Merge pull request #10099 from Azure/Correcting-UserManagement-Parsers
Updating UserManagement Parsers
v-atulyadav committed Mar 13, 2024
2 parents 5c045d7 + 13282b2 commit f0426ae
Showing 24 changed files with 419 additions and 78 deletions.
31 changes: 23 additions & 8 deletions ASIM/dev/ASimTester/ASimTester.csv
Expand Up @@ -6,6 +6,7 @@ ActingAppId,string,Optional,UserManagement,,,
ActingAppName,string,Optional,AuditEvent,,,
ActingAppName,string,Optional,Authentication,,,
ActingAppName,string,Optional,FileEvent,,,
ActingAppName,string,Optional,UserManagement,,,
ActingAppType,string,Optional,AuditEvent,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
ActingAppType,string,Optional,Authentication,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
ActingAppType,string,Optional,FileEvent,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
Expand Down Expand Up @@ -42,8 +43,8 @@ ActingProcessSHA1,string,Optional,ProcessEvent,SHA1,,
ActingProcessSHA256,string,Optional,ProcessEvent,SHA256,,
ActingProcessSHA512,string,Optional,ProcessEvent,SHA521,,
ActingProcessTokenElevation,string,Optional,ProcessEvent,,,
ActiveAppName,string,Optional,UserManagement,,,
ActorOriginalUserType,,,UserManagement,,,
ActingAppName,string,Optional,UserManagement,,,
ActorOriginalUserType,string,Optional,UserManagement,,,
ActorOriginalUserType,string,Optional,AuditEvent,,,
ActorOriginalUserType,string,Optional,Authentication,,,
ActorOriginalUserType,string,Optional,FileEvent,,,
Expand All @@ -52,10 +53,12 @@ ActorScope,string,Optional,AuditEvent,,,
ActorScope,string,Optional,Authentication,,,
ActorScope,string,Optional,FileEvent,,,
ActorScope,string,Optional,ProcessEvent,,,
ActorScope,string,Optional,UserManagement,,,
ActorScopeId,string,Optional,AuditEvent,,,
ActorScopeId,string,Optional,Authentication,,,
ActorScopeId,string,Optional,FileEvent,,,
ActorScopeId,string,Optional,ProcessEvent,,,
ActorScopeId,string,Optional,UserManagement,,,
ActorSessionId,string,Optional,AuditEvent,,,
ActorSessionId,string,Optional,Authentication,,,
ActorSessionId,string,Optional,FileEvent,,,
Expand All @@ -66,6 +69,7 @@ ActorUpn,string,Optional,FileEvent,,,
ActorUserAadId,string,Optional,AuditEvent,,,
ActorUserAadId,string,Optional,FileEvent,,,
ActorUserAadId,string,Optional,ProcessEvent,,,
ActorUserAadId,string,Optional,UserManagement,,,
ActorUserId,string,Optional,AuditEvent,,,
ActorUserId,string,Optional,Authentication,,,
ActorUserId,string,Optional,UserManagement,,,
Expand Down Expand Up @@ -94,6 +98,7 @@ ActorUserPuid,string,Optional,FileEvent,,,
ActorUserSid,string,Optional,AuditEvent,,,
ActorUserSid,string,Optional,FileEvent,,,
ActorUserSid,string,Optional,ProcessEvent,,,
ActorUserSid,string,Optional,UserManagement,,,
ActorUserType,string,Optional,AuditEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
ActorUserType,string,Optional,Authentication,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
ActorUserType,string,Optional,FileEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
Expand Down Expand Up @@ -367,7 +372,7 @@ DvcIpAddr,string,Recommended,ProcessEvent,IP Address,,
DvcIpAddr,string,Recommended,RegistryEvent,IP Address,,
DvcIpAddr,string,Recommended,UserManagement,,,
DvcIpAddr,string,Recommended,WebSession,IP Address,,
DvcMacAddr,MAC address,Optional,UserManagement,,,
DvcMacAddr,string,Optional,UserManagement,MAC address,,
DvcMacAddr,string,Optional,AuditEvent,MAC address,,
DvcMacAddr,string,Optional,Authentication,MAC address,,
DvcMacAddr,string,Optional,Common,MAC address,,
Expand Down Expand Up @@ -868,6 +873,7 @@ SrcDescription,string,Optional,FileEvent,,,
SrcDescription,string,Optional,NetworkSession,,,
SrcDescription,string,Optional,RegistryEvent,,,
SrcDescription,string,Optional,WebSession,,,
SrcDescription,string,Optional,UserManagement,,,
SrcDeviceType,string,Optional,AuditEvent,Enumerated,Computer|Mobile Device|IOT Device|Other,
SrcDeviceType,string,Optional,Authentication,Enumerated,Computer|Mobile Device|IOT Device|Other,
SrcDeviceType,string,Optional,Dhcp,Enumerated,Computer|Mobile Device|IOT Device|Other,
Expand Down Expand Up @@ -941,35 +947,35 @@ SrcFQDN,string,Optional,FileEvent,,,
SrcFQDN,string,Optional,NetworkSession,FQDN,,
SrcFQDN,string,Optional,UserManagement,,,
SrcFQDN,string,Optional,WebSession,FQDN,,
SrcGeoCity,City,Optional,UserManagement,,,
SrcGeoCity,string,Optional,UserManagement,City,,
SrcGeoCity,string,Optional,AuditEvent,City,,
SrcGeoCity,string,Optional,Authentication,City,,
SrcGeoCity,string,Optional,Dns,City,,
SrcGeoCity,string,Optional,FileEvent,City,,
SrcGeoCity,string,Optional,NetworkSession,City,,
SrcGeoCity,string,Optional,WebSession,City,,
SrcGeoCountry,Country,Optional,UserManagement,,,
SrcGeoCountry,string,Optional,UserManagement,Country,,
SrcGeoCountry,string,Optional,AuditEvent,Country,,
SrcGeoCountry,string,Optional,Authentication,Country,,
SrcGeoCountry,string,Optional,Dns,Country,,
SrcGeoCountry,string,Optional,FileEvent,Country,,
SrcGeoCountry,string,Optional,NetworkSession,Country,,
SrcGeoCountry,string,Optional,WebSession,Country,,
SrcGeoLatitude,Latitude,Optional,UserManagement,,,
SrcGeoLatitude,real,Optional,UserManagement,,,
SrcGeoLatitude,real,Optional,AuditEvent,,,
SrcGeoLatitude,real,Optional,Authentication,,,
SrcGeoLatitude,real,Optional,Dns,City,,
SrcGeoLatitude,real,Optional,FileEvent,,,
SrcGeoLatitude,real,Optional,NetworkSession,,,
SrcGeoLatitude,real,Optional,WebSession,,,
SrcGeoLongitude,Longitude,Optional,UserManagement,,,
SrcGeoLongitude,real,Optional,UserManagement,,,
SrcGeoLongitude,real,Optional,AuditEvent,,,
SrcGeoLongitude,real,Optional,Authentication,,,
SrcGeoLongitude,real,Optional,Dns,,,
SrcGeoLongitude,real,Optional,FileEvent,,,
SrcGeoLongitude,real,Optional,NetworkSession,,,
SrcGeoLongitude,real,Optional,WebSession,,,
SrcGeoRegion,Region,Optional,UserManagement,,,
SrcGeoRegion,string,Optional,UserManagement,Region,,
SrcGeoRegion,string,Optional,AuditEvent,Region,,
SrcGeoRegion,string,Optional,Authentication,Region,,
SrcGeoRegion,string,Optional,Dns,Region,,
Expand Down Expand Up @@ -1000,13 +1006,15 @@ SrcIsp,string,Optional,Authentication,,,
SrcMacAddr,string,Mandatory,Dhcp,Mac Address,,
SrcMacAddr,string,Optional,NetworkSession,MAC address,,
SrcMacAddr,string,Optional,WebSession,MAC address,,
SrcMacAddr,string,Optional,UserManagement,MAC address,,
SrcNatIpAddr,string,Optional,NetworkSession,IP Address,,
SrcNatIpAddr,string,Optional,WebSession,IP Address,,
SrcNatPortNumber,int,Optional,NetworkSession,,,
SrcNatPortNumber,int,Optional,WebSession,,,
SrcOriginalRiskLevel,string,Optional,AuditEvent,,,
SrcOriginalRiskLevel,string,Optional,Authentication,,,
SrcOriginalRiskLevel,string,Optional,Dns,,,
SrcOriginalRiskLevel,string,Optional,UserManagement,,,
SrcOriginalUserType,string,Optional,Dhcp,,,
SrcOriginalUserType,string,Optional,Dns,,,
SrcOriginalUserType,string,Optional,NetworkSession,,,
Expand All @@ -1019,6 +1027,7 @@ SrcPortNumber,int,Optional,Dns,,,
SrcPortNumber,int,Optional,FileEvent,,,
SrcPortNumber,int,Optional,NetworkSession,,,
SrcPortNumber,int,Optional,WebSession,,,
SrcPortNumber,int,Optional,UserManagement,,,
SrcProcessGuid,string,Optional,Dns,GUID,,
SrcProcessGuid,string,Optional,NetworkSession,,,
SrcProcessId,string,Optional,Dns,,,
Expand All @@ -1028,6 +1037,7 @@ SrcProcessName,string,Optional,NetworkSession,,,
SrcRiskLevel,int,Optional,AuditEvent,,,
SrcRiskLevel,int,Optional,Authentication,,,
SrcRiskLevel,int,Optional,Dns,,,
SrcRiskLevel,int,Optional,UserManagement,,,
SrcScopeId,string,Optional,NetworkSession,,,
SrcUserAadId,string,Optional,Dns,,,
SrcUserAWSId,string,Optional,Dns,,,
Expand Down Expand Up @@ -1162,6 +1172,7 @@ TargetUserAadId,string,Optional,ProcessEvent,,,
TargetUserId,string,Optional,Authentication,,,
TargetUserId,string,Optional,UserManagement,,,
TargetUserId,string,Recommended,ProcessEvent,,,
TargetUserUid,string,Optional,UserManagement,,,
TargetUserIdType,string,Conditional,Authentication,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|GWorkspaceProfileID|Other,TargetUserId
TargetUserIdType,string,Conditional,ProcessEvent,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
TargetUserIdType,string,Conditional,UserManagement,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
Expand All @@ -1172,9 +1183,12 @@ TargetUsernameType,string,Conditional,Authentication,Enumerated,UPN|Windows|DN|S
TargetUsernameType,string,Conditional,ProcessEvent,Enumerated,UPN|Windows|DN|Simple,TargetUsername
TargetUsernameType,string,Conditional,UserManagement,Enumerated,UPN|Windows|DN|Simple,TargetUsername
TargetUserScope,string,Optional,Authentication,,,
TargetUserScope,string,Optional,UserManagement,,,
TargetUserScopeId,string,Optional,Authentication,,,
TargetUserScopeId,string,Optional,UserManagement,,,
TargetUserSessionGuid,string,Optional,ProcessEvent,,,
TargetUserSessionId,string,Optional,ProcessEvent,,,
TargetUserSessionId,string,Optional,UserManagement,,,
TargetUserSid,string,Optional,ProcessEvent,,,
TargetUserType,string,Optional,Authentication,,Regular|Guest|Machine|Admin|System|Application|Service|Other,
TargetUserType,string,Optional,ProcessEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
Expand Down Expand Up @@ -1313,6 +1327,7 @@ TimeGenerated,datetime,Mandatory,NetworkSession,,,
TimeGenerated,datetime,Mandatory,ProcessEvent,,,
TimeGenerated,datetime,Mandatory,RegistryEvent,,,
TimeGenerated,datetime,Mandatory,WebSession,,,
TimeGenerated,datetime,Mandatory,UserManagement,,,
TransactionIdHex,string,Recommended,Dns,Hexadecimal,,
Type,string,Mandatory,AuditEvent,,,
Type,string,Mandatory,Authentication,,,
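Review bot: The row `ActingAppName,string,Optional,UserManagement,,,` now appears twice on the new side of ASimTester.csv — once added in the `-6,6 +6,7` hunk directly after the FileEvent row, and again in the `-42,8 +43,8` hunk where it replaces the misspelled `ActiveAppName` row — so the schema tester carries a duplicate field definition for UserManagement; drop the second copy so the entry stays in its alphabetical position beside the other ActingAppName rows. The old/new sides are inferred from the hunk counts and row content, since the rendered view lost the +/- markers. Two of the other insertions also break the alphabetical order the rest of the file keeps: `TargetUserUid,string,Optional,UserManagement,,,` is placed ahead of `TargetUserIdType`, and the UserManagement `TimeGenerated` row is placed after WebSession instead of before it; `TargetUserUid` additionally appears for no other schema in the visible hunks, so it is worth confirming it is a defined ASIM field name rather than a typo. Keeping the file sorted makes duplicates like the first one easy to spot in later reviews.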
Expand Up @@ -35,7 +35,7 @@
"displayName": "User Management ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimUserManagement",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack:bool=false\n){\nunion isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n}; \nparser (\n pack=pack\n)",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)",
"version": 1,
"functionParameters": "pack:bool=False"
}