diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index 513dd1edba7..f1d2fb8a399 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -6,6 +6,7 @@ ActingAppId,string,Optional,UserManagement,,,
ActingAppName,string,Optional,AuditEvent,,,
ActingAppName,string,Optional,Authentication,,,
ActingAppName,string,Optional,FileEvent,,,
+ActingAppName,string,Optional,UserManagement,,,
ActingAppType,string,Optional,AuditEvent,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
ActingAppType,string,Optional,Authentication,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
ActingAppType,string,Optional,FileEvent,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
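Review bot: The row `ActingAppName,string,Optional,UserManagement,,,` added here is added a second time by the hunk at `@@ -42,8 +43,8 @@`, which rewrites the misspelled `ActiveAppName` row into exactly the same value, so the file ends up with two identical ActingAppName/UserManagement entries. One of the two additions should be dropped; keeping only the corrected row in the later hunk is sufficient, since it replaces the existing entry in place. A duplicate row here is likely to make the tester report the field twice or behave unpredictably on the duplicate key, depending on how the CSV is loaded.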
@@ -42,8 +43,8 @@ ActingProcessSHA1,string,Optional,ProcessEvent,SHA1,,
ActingProcessSHA256,string,Optional,ProcessEvent,SHA256,,
ActingProcessSHA512,string,Optional,ProcessEvent,SHA521,,
ActingProcessTokenElevation,string,Optional,ProcessEvent,,,
-ActiveAppName,string,Optional,UserManagement,,,
-ActorOriginalUserType,,,UserManagement,,,
+ActingAppName,string,Optional,UserManagement,,,
+ActorOriginalUserType,string,Optional,UserManagement,,,
ActorOriginalUserType,string,Optional,AuditEvent,,,
ActorOriginalUserType,string,Optional,Authentication,,,
ActorOriginalUserType,string,Optional,FileEvent,,,
@@ -52,10 +53,12 @@ ActorScope,string,Optional,AuditEvent,,,
ActorScope,string,Optional,Authentication,,,
ActorScope,string,Optional,FileEvent,,,
ActorScope,string,Optional,ProcessEvent,,,
+ActorScope,string,Optional,UserManagement,,,
ActorScopeId,string,Optional,AuditEvent,,,
ActorScopeId,string,Optional,Authentication,,,
ActorScopeId,string,Optional,FileEvent,,,
ActorScopeId,string,Optional,ProcessEvent,,,
+ActorScopeId,string,Optional,UserManagement,,,
ActorSessionId,string,Optional,AuditEvent,,,
ActorSessionId,string,Optional,Authentication,,,
ActorSessionId,string,Optional,FileEvent,,,
@@ -66,6 +69,7 @@ ActorUpn,string,Optional,FileEvent,,,
ActorUserAadId,string,Optional,AuditEvent,,,
ActorUserAadId,string,Optional,FileEvent,,,
ActorUserAadId,string,Optional,ProcessEvent,,,
+ActorUserAadId,string,Optional,UserManagement,,,
ActorUserId,string,Optional,AuditEvent,,,
ActorUserId,string,Optional,Authentication,,,
ActorUserId,string,Optional,UserManagement,,,
@@ -94,6 +98,7 @@ ActorUserPuid,string,Optional,FileEvent,,,
ActorUserSid,string,Optional,AuditEvent,,,
ActorUserSid,string,Optional,FileEvent,,,
ActorUserSid,string,Optional,ProcessEvent,,,
+ActorUserSid,string,Optional,UserManagement,,,
ActorUserType,string,Optional,AuditEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
ActorUserType,string,Optional,Authentication,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
ActorUserType,string,Optional,FileEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
@@ -367,7 +372,7 @@ DvcIpAddr,string,Recommended,ProcessEvent,IP Address,,
DvcIpAddr,string,Recommended,RegistryEvent,IP Address,,
DvcIpAddr,string,Recommended,UserManagement,,,
DvcIpAddr,string,Recommended,WebSession,IP Address,,
-DvcMacAddr,MAC address,Optional,UserManagement,,,
+DvcMacAddr,string,Optional,UserManagement,MAC address,,
DvcMacAddr,string,Optional,AuditEvent,MAC address,,
DvcMacAddr,string,Optional,Authentication,MAC address,,
DvcMacAddr,string,Optional,Common,MAC address,,
@@ -868,6 +873,7 @@ SrcDescription,string,Optional,FileEvent,,,
SrcDescription,string,Optional,NetworkSession,,,
SrcDescription,string,Optional,RegistryEvent,,,
SrcDescription,string,Optional,WebSession,,,
+SrcDescription,string,Optional,UserManagement,,,
SrcDeviceType,string,Optional,AuditEvent,Enumerated,Computer|Mobile Device|IOT Device|Other,
SrcDeviceType,string,Optional,Authentication,Enumerated,Computer|Mobile Device|IOT Device|Other,
SrcDeviceType,string,Optional,Dhcp,Enumerated,Computer|Mobile Device|IOT Device|Other,
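Review bot: The new `SrcDescription,string,Optional,UserManagement,,,` row is appended after the WebSession row, whereas the surrounding rows for the same field list schemas in alphabetical order (AuditEvent, Authentication, …, NetworkSession, RegistryEvent, WebSession); inserting it before `SrcDescription,string,Optional,WebSession,,,` would keep that ordering. The same applies to the UserManagement rows added in the hunks at `@@ -1000,6 +1006,7 @@` (SrcMacAddr) and `@@ -1313,6 +1327,7 @@` (TimeGenerated), and to `TargetUserUid` in `@@ -1162,6 +1172,7 @@`, which is placed between TargetUserId and TargetUserIdType rather than after the TargetUserType rows. Ordering is not enforced by the format, so this is a readability and merge-conflict concern rather than a functional one.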
@@ -941,35 +947,35 @@ SrcFQDN,string,Optional,FileEvent,,,
SrcFQDN,string,Optional,NetworkSession,FQDN,,
SrcFQDN,string,Optional,UserManagement,,,
SrcFQDN,string,Optional,WebSession,FQDN,,
-SrcGeoCity,City,Optional,UserManagement,,,
+SrcGeoCity,string,Optional,UserManagement,City,,
SrcGeoCity,string,Optional,AuditEvent,City,,
SrcGeoCity,string,Optional,Authentication,City,,
SrcGeoCity,string,Optional,Dns,City,,
SrcGeoCity,string,Optional,FileEvent,City,,
SrcGeoCity,string,Optional,NetworkSession,City,,
SrcGeoCity,string,Optional,WebSession,City,,
-SrcGeoCountry,Country,Optional,UserManagement,,,
+SrcGeoCountry,string,Optional,UserManagement,Country,,
SrcGeoCountry,string,Optional,AuditEvent,Country,,
SrcGeoCountry,string,Optional,Authentication,Country,,
SrcGeoCountry,string,Optional,Dns,Country,,
SrcGeoCountry,string,Optional,FileEvent,Country,,
SrcGeoCountry,string,Optional,NetworkSession,Country,,
SrcGeoCountry,string,Optional,WebSession,Country,,
-SrcGeoLatitude,Latitude,Optional,UserManagement,,,
+SrcGeoLatitude,real,Optional,UserManagement,,,
SrcGeoLatitude,real,Optional,AuditEvent,,,
SrcGeoLatitude,real,Optional,Authentication,,,
SrcGeoLatitude,real,Optional,Dns,City,,
SrcGeoLatitude,real,Optional,FileEvent,,,
SrcGeoLatitude,real,Optional,NetworkSession,,,
SrcGeoLatitude,real,Optional,WebSession,,,
-SrcGeoLongitude,Longitude,Optional,UserManagement,,,
+SrcGeoLongitude,real,Optional,UserManagement,,,
SrcGeoLongitude,real,Optional,AuditEvent,,,
SrcGeoLongitude,real,Optional,Authentication,,,
SrcGeoLongitude,real,Optional,Dns,,,
SrcGeoLongitude,real,Optional,FileEvent,,,
SrcGeoLongitude,real,Optional,NetworkSession,,,
SrcGeoLongitude,real,Optional,WebSession,,,
-SrcGeoRegion,Region,Optional,UserManagement,,,
+SrcGeoRegion,string,Optional,UserManagement,Region,,
SrcGeoRegion,string,Optional,AuditEvent,Region,,
SrcGeoRegion,string,Optional,Authentication,Region,,
SrcGeoRegion,string,Optional,Dns,Region,,
@@ -1000,6 +1006,7 @@ SrcIsp,string,Optional,Authentication,,,
SrcMacAddr,string,Mandatory,Dhcp,Mac Address,,
SrcMacAddr,string,Optional,NetworkSession,MAC address,,
SrcMacAddr,string,Optional,WebSession,MAC address,,
+SrcMacAddr,string,Optional,UserManagement,MAC address,,
SrcNatIpAddr,string,Optional,NetworkSession,IP Address,,
SrcNatIpAddr,string,Optional,WebSession,IP Address,,
SrcNatPortNumber,int,Optional,NetworkSession,,,
@@ -1007,6 +1014,7 @@ SrcNatPortNumber,int,Optional,WebSession,,,
SrcOriginalRiskLevel,string,Optional,AuditEvent,,,
SrcOriginalRiskLevel,string,Optional,Authentication,,,
SrcOriginalRiskLevel,string,Optional,Dns,,,
+SrcOriginalRiskLevel,string,Optional,UserManagement,,,
SrcOriginalUserType,string,Optional,Dhcp,,,
SrcOriginalUserType,string,Optional,Dns,,,
SrcOriginalUserType,string,Optional,NetworkSession,,,
@@ -1019,6 +1027,7 @@ SrcPortNumber,int,Optional,Dns,,,
SrcPortNumber,int,Optional,FileEvent,,,
SrcPortNumber,int,Optional,NetworkSession,,,
SrcPortNumber,int,Optional,WebSession,,,
+SrcPortNumber,int,Optional,UserManagement,,,
SrcProcessGuid,string,Optional,Dns,GUID,,
SrcProcessGuid,string,Optional,NetworkSession,,,
SrcProcessId,string,Optional,Dns,,,
@@ -1028,6 +1037,7 @@ SrcProcessName,string,Optional,NetworkSession,,,
SrcRiskLevel,int,Optional,AuditEvent,,,
SrcRiskLevel,int,Optional,Authentication,,,
SrcRiskLevel,int,Optional,Dns,,,
+SrcRiskLevel,int,Optional,UserManagement,,,
SrcScopeId,string,Optional,NetworkSession,,,
SrcUserAadId,string,Optional,Dns,,,
SrcUserAWSId,string,Optional,Dns,,,
@@ -1162,6 +1172,7 @@ TargetUserAadId,string,Optional,ProcessEvent,,,
TargetUserId,string,Optional,Authentication,,,
TargetUserId,string,Optional,UserManagement,,,
TargetUserId,string,Recommended,ProcessEvent,,,
+TargetUserUid,string,Optional,UserManagement,,,
TargetUserIdType,string,Conditional,Authentication,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|GWorkspaceProfileID|Other,TargetUserId
TargetUserIdType,string,Conditional,ProcessEvent,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
TargetUserIdType,string,Conditional,UserManagement,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
@@ -1172,9 +1183,12 @@ TargetUsernameType,string,Conditional,Authentication,Enumerated,UPN|Windows|DN|S
TargetUsernameType,string,Conditional,ProcessEvent,Enumerated,UPN|Windows|DN|Simple,TargetUsername
TargetUsernameType,string,Conditional,UserManagement,Enumerated,UPN|Windows|DN|Simple,TargetUsername
TargetUserScope,string,Optional,Authentication,,,
+TargetUserScope,string,Optional,UserManagement,,,
TargetUserScopeId,string,Optional,Authentication,,,
+TargetUserScopeId,string,Optional,UserManagement,,,
TargetUserSessionGuid,string,Optional,ProcessEvent,,,
TargetUserSessionId,string,Optional,ProcessEvent,,,
+TargetUserSessionId,string,Optional,UserManagement,,,
TargetUserSid,string,Optional,ProcessEvent,,,
TargetUserType,string,Optional,Authentication,,Regular|Guest|Machine|Admin|System|Application|Service|Other,
TargetUserType,string,Optional,ProcessEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
@@ -1313,6 +1327,7 @@ TimeGenerated,datetime,Mandatory,NetworkSession,,,
TimeGenerated,datetime,Mandatory,ProcessEvent,,,
TimeGenerated,datetime,Mandatory,RegistryEvent,,,
TimeGenerated,datetime,Mandatory,WebSession,,,
+TimeGenerated,datetime,Mandatory,UserManagement,,,
TransactionIdHex,string,Recommended,Dns,Hexadecimal,,
Type,string,Mandatory,AuditEvent,,,
Type,string,Mandatory,Authentication,,,
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json
index 10d39b407c1..2d22f0ef4ce 100644
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json
@@ -35,7 +35,7 @@
"displayName": "User Management ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimUserManagement",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack:bool=false\n){\nunion isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n}; \nparser (\n pack=pack\n)",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)",
"version": 1,
"functionParameters": "pack:bool=False"
}
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json
index 37a3cd7cd3f..39d5990645c 100644
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json
@@ -35,7 +35,7 @@
"displayName": "User Management ASIM parser for Cisco ISE",
"category": "ASIM",
"FunctionAlias": "ASimUserManagementCiscoISE",
- "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n dvcHostname,\n 
['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disbled)",
+ "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n 
_ResourceId,\n NetworkDeviceName,\n dvcHostname,\n ['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disbled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
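Review bot: The closing call at the end of the new query, `CiscoISEUsrMgmtParser(disabled=disbled)`, references `disbled`, which is not declared anywhere in the query and does not match the `disabled` parameter announced in `functionParameters`; unless a `disbled` name happens to exist in scope, the function will fail to resolve and the source-specific exclusion will never work. It should read `CiscoISEUsrMgmtParser(disabled=disabled)`. The typo predates this commit but is carried verbatim into the rewritten query string. Separately, the newly added `| where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))` line is placed before `| where not(disabled)`; the LinuxAuthpriv parser in this same commit applies `not(disabled)` first, and keeping that order here would make the disabled short-circuit consistent across parsers.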
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json
index 63b2be6179f..fda5ece200a 100644
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json
@@ -35,7 +35,7 @@
"displayName": "User Management ASIM parser for Linux Authpriv logs",
"category": "ASIM",
"FunctionAlias": "ASimUserManagementLinuxAuthpriv",
- "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and 
SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change 
user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to 
\" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" 
group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n| project-away Computer, HostIP, HostName\n};\nparser (\n disabled = disabled\n)",
+ "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and 
SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change 
user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to 
\" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" 
group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n disabled = disabled\n)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
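Review bot: The third useradd branch in the new query filters on `SyslogMessage startswith "new group: name="` but then parses with `parse SyslogMessage with "new user: name=" GroupName ", GID=" GroupId`, so the pattern never matches and GroupName/GroupId stay empty for every row that branch admits; the parse prefix should read `"new group: name="`. In the same query the usermod `cannot open login definitions` branch emits `EventType = "UserCreated"`, apparently carried over from the useradd branch, where `"UserModified"` is the process actually involved. The added `| extend SrcIpAddr = DvcIpAddr` aliases the device's own address as the source: local useradd/usermod activity has no remote source, and filtering parsers that take `srcipaddr_has_any_prefix` will now match these events on the host IP — if that is intended, a short comment saying so would help, and the line is indented differently from the neighbouring operators.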
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json
new file mode 100644
index 00000000000..edadff7825a
--- /dev/null
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimUserManagementNative",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "User Management activity ASIM parser for Microsoft Sentinel native User Management activity table",
+ "category": "ASIM",
+ "FunctionAlias": "ASimUserManagementNative",
+ "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled = disabled)\n",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
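Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests the wrong column, so a row with a null EventStartTime and a populated EventEndTime keeps the null; it should be `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime)`. The `Rule = coalesce(RuleName, tostring(RuleNumber))` alias assumes RuleName and RuleNumber exist on ASimUserManagementActivityLogs, which nothing in this file shows — worth confirming against the table schema, since a missing column fails the whole function rather than a single row.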
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/README.md b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/README.md
new file mode 100644
index 00000000000..8eee29da790
--- /dev/null
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/README.md
@@ -0,0 +1,18 @@
+# Native ASIM UserManagement Normalization Parser
+
+ARM template for ASIM UserManagement schema parser for Native.
+
+This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM UserManagement normalization schema reference](https://aka.ms/ASimUserManagementDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FASimUserManagementNative%2FASimUserManagementNative.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FASimUserManagementNative%2FASimUserManagementNative.json)
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json
index c7d71d36b37..c252d8b13dc 100644
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json
@@ -35,7 +35,7 @@
"displayName": "User Management ASIM parser for SentinelOne",
"category": "ASIM",
"FunctionAlias": "ASimUserManagementSentinelOne",
- "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n];\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Activities.\"\n and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, 
roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields:string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend \n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser), username, \"\"),\n PreviousPropertyValue = coalesce(oldDescription, oldRole),\n NewPropertyValue = coalesce(description, role)\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId),\"Other\",\"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n 
\"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem\n};\nparser(disabled=disabled)",
+ "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and 
activityType_d in (UsermanagementactivityIds)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n ),\n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | 
project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(disabled=disabled)\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
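Review bot: The lookup rows added for activity types 67 and 42 carry an empty EventType, and the `EventType = case(...)` that follows only fills it when `primaryDescription_s has "enabled"` or `has "disabled"`; any other wording leaves EventType empty, which the UserManagement schema does not allow. A branch before the fallback, `activityType_d in (67, 42), "UserModified",`, keeps those rows typed. Mapping 42 (`Global 2FA modified`) to UserEnabled/UserDisabled also presents a tenant-wide MFA setting change as a single-user lifecycle event, which detections keyed on UserDisabled are likely to misread — a comment explaining the intent, or UserModified with an EventSubType, seems safer. The `newValue` key added to parse-kv is only ever projected away, so it can be dropped.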
diff --git a/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json b/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json
index f1f2bc9839b..e2c945ffff2 100644
--- a/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json
+++ b/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json
@@ -98,6 +98,26 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimUserManagementNative",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
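Review bot: The new `linkedASimUserManagementNative` resource fetches its template from a `master` branch URL at deployment time, so the content actually deployed is whatever that branch holds when the deployment runs, with `"contentVersion": "1.0.0.0"` as the only pin; the `linkedvimUserManagementNative` resource in the second hunk has the same shape. This mirrors the existing linked deployments visible just below the hunk, so it is the file's convention rather than a defect introduced here. If reproducible, reviewable deployments are wanted, pinning the `uri` to a tag or commit would be the change; otherwise a short comment at the top of the resources array noting that linked templates track `master` would at least make the behaviour explicit.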
@@ -218,6 +238,26 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimUserManagementNative",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
diff --git a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json
index dbf2d989331..98364c23d4b 100644
--- a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json
+++ b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json
@@ -35,7 +35,7 @@
"displayName": "User Management ASIM filtering parser",
"category": "ASIM",
"FunctionAlias": "imUserManagement",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any:dynamic=dynamic([]),\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),\n vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventresult, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )),\n vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers) )),\n vimUserManagementLinuxAuthpriv(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers) ))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any, \n pack=pack\n)\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser\n | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack: bool=false) {\n union isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))),\n vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))),\n vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))),\n vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, 
eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))),\n vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in (DisabledParsers))))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),pack:bool=False"
}
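Review bot: The `pack` parameter is accepted in the `parser` signature and forwarded in the trailing `parser(... pack=pack)` call, but nothing inside the body reads it, so a caller passing `pack=true` gets the same output as `pack=false`. If this is the intended convention for unifying parsers in this repository, a comment inside the query such as `// pack is accepted for interface compatibility and intentionally ignored here` would stop the next reader from treating it as a missing feature. The rewritten calls now use named arguments and drop the undefined `eventresult`, `targetusername_has`, `actorusername_has` and `targetdomain_has_any` names the old version passed, which is a clear improvement; the new `vimUserManagementNative` entry also honours an `ExcludevimUserManagementNative` watchlist key, which is worth documenting wherever the list of disable keys is maintained.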
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json
index 11c8713e05a..ec869750b60 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json
@@ -26,7 +26,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
- "name": "ASimUserManagementCiscoISE",
+ "name": "vimUserManagementCiscoISE",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
@@ -34,8 +34,8 @@
"etag": "*",
"displayName": "User Management ASIM filtering parser for Cisco ISE",
"category": "ASIM",
- "FunctionAlias": "ASimUserManagementCiscoISE",
- "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | 
where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n disabled=disabled\n)\n",
+ "FunctionAlias": "vimUserManagementCiscoISE",
+ "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0)\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = 
coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n targetusername_has_any = targetusername_has_any,\n disabled=disabled\n)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
}
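Review bot: In the new query the `| where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))` filter is placed before `| where not(disabled)`, so the source-list lookup is evaluated even when the parser is disabled; moving the `not(disabled)` line first, as the other filtering conditions in this file are ordered after it, keeps a disabled parser cheap. The added `and (array_length(targetusername_has_any) == 0)` condition means any non-empty target-username filter returns no rows from this source, which looks deliberate since no TargetUsername is produced here, but it deserves an inline comment such as `// this source carries no TargetUsername, so any targetusername filter yields no rows`. Both comments belong in the query string since that is the only place this logic lives.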
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json
index 65b9a0ed895..2e7e36b99f4 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json
@@ -35,7 +35,7 @@
"displayName": "User Management ASIM parser for Linux Authpriv logs",
"category": "ASIM",
"FunctionAlias": "vimUserManagementLinuxAuthpriv",
- "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", 
\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername 
has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n 
EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where 
(array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to 
\"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend 
split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n 
GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)",
+ "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", 
\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername 
has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n 
EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where 
(array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to 
\"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend 
split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n 
GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
}
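Review bot: In the new query the third union branch filters on `SyslogMessage startswith "new group: name="` but then parses with `| parse SyslogMessage with "new user: name=" GroupName ", GID=" GroupId`, so the pattern can never match and GroupName/GroupId stay empty for useradd's group-creation line; the parse literal should be `"new group: name="` to match the filter. The commit only appends `| extend SrcIpAddr = DvcIpAddr` before the final project-away and leaves this branch untouched. Separately, the usermod `change user '` branch's predicate `(array_length(actorusername_has_any) == 0 and (array_length(eventtype_in) == 0 or "UserDisabled" in (eventtype_in)) or ("UserEnabled" in (eventtype_in)))` binds as `(A and B) or C`, so an eventtype_in containing UserEnabled appears to bypass the actorusername_has_any guard, and an eventtype_in of only UserModified drops rows this branch would otherwise classify as UserModified via the case() default. Grouping the membership tests as `(array_length(eventtype_in) == 0 or "UserDisabled" in (eventtype_in) or "UserEnabled" in (eventtype_in) or "UserModified" in (eventtype_in))` inside the `and` addresses both; the later `where EventType in (eventtype_in)` still narrows the result.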
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json
index 7ea53642513..f6cbdb251b9 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json
@@ -26,7 +26,7 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
- "name": "ASimUserManagementMicrosoftSecurityEvent",
+ "name": "vimUserManagementMicrosoftSecurityEvent",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
@@ -34,8 +34,8 @@
"etag": "*",
"displayName": "User Management ASIM parser for Microsoft Security Event logs",
"category": "ASIM",
- "FunctionAlias": "ASimUserManagementMicrosoftSecurityEvent",
- "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", 
\"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = 
tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, 
PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat 
(GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | 
where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, 
SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )",
+ "FunctionAlias": "vimUserManagementMicrosoftSecurityEvent",
+ "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", 
\"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = 
tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain,\"\\\\\",TargetUsername) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n 
(array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = 
tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv 
EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain 
= TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
}
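Review bot: In the WindowsEvent branch that handles GroupEventID (the third union member of the new query), the target filter still tests `NewTargetUserName has_any (targetusername_has_any)` / `OldTargetUserName has_any (...)` while the branch assigns `TargetUsername = MemberName`, and the two SecurityEvent group branches in the same hunk filter on `MemberName has_any (targetusername_has_any)`; so a caller filtering by target user is likely to lose the 4728/4732/4756-series membership events from WindowsEvent, which is exactly the population a "user added to privileged group" hunt wants. The same branch also kept the old `SubjectUserName has_any (actorusername_has_any)` actor test, whereas every other branch was changed to accept `SubjectDomainName`, `SubjectUserName` or `strcat(SubjectDomainName,"\\",SubjectUserName)`, so a `DOMAIN\user` actor value matches user-account events but not group-membership events from WindowsEvent. I would change that branch's where clause to `(array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any))) and (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or (strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any)))` (escaped as the JSON string requires). Note as well that the new clauses match the bare domain column on its own, so a filter value equal to a domain's NetBIOS name returns every account in that domain rather than the named user; if that is intended it deserves a comment, since vim filtering parsers are expected to return only matching events.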
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/README.md b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/README.md
new file mode 100644
index 00000000000..605815b3005
--- /dev/null
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/README.md
@@ -0,0 +1,18 @@
+# Native ASIM UserManagement Normalization Parser
+
+ARM template for ASIM UserManagement schema parser for Native.
+
+This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM UserManagement normalization schema reference](https://aka.ms/ASimUserManagementDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FvimUserManagementNative%2FvimUserManagementNative.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FvimUserManagementNative%2FvimUserManagementNative.json)
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json
new file mode 100644
index 00000000000..39cbda3482a
--- /dev/null
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimUserManagementNative",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table",
+ "category": "ASIM",
+ "FunctionAlias": "vimUserManagementNative",
+ "query": "let parser = (\n starttime:datetime = datetime(null)\n , endtime:datetime = datetime(null)\n , srcipaddr_has_any_prefix:dynamic = dynamic([])\n , targetusername_has_any:dynamic = dynamic([])\n , actorusername_has_any:dynamic = dynamic([])\n , eventtype_in:dynamic = dynamic([])\n , disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix\n , targetusername_has_any = targetusername_has_any\n , actorusername_has_any = actorusername_has_any\n , eventtype_in = eventtype_in\n , disabled = disabled\n)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
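Review bot: The alias block of the new query tests the wrong column: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` leaves a null EventStartTime untouched when EventEndTime is populated, and overwrites a populated EventStartTime with TimeGenerated whenever EventEndTime is null, which skews any duration or ordering logic built on these fields. It should be `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. Separately, this parser filters with `EventType in~ (eventtype_in)` (case-insensitive) while the other vimUserManagement parsers touched in this change use `in`, so the same eventtype_in value can select different row sets across sources; picking one form, or documenting the difference in the displayName/README, would avoid surprises for unifying parsers.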
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json
index b49cb33dc5a..910a97a20a8 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json
@@ -35,7 +35,7 @@
"displayName": "User Management ASIM parser for SentinelOne",
"category": "ASIM",
"FunctionAlias": "vimUserManagementSentinelOne",
- "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Activities.\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (23, 24, 25, 37, 102, 110, 
111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields:string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | extend \n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser), username, \"\"),\n PreviousPropertyValue = coalesce(oldDescription, oldRole),\n NewPropertyValue = coalesce(description, role)\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = 
primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId),\"Other\",\"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix ,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = 
eventtype_in,\n disabled = disabled\n)",
+ "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: 
dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (UsermanagementactivityIds)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | extend \n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and 
primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n 
GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False"
}
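Review bot: The new EventTypeLookup rows for activityType_d 67 and 42 carry an empty EventType and rely on the later `case` over `primaryDescription_s has "enabled"` / `has "disabled"` to fill it, so a 2FA event whose description contains neither term leaves the parser with EventType "" — presumably not a valid value for the schema's enumerated EventType — and is also unreachable through `eventtype_in`. Adding a fallback pair before the default, `activityType_d in (67, 42), "UserModified",`, would keep those rows typed. Separately, `newValue` is added to the `parse-kv` column list but only reappears in `project-away`, so it is dead; either drop it or use it for NewPropertyValue on the 2FA rows. This ARM JSON looks generated from the parser YAML, so the change belongs in that source file rather than here.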
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
index dba5da6a720..a064eaec27e 100644
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
@@ -1,7 +1,7 @@
Parser:
Title: User Management ASIM parser
- Version: '0.1.0'
- LastUpdated: 15 Oct, 2023
+ Version: '0.1.1'
+ LastUpdated: 06 Mar, 2024
Product:
Name: Source agnostic
Normalization:
@@ -21,23 +21,28 @@ Parsers:
- _ASim_UserManagement_CiscoISE
- _ASim_UserManagement_LinuxAuthpriv
- _ASim_UserManagement_MicrosoftSecurityEvent
- - _ASim_UserManagement_SentinelOne
+ - _ASim_UserManagement_SentinelOne
+ - _ASim_UserManagement_Native
ParserParams:
- Name: pack
Type: bool
Default: false
ParserQuery: |
- let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
+ | where SearchKey in ('Any', 'ExcludeASimUserManagement')
+ | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')
+ | distinct SourceSpecificParser);
let ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
let parser=(
- pack:bool=false
- ){
- union isfuzzy=true
- vimUserManagementEmpty,
- ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
- ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers))),
- ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers))),
- ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),
+ pack: bool=false
+ ) {
+ union isfuzzy=true
+ vimUserManagementEmpty,
+ ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
+ ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),
+ ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),
+ ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),
+ ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))
};
parser (
pack=pack
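Review bot: `pack: bool=false` is declared on `parser` and forwarded at the outer call, but nothing in the union body references it, so `pack=true` is a silent no-op. If the parameter is reserved for a future packing step, a comment such as `// pack is accepted for interface compatibility; not applied by this parser` above the union would stop readers from expecting behaviour. The same applies to the rewritten `parser` in imUserManagement.yaml (hunk `@@ -45,31 +46,34 @@`).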
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml
index b7ce0066582..3600810338c 100644
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml
@@ -1,7 +1,7 @@
Parser:
Title: User Management ASIM parser for Cisco ISE
- Version: '0.1'
- LastUpdated: July 13, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 06, 2024
Product:
Name: Cisco ISE
Normalization:
@@ -77,6 +77,7 @@ ParserQuery: |
| summarize make_set(EventOriginalType));
let CiscoISEUsrMgmtParser=(disabled: bool=false) {
Syslog
+ | where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))
| where not(disabled)
| where ProcessName has_any ("CISE", "CSCO")
| parse SyslogMessage with * " " longvalue:long " " EventOriginalType:int " " *
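Review bot: The new `| where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))` is placed before `| where not(disabled)`, so the source-list lookup is evaluated even when the parser is disabled; swapping the two lines keeps the disabled short-circuit first. More importantly, this line makes the parser return no rows unless the source list returned by `_ASIM_GetSourceBySourceType` contains the Cisco ISE hosts, which is a behaviour change for existing deployments that the hunk does not document; the parser Description (or a comment above the line, e.g. `// Requires Cisco ISE hosts to be registered under the CiscoISE source type`) should state the new prerequisite. The same line is added in vimUserManagementCiscoISE.yaml (hunk `@@ -97,18 +97,21 @@`). The enclosing `CiscoISEUsrMgmtParser` body continues outside the hunk.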
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
index d28ae8ebfa5..de7237857e9 100644
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
@@ -1,7 +1,7 @@
Parser:
Title: User Management ASIM parser for Linux Authpriv logs
- Version: '0.1.0'
- LastUpdated: 4 Oct, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 06, 2024
Product:
Name: Microsoft
Normalization:
@@ -310,6 +310,7 @@ ParserQuery: |
TargetUsernameType = iif(isnotempty(TargetUsername), "Simple", ""),
UpdatedPropertyName = EventSubType,
User = ActorUsername
+ | extend SrcIpAddr = DvcIpAddr
| project-away Computer, HostIP, HostName
};
parser (
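Review bot: `| extend SrcIpAddr = DvcIpAddr` fills the source address with the address of the Linux host that produced the authpriv record, which is not necessarily where the user-management action originated (an administrator working over SSH would have a different client address). Analysts filtering on SrcIpAddr would then attribute the action to the server itself; if the intent is only to ensure the field is populated, a comment such as `// authpriv records carry no client address; fall back to the reporting host` would make the approximation explicit. The same line is added in vimUserManagementLinuxAuthpriv.yaml (hunk `@@ -397,6 +397,7 @@`), where any earlier `srcipaddr_has_any_prefix` pre-filter, if there is one, would be evaluated against a different field than the one now exposed. The enclosing `parser` body starts outside the hunk.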
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml
new file mode 100644
index 00000000000..f6b2f6e1780
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml
@@ -0,0 +1,52 @@
+Parser:
+ Title: User Management activity ASIM parser for Microsoft Sentinel native User Management activity table
+ Version: "0.1.0"
+ LastUpdated: "Mar 07 2024"
+Product:
+ Name: Native
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: ASimUserManagementNative
+EquivalentBuiltInParser: _ASim_UserManagement_Native
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ disabled:bool = false
+ )
+ {
+ ASimUserManagementActivityLogs
+ | where not(disabled)
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ EventSchema = "UserManagement",
+ DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)
+ // -- Aliases
+ | extend
+ EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),
+ EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),
+ Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),
+ Rule = coalesce(RuleName, tostring(RuleNumber)),
+ User = ActorUsername,
+ Hostname = DvcHostname,
+ IpAddr = SrcIpAddr,
+ Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),
+ UpdatedPropertyName = EventSubType
+ | project-away
+ TenantId,
+ SourceSystem,
+ _SubscriptionId,
+ _ResourceId
+ };
+ parser (disabled = disabled)
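Review bot: The alias line `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` tests EventEndTime instead of EventStartTime, so a row with a valid EventStartTime but a null EventEndTime has its start time overwritten with TimeGenerated, while a row with a null EventStartTime and a non-null EventEndTime keeps the null. The condition should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. The same line appears in the vimUserManagementNative ARM query at the top of this chunk, so the vim YAML source presumably carries it too.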
diff --git a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
index 582e0ae83c3..923e5ae7a7b 100644
--- a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
+++ b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
@@ -1,7 +1,7 @@
Parser:
Title: User Management ASIM filtering parser
- Version: '0.1.1'
- LastUpdated: 15 Feb, 2024
+ Version: '0.1.2'
+ LastUpdated: 06 Mar, 2024
Product:
Name: Source agnostic
Normalization:
@@ -22,6 +22,7 @@ Parsers:
- _Im_UserManagement_LinuxAuthpriv
- _Im_UserManagement_MicrosoftSecurityEvent
- _Im_UserManagement_SentinelOne
+ - _Im_UserManagement_Native
ParserParams:
- Name: starttime
Type: datetime
@@ -45,31 +46,34 @@ ParserParams:
Type: bool
Default: false
ParserQuery: |
- let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
+ | where SearchKey in ('Any', 'ExcludevimUserManagement')
+ | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')
+ | distinct SourceSpecificParser
+ | where isnotempty(SourceSpecificParser));
let ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
let parser=(
- starttime:datetime=datetime(null),
- endtime:datetime=datetime(null),
- srcipaddr_has_any_prefix: dynamic=dynamic([]),
- targetusername_has_any:dynamic=dynamic([]),
- actorusername_has_any:dynamic=dynamic([]),
- eventtype_in: dynamic=dynamic([]),
- pack:bool=false)
- {
- union isfuzzy=true
- vimUserManagementEmpty,
- vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),
- vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventresult, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )),
- vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers) )),
- vimUserManagementLinuxAuthpriv(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers) ))
+ starttime: datetime=datetime(null),
+ endtime: datetime=datetime(null),
+ srcipaddr_has_any_prefix: dynamic=dynamic([]),
+ targetusername_has_any: dynamic=dynamic([]),
+ actorusername_has_any: dynamic=dynamic([]),
+ eventtype_in: dynamic=dynamic([]),
+ pack: bool=false) {
+ union isfuzzy=true
+ vimUserManagementEmpty,
+ vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))),
+ vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))),
+ vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))),
+ vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))),
+ vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in (DisabledParsers))))
};
parser (
- starttime=starttime,
- endtime=endtime,
- srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
- eventtype_in = eventtype_in,
- eventresult = eventresult,
- targetusername_has_any = targetusername_has_any,
- actorusername_has_any = actorusername_has_any,
- pack=pack
+ starttime=starttime,
+ endtime=endtime,
+ srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
+ targetusername_has_any = targetusername_has_any,
+ actorusername_has_any = actorusername_has_any,
+ eventtype_in = eventtype_in,
+ pack=pack
)
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
index 0e845601507..c3492dfe2a8 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
@@ -1,7 +1,7 @@
Parser:
Title: User Management ASIM filtering parser for Cisco ISE
- Version: '0.1.1'
- LastUpdated: Feb 15, 2024
+ Version: '0.1.2'
+ LastUpdated: Mar 06, 2024
Product:
Name: Cisco ISE
Normalization:
@@ -16,7 +16,7 @@ References:
Link: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_maintain_monitor.html#ID58
Description: |
This ASIM parser supports normalizing user management activity in the Cisco ISE events to the ASIM User Management schema.
-ParserName: ASimUserManagementCiscoISE
+ParserName: vimUserManagementCiscoISE
EquivalentBuiltInParser: _Im_UserManagement_CiscoISE
ParserParams:
- Name: starttime
@@ -97,18 +97,21 @@ ParserQuery: |
srcipaddr_has_any_prefix: dynamic=dynamic([]),
eventtype_in: dynamic=dynamic([]),
actorusername_has_any: dynamic=dynamic([]),
+ targetusername_has_any: dynamic=dynamic([]),
disabled: bool = false
) {
let EventOriginalTypeList = toscalar(EventFieldsLookup
| where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
| summarize make_set(EventOriginalType));
Syslog
+ | where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))
| where not(disabled)
//***************************** **************************
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))
and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))
+ and (array_length(targetusername_has_any) == 0)
//***************************** *************************
| where ProcessName has_any ("CISE", "CSCO")
| parse SyslogMessage with * " " longvalue:long " " EventOriginalType:int " " *
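Review bot: The new predicate `and (array_length(targetusername_has_any) == 0)` means any non-empty `targetusername_has_any` filter returns zero Cisco ISE rows rather than filtering them. That is the right shape only if this parser never populates TargetUsername; if the body below the hunk does set it, the filter should be applied to that field (as `actorusername_has_any` is applied via SyslogMessage above), and if it does not, a comment such as `// TargetUsername is not available in Cisco ISE events; a target filter excludes all rows` next to the line would document the choice. The `parser` body continues outside the hunk.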
@@ -165,5 +168,6 @@ ParserQuery: |
srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
eventtype_in = eventtype_in,
actorusername_has_any = actorusername_has_any,
+ targetusername_has_any = targetusername_has_any,
disabled=disabled
)
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
index 3f5063f4e3c..afda599b0ca 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
@@ -1,7 +1,7 @@
Parser:
Title: User Management ASIM parser for Linux Authpriv logs
- Version: '0.1.0'
- LastUpdated: 4 Oct, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 06, 2024
Product:
Name: Microsoft
Normalization:
@@ -397,6 +397,7 @@ ParserQuery: |
TargetUsernameType = iif(isnotempty(TargetUsername), "Simple", ""),
UpdatedPropertyName = EventSubType,
User = ActorUsername
+ | extend SrcIpAddr = DvcIpAddr
| project-away Computer, HostIP, HostName
};
parser (
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
index f5a3d3a8055..fd2e2cd32c0 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
@@ -1,7 +1,7 @@
Parser:
Title: User Management ASIM parser for Microsoft Security Event logs
- Version: '0.1.0'
- LastUpdated: 16 Jul, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 07, 2024
Product:
Name: Microsoft
Normalization:
@@ -16,8 +16,8 @@ References:
Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
Description: |
This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
-ParserName: ASimUserManagementMicrosoftSecurityEvent
-EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
+ParserName: vimUserManagementMicrosoftSecurityEvent
+EquivalentBuiltInParser: _Im_UserManagement_MicrosoftSecurityEvent
ParserParams:
- Name: starttime
Type: datetime
@@ -121,8 +121,8 @@ ParserQuery: |
TargetUserId = tostring(EventData.TargetSid),
TargetUsername = tostring(EventData.TargetUserName),
EventMessage = tostring(EventData.Activity)
- | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))
+ | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain,"\\",TargetUsername) has_any (targetusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any)))
| project-rename
NewPropertyValue = NewTargetUserName,
PreviousPropertyValue = OldTargetUserName
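Review bot: The rewritten filter lets a `targetusername_has_any` value match on `TargetDomain` alone, so a filter value equal to a domain name would return every account in that domain, and `actorusername_has_any` is likewise matched against `SubjectDomainName` by itself. The `strcat(TargetDomain,"\\",TargetUsername)` clause already covers the `domain\user` form, so the standalone domain clauses look redundant and widen the filter beyond usernames; consider dropping `(TargetDomain has_any (targetusername_has_any)) or` and `(SubjectDomainName has_any (actorusername_has_any)) or`, or, if domain-only filtering is intended, say so in the parser Description. The same pattern is repeated in the three later hunks of this file (`@@ -139,8 +139,8 @@`, `@@ -206,7 +206,7 @@`, `@@ -251,8 +251,8 @@`).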
@@ -139,8 +139,8 @@ ParserQuery: |
| where (isnull(starttime) or TimeGenerated >= starttime)
and (isnull(endtime) or TimeGenerated <= endtime)
| where EventID in(UserEventID)
- | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and
+ | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,"\\",TargetUserName) has_any (targetusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any))) and
(array_length(srcipaddr_has_any_prefix) == 0)
| project-rename
ActorOriginalUserType = AccountType,
@@ -206,7 +206,7 @@ ParserQuery: |
| where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
| where EventID in(GroupEventID)
| where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any))) and
(array_length(srcipaddr_has_any_prefix) == 0)
| project-rename
ActorOriginalUserType = AccountType,
@@ -251,8 +251,8 @@ ParserQuery: |
SubjectUserName:string
)
with (regex=@'{?([^<]*?)}?')
- | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and
+ | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,"\\",TargetUserName) has_any (targetusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any))) and
(array_length(srcipaddr_has_any_prefix) == 0)
| project-rename
ActorOriginalUserType = AccountType,
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementNative.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementNative.yaml
new file mode 100644
index 00000000000..0e8a98aa8e4
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementNative.yaml
@@ -0,0 +1,90 @@
+Parser:
+ Title: User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table
+ Version: "0.1.0"
+ LastUpdated: "Mar 07 2024"
+Product:
+ Name: Native
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: vimUserManagementNative
+EquivalentBuiltInParser: _Im_UserManagement_Native
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: srcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: actorusername_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: targetusername_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventtype_in
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ starttime:datetime = datetime(null)
+ , endtime:datetime = datetime(null)
+ , srcipaddr_has_any_prefix:dynamic = dynamic([])
+ , targetusername_has_any:dynamic = dynamic([])
+ , actorusername_has_any:dynamic = dynamic([])
+ , eventtype_in:dynamic = dynamic([])
+ , disabled:bool = false
+ )
+ {
+ ASimUserManagementActivityLogs
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))
+ and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))
+ and (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))
+ and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ EventSchema = "UserManagement",
+ DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)
+ // -- Aliases
+ | extend
+ EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),
+ EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),
+ Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),
+ Rule = coalesce(RuleName, tostring(RuleNumber)),
+ User = ActorUsername,
+ Hostname = DvcHostname,
+ IpAddr = SrcIpAddr,
+ Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),
+ UpdatedPropertyName = EventSubType
+ | project-away
+ TenantId,
+ SourceSystem,
+ _SubscriptionId,
+ _ResourceId
+ };
+ parser (
+ starttime = starttime
+ , endtime = endtime
+ , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix
+ , targetusername_has_any = targetusername_has_any
+ , actorusername_has_any = actorusername_has_any
+ , eventtype_in = eventtype_in
+ , disabled = disabled
+ )
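Review bot: The `EventStartTime` alias tests the wrong column — `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` checks `EventEndTime`, so a row with a start time but no end time is overwritten with `TimeGenerated`, while a row with an end time but a null start time keeps the null; it should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. Separately, the actor and target filters match only `ActorUsername` and `TargetUsername`, whereas the filtering parsers changed earlier in this diff also accept a domain-qualified form; if the native table stores the domain in `ActorUserDomain`/`TargetUserDomain` rather than inside the username, callers passing `DOMAIN\user` will silently get no rows, so either document that `ActorUsername`/`TargetUsername` must already carry the qualified form or note the difference in the `Description`. The parser declares `targetusername_has_any` before `actorusername_has_any` while `ParserParams` lists them the other way round; the call at the bottom uses named arguments so this is harmless, but keeping the two orders aligned avoids a future positional-call mistake.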