Commit

Update ASimUserManagementSentinelOne.yaml
vakohl authored Mar 7, 2024
1 parent 0d08b0a commit 504e326
Showing 1 changed file with 8 additions and 2 deletions.
Expand Up @@ -65,7 +65,13 @@ ParserQuery: |
| parse description_s with * "with id=" id: string "," restOfMessage
| lookup EventTypeLookup on activityType_d//;
| extend
EventType = iff(activityType_d in (67, 42) and primaryDescription_s has "enabled", "UserEnabled", "UserDisabled"),
EventType = case (
activityType_d in (67, 42) and primaryDescription_s has "enabled",
"UserEnabled",
activityType_d in (67, 42) and primaryDescription_s has "disabled",
"UserDisabled",
EventType
),
PreviousPropertyValue = case(
activityType_d in (67, 42) and primaryDescription_s has "enabled",
"disabled",
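Review bot: In the new `EventType = case (...)`, an activity of type 67 or 42 whose `primaryDescription_s` contains neither "enabled" nor "disabled" now falls through to the `EventType` produced by `lookup EventTypeLookup on activityType_d`. If that lookup has no row for 67 and 42, the column is left empty for those events, so please confirm the lookup covers both types or make the default explicit. The predicate `activityType_d in (67, 42) and primaryDescription_s has "enabled"` is also repeated in the `PreviousPropertyValue` case directly below; computing the enabled/disabled booleans once in a preceding `extend` would keep the two branches from drifting apart. Minor style point: `case (` here versus `case(` on the next assignment. The commit message does not say that events of other activity types were previously forced to "UserDisabled" by the `iff`, which is the behaviour this changes and is worth stating.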
Expand Down Expand Up @@ -169,4 +175,4 @@ ParserQuery: |
SourceSystem,
newValue
};
parser(disabled=disabled)
parser(disabled=disabled)
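Review bot: The final line `parser(disabled=disabled)` is removed and re-added with identical visible text, so this is a whitespace or end-of-file newline change unrelated to the `EventType` fix. Either drop it from this commit or note in the commit message that the file ending was normalized, so the diff for the parser logic stays easy to audit.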
