentinel native Authentication table",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuthenticationNative",
+ "query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n ASimAuthenticationEventLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any)) \n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or SrcHostname has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False"
+ }
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json
index d43e4d61b3e..5c93edde319 100644
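Review bot: `Dvc=EventVendor` in the extend clause of the `query` string binds the Dvc alias to the vendor name rather than to a device identifier, so any detection or hunting query that pivots or aggregates on Dvc will collapse every event from the native table onto one value instead of the reporting device. The ASIM common fields define Dvc as an alias for the device columns (DvcFQDN / DvcHostname / DvcIpAddr / DvcId); if the native table carries them, `Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr, DvcId),` would follow the same coalesce convention the other aliases in this clause use (Src, Dst, LogonTarget, Rule). The same line appears in ParserQuery of Parsers/ASimAuthentication/Parsers/ASimAuthenticationNative.yaml in this commit. If EventVendor is intentional for the native table, a short `// Dvc: ...` comment in the query explaining why would save the next reader from re-checking it against the schema.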
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json index 49461af15b2..687ec291254 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaV2/vimAuthenticationOktaV2.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json index 7832389409e..988eb2719b5 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json index e6237d18a30..6184dd4f6cc 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json index 8d13a801033..c8162d49d58 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json index 7fbb93b589b..8bb40d65ee6 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json index e5e88a4a890..d5f37fc06e8 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json index 88f49e5de0e..f60af1c321d 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file 
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json index 1b20464099f..523b17a78d8 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json index b043e73d08b..6cb3f39e8a2 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json index 83339a1ab48..d0154ca6b22 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json @@ -33,4 +33,4 @@ } } ] -} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 993ef29a56e..8e02bbc5c08 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml 
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM parser
- Version: '0.2.5'
- LastUpdated: June 7, 2024
+ Version: '0.2.6'
+ LastUpdated: Dec 10, 2024
 Product:
 Name: Source agnostic
 Normalization:
@@ -51,7 +51,8 @@ ParserQuery: |
 ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),
 ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),
 ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),
- ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) ))
+ ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),
+ ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) ))
 Parsers:
 - _Im_Authentication_Empty
 - _ASim_Authentication_AADManagedIdentitySignInLogs
@@ -82,3 +83,4 @@ Parsers:
 - _ASim_Authentication_GoogleWorkspace
 - _ASim_Authentication_SalesforceSC
 - _ASim_Authentication_IllumioSaaSCore
+ - _ASim_Authentication_Native
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationNative.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationNative.yaml
new file mode 100644
index 00000000000..fbcbb2cdaf7
--- /dev/null
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationNative.yaml
@@ -0,0 +1,44 @@
+Parser:
+ Title: Authentication Event ASIM parser for Microsoft Sentinel native Authentication table
+ Version: '0.1.0'
+ LastUpdated: Dec 10, 2024
+Product:
+ Name: Native
+Normalization:
+ Schema: Authentication
+ Version: '0.1.3'
+References:
+- Title: ASIM Authentication Schema
+ Link: https://aka.ms/ASimAuthenticationDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the native Microsoft Sentinel Authentication table (ASimAuthenticationEventLogs) to the ASIM Authentication Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: ASimAuthenticationNative
+EquivalentBuiltInParser: _ASim_Authentication_Native
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser=(disabled:bool=false)
+ {
+ ASimAuthenticationEventLogs | where not(disabled)
+ | extend
+ User = TargetUsername,
+ Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),
+ IpAddr=SrcIpAddr,
+ LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),
+ Dvc=EventVendor,
+ Application=TargetAppName,
+ Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName),
+ Rule = coalesce(RuleName, tostring(RuleNumber)),
+ EventStartTime = TimeGenerated,
+ EventEndTime = TimeGenerated,
+ EventSchema = "Authentication"
+ | project-rename
+ EventUid = _ItemId
+ | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId
+ };
+ parser (disabled=disabled)
+ 
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
index 745a0f71f22..f9da7bdf8e9 100644
--- a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
+++ b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
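Review bot: `Dvc=EventVendor` in the extend block sets the device alias to the vendor name, so every row from one vendor collapses to the same Dvc value (the sample data in this commit would yield "Barracuda" for all five rows) and the reporting device is lost for correlation; as I understand the ASIM alias conventions Dvc should identify the device, and the sample CSV header lists DvcFQDN, DvcHostname, DvcIpAddr and DvcId columns, so if the native table carries them `Dvc = coalesce(DvcFQDN, DvcHostname, DvcIpAddr, DvcId, EventVendor)` would preserve that identity and only fall back to the vendor. The identical extend block appears in vimAuthenticationNative.yaml later in this diff, so the same change applies there. Separately, `project-rename EventUid = _ItemId` assumes the table has no EventUid column of its own, yet the sample CSV header in this commit lists an EventUid column; please confirm against the table schema that the rename does not collide. The whitespace-only last line and the missing final newline are minor but worth cleaning up before merge.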
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM filtering parser
- Version: '0.3.2'
- LastUpdated: May 20, 2024
+ Version: '0.3.3'
+ LastUpdated: Dec 10, 2024
 Product:
 Name: Source agnostic
 Normalization:
@@ -80,6 +80,7 @@ ParserQuery: |
 , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))
 , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))
 , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))
+ , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) )))
 };
 Generic(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)
 Parsers:
@@ -111,3 +112,4 @@ Parsers:
 - _Im_Authentication_VMwareCarbonBlackCloud
 - _Im_Authentication_CrowdStrikeFalconHost
 - _Im_Authentication_IllumioSaaSCore
+ - _Im_Authentication_Native
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationNative.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationNative.yaml
new file mode 100644
index 00000000000..588cd9528e2
--- /dev/null
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationNative.yaml
@@ -0,0 +1,106 @@
+Parser:
+ Title: Authentication Event ASIM filtering parser for Microsoft Sentinel native Authentication table
+ Version: '0.1.0'
+ LastUpdated: Dec 10, 2024
+Product:
+ Name: Native
+Normalization:
+ Schema: Authentication
+ Version: '0.1.3'
+References:
+- Title: ASIM Authentication Schema
+ Link: https://aka.ms/ASimAuthenticationDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports filtering and normalizing the native Microsoft Sentinel Authentication table (ASimAuthenticationEventLogs) to the ASIM Authentication Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: vimAuthenticationNative
+EquivalentBuiltInParser: _Im_Authentication_Native
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: username_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: targetappname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: srcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: srchostname_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventtype_in
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventresultdetails_in
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventresult
+ Type: string
+ Default: '*'
+ - Name: disabled
+ Type: bool
+ Default: false
+
+ParserQuery: |
+ let parser=
+ (
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ username_has_any: dynamic = dynamic([]),
+ targetappname_has_any: dynamic = dynamic([]),
+ srcipaddr_has_any_prefix: dynamic = dynamic([]),
+ srchostname_has_any: dynamic = dynamic([]),
+ eventtype_in: dynamic = dynamic([]),
+ eventresultdetails_in: dynamic = dynamic([]),
+ eventresult: string = '*',
+ disabled: bool=false
+ )
+ {
+ ASimAuthenticationEventLogs | where not(disabled)
+ // -- Pre-parsing filtering:
+ | where
+ (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))
+ and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any))
+ and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))
+ and ((array_length(srchostname_has_any) == 0) or SrcHostname has_any (srchostname_has_any))
+ and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))
+ and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))
+ and (eventresult == "*" or (EventResult == eventresult))
+ | extend
+ User = TargetUsername,
+ Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),
+ IpAddr=SrcIpAddr,
+ LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),
+ Dvc=EventVendor,
+ Application=TargetAppName,
+ Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName),
+ Rule = coalesce(RuleName, tostring(RuleNumber)),
+ EventStartTime = TimeGenerated,
+ EventEndTime = TimeGenerated,
+ EventSchema = "Authentication"
+ | project-rename
+ EventUid = _ItemId
+ | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId
+ };
+ parser
+ (
+ starttime=starttime,
+ endtime=endtime,
+ username_has_any=username_has_any,
+ targetappname_has_any=targetappname_has_any,
+ srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
+ srchostname_has_any=srchostname_has_any,
+ eventtype_in=eventtype_in,
+ eventresultdetails_in=eventresultdetails_in,
+ eventresult=eventresult,
+ disabled=disabled
+ )
\ No newline at end of file
diff --git a/Sample Data/ASIM/Microsoft_NativeTable_Authentication_IngestedLogs.csv b/Sample Data/ASIM/Microsoft_NativeTable_Authentication_IngestedLogs.csv
new file mode 100644
index 00000000000..37c42b30479
--- /dev/null
+++ b/Sample Data/ASIM/Microsoft_NativeTable_Authentication_IngestedLogs.csv 
@@ -0,0 +1,6 @@ +TimeGenerated [UTC],EventProductVersion,TargetSessionId,TargetAppName,ActingAppId,EventOriginalUid,SrcIpAddr,TargetAppId,TargetUserId,TargetUsername,Type,EventUid,EventResultDetails,EventType,EventResult,EventOriginalResultDetails,EventSeverity,Dvc,EventCount,EventProduct,EventSchema,EventSchemaVersion,EventVendor,LogonMethod,TargetAppType,TargetUserIdType,TargetUsernameType,TargetUserType,Application,Dst,EventEndTime [UTC],EventStartTime [UTC],IpAddr,LogonTarget,Src,TargetSimpleUsername,TargetUserAadId,User,TenantId,SourceSystem,OperationName,OperationVersion,Category,ResultType,ResultSignature,ResultDescription,DurationMs,ResourceGroup,Identity,Level,Location,AlternateSignInName,AppDisplayName,AppId,AppliedEventListeners,AuthenticationContextClassReferences,AuthenticationDetails,AuthenticationMethodsUsed,AuthenticationProcessingDetails,AuthenticationProtocol,AuthenticationRequirementPolicies,AutonomousSystemNumber,ClientAppUsed,ConditionalAccessPolicies_string,ConditionalAccessPolicies_dynamic,ConditionalAccessPoliciesV2,ConditionalAccessStatus,CreatedDateTime 
[UTC],CrossTenantAccessType,DeviceDetail_string,DeviceDetail_dynamic,HomeTenantId,SrcDvcIpAddr,IsInteractive,IsRisky,LocationDetails_string,LocationDetails_dynamic,MfaDetail_string,MfaDetail_dynamic,NetworkLocationDetails,OriginalRequestId,ProcessingTimeInMs,ResourceDisplayName,ResourceIdentity,ResourceServicePrincipalId,ResourceTenantId,RiskDetail,RiskEventTypes,RiskEventTypes_V2,RiskLevelAggregated,RiskLevelDuringSignIn,RiskState,ServicePrincipalId,SessionLifetimePolicies,SignInEventTypes,SignInIdentifierType,Status_string,Status_dynamic,TokenIssuerName,TokenIssuerType,UniqueTokenIdentifier,HttpUserAgent,UserDisplayName,UserType,EventSubType,SrcDvcHostname,SrcDvcId,SrcDvcOs,SrcGeoCity,SrcGeoCountry,SrcGeoLatitude,SrcGeoLongitude,TargetUserUpn,SrcGeoRegion,ResourceId,Resource,ResourceProvider,IPAddress,ProcessingTimeInMilliseconds,ServicePrincipalName,AADTenantId,FlaggedForReview,IPAddressFromResourceProvider,SignInIdentifier,AppliedConditionalAccessPolicies,RiskLevel,SrcHostname,TargetOriginalUserType,TargetUserScopeId,TargeCloudRegion,TlsVersion,CipherSuite,ClientProvidedHostHeader,IpProtocol,SourcePort,DestinationPort,CidrIp,LogonProtocol,SrcDeviceType,TargetUrl,EventOriginalDetails,TargetUserAWSId,_ItemId,_SubscriptionId,SrcPortNumber_int,SrcPortNumber_string,DvcIpAddr,DvcHostname,ActorUsername,ActorUsernameType,ActorUserType,CollectorHostName,EventOriginalType_string,EventOriginalType_int,EventOriginalSeverity,DvcAction,TargetIpAddr,EventMessage,TargetPortNumber,SrcDomainType,SrcFQDN,SrcDomain,ManagementGroupName,RawData,EventTime_t [UTC],Facility_s,HostName_s,SeverityLevel_s,SyslogMessage_s,ProcessID_s,HostIP_s,ProcessName_s,Type_s,_ResourceId_s,logTime_t 
[UTC],time_taken_s,c_ip_s,cs_userdn_s,cs_auth_groups_s,exception_id_s,sc_filter_result_s,cs_categories_s,cs_referrer_s,sc_status_s,s_action_s,cs_method_s,content_type_s,cs_uri_scheme_s,cs_host_s,cs_uri_port_s,cs_uri_path_s,cs_uri_query_s,cs_uri_extension_s,cs_user_agent_s,s_ip_s,sent_bytes_s,received_bytes_s,virus_id_s,app_name_s,app_operation_s,src_port_s,cs_threat_risk_s,country_s,TimeGenerated_UTC__s,DvcDomainType,DvcFQDN,DvcDomain,DvcMacAddr,AdditionalFields,EventOriginalSubType,RuleName,ThreatField,ThreatFirstReportedTime [UTC],ThreatLastReportedTime [UTC],TargetDvcId,ActorUserAadId,ActorUserId,ActorUserUpn,ActingProcessCommandLine,ActingProcessIntegrityLevel,ActingProcessMD5,ParentProcessName,ActingProcessSHA1,ActingProcessSHA256,ActingProcessTokenElevation,ParentProcessCreationTime [UTC],ActingProcessCreationTime_datetime [UTC],ActingProcessCreationTime_dynamic,InitiatingProcessSessionId,IsInitiatingProcessRemoteSession,InitiatingProcessRemoteSessionDeviceName,InitiatingProcessRemoteSessionIP,ActingProcessName,ActorUserIdType,TargetDvcOs,TargetUserSid,ActorUserSid,TargetWindowsUsername,ActorWindowsUsername,ActingProcessId,ParentProcessId,TargetDvcIdType,Hash,HashType,TargetHostname,TargetDomainType,TargetFQDN,TargetDomain,DvcMDEid,TargetDvcMDEid,ActingAppName,ActingAppType,Prcess,DvcId,DvcIdType,DvcOs,Account,TargetDvcHostname,EventSourceName,Channel,Task,EventData_string,EventData_dynamic,PartitionKey,RowKey,StorageAccount,AzureDeploymentID,AzureTableName,AccessList,AccessMask,AccessReason,AccountDomain,AccountExpires,AccountName,AccountSessionIdentifier,AdditionalInfo,AdditionalInfo2,AllowedToDelegateTo,Attributes,AuditPolicyChanges,AuditsDiscarded,AuthenticationLevel,AuthenticationProvider,AuthenticationServer,AuthenticationService,AuthenticationType,CACertificateHash,CalledStationID,CallerProcessId,CallerProcessName,CallingStationID,CAPublicKeyHash,CategoryId,CertificateDatabaseHash,ClassId,ClassName,ClientAddress,ClientIPAddress,ClientName,CommandLine,Co
mpatibleIds,DCDNSName,DeviceDescription,DeviceId,DisplayName,Disposition,DomainBehaviorVersion,DomainName,DomainPolicyChanged,DomainSid,EAPType,ElevatedToken,ErrorCode,ExtendedQuarantineState,FailureReason,FileHash,FilePath,FilePathNoUser,Filter,ForceLogoff,Fqbn,FullyQualifiedSubjectMachineName,FullyQualifiedSubjectUserName,GroupMembership,HandleId,HardwareIds,HomeDirectory,HomePath,ImpersonationLevel,InterfaceUuid,IpPort,KeyLength,LmPackageName,LocationInformation,LockoutDuration,LockoutObservationWindow,LockoutThreshold,LoggingResult,LogonGuid,LogonHours,LogonID,LogonProcessName,LogonType,LogonTypeName,MachineAccountQuota,MachineInventory,MachineLogon,MandatoryLabel,MaxPasswordAge,MemberName,MemberSid,MinPasswordAge,MinPasswordLength,MixedDomainMode,NASIdentifier,NASIPv4Address,NASIPv6Address,NASPort,NASPortType,NetworkPolicyName,NewDate,NewMaxUsers,NewProcessId,NewProcessName,NewRemark,NewShareFlags,NewTime,NewUacValue,NewValue,NewValueType,ObjectName,ObjectServer,ObjectType,ObjectValueName,OemInformation,OldMaxUsers,OldRemark,OldShareFlags,OldUacValue,OldValue,OldValueType,OperationType,PackageName,PasswordHistoryLength,PasswordLastSet,PasswordProperties,PreviousDate,PreviousTime,PrimaryGroupId,PrivateKeyUsageCount,PrivilegeList,Process,ProcessId,ProcessName,Properties,ProfilePath,ProtocolSequence,ProxyPolicyName,QuarantineHelpURL,QuarantineSessionID,QuarantineSessionIdentifier,QuarantineState,QuarantineSystemHealthResult,RelativeTargetName,RemoteIpAddress,RemotePort,Requester,RequestId,RestrictedAdminMode,RowsDeleted,SamAccountName,ScriptPath,SecurityDescriptor,ServiceAccount,ServiceFileName,ServiceName,ServiceStartType,ServiceType,SessionName,ShareLocalPath,ShareName,SidHistory,SubjectAccount,SubcategoryGuid,SubcategoryId,Subject,SubjectDomainName,SubjectKeyIdentifier,ActorSessionId,SubjectMachineName,SubjectMachineSID,SubjectUserName,SubStatus,TableId,TargetAccount,TargetDomainName,TargetInfo,TargetLinkedLogonId,TargetLogonGuid,TargetOutboundDomainName,Target
OutboundUserName,TargetServerName,TargetSid,TargetUser,TemplateContent,TemplateDSObjectFQDN,TemplateInternalName,TemplateOID,TemplateSchemaVersion,TemplateVersion,TokenElevationType,TransmittedServices,UserAccountControl,UserParameters,UserPrincipalName,UserWorkstations,VirtualAccount,VendorIds,Workstation,EventLevelName,SourceComputerId,MG,TimeCollected [UTC],SystemUserId,Version,Opcode,Keywords,Correlation,SystemProcessId,SystemThreadId,EventRecordId,_ResourceId,EventStatus,Provider,EventLevel,Data,RawEventData,TimeCreated [UTC],Computer,SrcIsp,AuthenticationContext,AuthenticationStep,TlsCipher,LogonMethodOriginal,LogonProtocolOriginal,DvcOsVersion,TargetUserScope,DvcScopeId,Rule,TargetDvcScopeId,EventTime [UTC],Facility,HostName,SeverityLevel,SyslogMessage,ProcessID,HostIP,TTY,PWD,COMMAND,EventOriginalRestultDetails,EventReportUrl,EventOwner,ActorScopeId,ActorOriginalUserType,SrcDvcIdType,SrcDescription,SrcDvcScopeId,SrcRiskLevel,SrcOriginalRiskLevel,ActingOriginalAppType,TargetOriginalAppType,TargetDescription,TargetDeviceType,TargetDvcScope,TargetGeoCity,TargetGeoCountry,TargetGeoRegion,TargetGeoLatitude,TargetGeoLongitude,UserScope,UserScopeId,TargetUserSessionId,SrcDvcHostnameType,DvcDescription,DvcZone,DvcOriginalAction,DvcScope,DvcScopeOd,RuleNumber,ThreatId,ThreatName,ThreatCategory,ThreatOriginalRiskLevel,ThreatOriginalConfidence,ThreatIsActive,ThreatConfidence,ThreatRiskLevel +"09/04/2024, 11:26:37.286",,,Azure Key Vault,,,173.22.12.1,,,username1@contoso.com,ASimAuthenticationEventLogs,,MFA not 
satisfied,Logon,Failure,,Low,barracuda,1,WAF,Authentication,0.1.3,Barracuda,,,,,,,,,,173.22.12.1,,173.22.12.1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,admin,,,,,,,,,,,,,,,,db1c505f-f59a-11ee-97a7-544c8a4b3105,,,,10.50.7.70,barracuda,username1@contoso.com,Simple,Admin,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +"10/04/2024, 11:26:37.286",,,Microsoft Graph,,,173.21.19.5,,,username2@contoso.com,ASimAuthenticationEventLogs,,Incorrect Password,Logoff,Success,,Low,barracuda,1,WAF,Authentication,0.1.3,Barracuda,,,,,,,,,,173.21.19.5,,173.21.19.5,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LAPTOP-OQGTPR38,,,,,,,,,,,,,,,,db1c5060-f59a-11ee-97a7-544c8a4b3105,,,,10.50.7.71,barracuda,username2@contoso.com,Simple,Admin,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +"11/04/2024, 11:26:37.286",,,Log Analytics API,,,170.26.14.2,,,username3@contoso.com,ASimAuthenticationEventLogs,,Incorrect 
Password,Logon,Success,,Low,barracuda,1,WAF,Authentication,0.1.3,Barracuda,,,,,,,,,,170.26.14.2,,170.26.14.2,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,daesoopc,,,,,,,,,,,,,,,,db1c5061-f59a-11ee-97a7-544c8a4b3105,,,,10.50.7.72,barracuda,username3@contoso.com,Simple,Admin,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +"12/04/2024, 11:26:37.286",,,Azure Resource Manager,,,175.27.13.104,,,username4@contoso.com,ASimAuthenticationEventLogs,,Password expired,Logon,Success,,Low,barracuda,1,WAF,Authentication,0.1.3,Barracuda,,,,,,,,,,175.27.13.104,,175.27.13.104,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,AY-Laptop,,,,,,,,,,,,,,,,db1c5062-f59a-11ee-97a7-544c8a4b3105,,,,10.50.7.73,barracuda,username4@contoso.com,Simple,Admin,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, +"013/04/2024, 11:26:37.286",,,Microsoft Graph,,,175.23.11.106,,,username5@contoso.com,ASimAuthenticationEventLogs,,Session 
expired,Logoff,Failure,,Low,barracuda,1,WAF,Authentication,0.1.3,Barracuda,,,,,,,,,,175.23.11.106,,175.23.11.106,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,LAPTOP-OQGTPR38,,,,,,,,,,,,,,,,db1c5063-f59a-11ee-97a7-544c8a4b3105,,,,10.50.7.74,barracuda,username5@contoso.com,Simple,Admin,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
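Review bot: The fifth data row's TimeGenerated value, `"013/04/2024, 11:26:37.286"`, carries a stray leading zero that the other four rows do not have, so a test that ingests this sample will most likely get a null or rejected timestamp for that row; it should read `"13/04/2024, 11:26:37.286"`. The day-first `DD/MM/YYYY` form is itself locale-dependent for ingestion tooling, and an ISO 8601 value such as `2024-04-13T11:26:37.286Z` on all five rows would remove that ambiguity. The header row also lists a large number of columns (Syslog, SecurityEvent and sign-in log style fields) that look unrelated to the native table being sampled, which suggests the file was exported from a multi-table query; trimming it to the table's own columns would keep the sample representative and far easier to review.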