From 77ca8b8400dd1f85243b9795af987519166db409 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Wed, 6 Mar 2024 14:58:51 +0530
Subject: [PATCH 01/15] fixing ASIM Union Parser
---
 .../Parsers/ASimUserManagement.yaml | 25 +++++++++++--------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
index dba5da6a72..a0eb23c7df 100644
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: User Management ASIM parser
- Version: '0.1.0'
- LastUpdated: 15 Oct, 2023
+ Version: '0.1.1'
+ LastUpdated: 06 Mar, 2024
 Product:
 Name: Source agnostic
 Normalization:
@@ -27,17 +27,20 @@ ParserParams:
 Type: bool
 Default: false
 ParserQuery: |
- let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
+ let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')
+ | where SearchKey in ('Any', 'ExcludeASimUserManagement')
+ | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')
+ | distinct SourceSpecificParser);
 let ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers));
 let parser=(
- pack:bool=false
- ){
- union isfuzzy=true
- vimUserManagementEmpty,
- ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
- ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers))),
- ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers))),
- ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),
+ pack: bool=false
+ ) {
+ union isfuzzy=true
+ vimUserManagementEmpty,
+ ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
+ ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),
+ ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),
+ ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers)))
 };
 parser (
 pack=pack
From 3ac4774b6ce768a39abcd291b6306698c11185f6 Mon Sep 17 00:00:00 2001
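Review bot: The DisabledParsers list built in the new lines stops at `| distinct SourceSpecificParser`, whereas the imUserManagement union parser in this same series appends `| where isnotempty(SourceSpecificParser)` (visible in the regenerated imUserManagement.json query in patch 05). The difference is only cosmetic for the `in (DisabledParsers)` tests, since an empty string matches no parser name, but keeping the two union parsers' watchlist handling identical makes them easier to audit side by side; consider adding the same filter line here. The enclosing ParserQuery block continues outside the hunk.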
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Wed, 6 Mar 2024 15:19:09 +0530
Subject: [PATCH 02/15] updating im union parser
---
 .../ASimUserManagement/Parsers/imUserManagement.yaml | 11 +++++------
 .../Parsers/vimUserManagementCiscoISE.yaml | 2 +-
 .../vimUserManagementMicrosoftSecurityEvent.yaml | 4 ++--
 3 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
index 582e0ae83c..6d5efc526c 100644
--- a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
+++ b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: User Management ASIM filtering parser
- Version: '0.1.1'
- LastUpdated: 15 Feb, 2024
+ Version: '0.1.2'
+ LastUpdated: 06 Mar, 2024
 Product:
 Name: Source agnostic
 Normalization:
@@ -59,7 +59,7 @@ ParserQuery: |
 union isfuzzy=true
 vimUserManagementEmpty,
 vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),
- vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventresult, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )),
+ vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )),
 vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers) )),
 vimUserManagementLinuxAuthpriv(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers) ))
 };
@@ -67,9 +67,8 @@ ParserQuery: |
 starttime=starttime,
 endtime=endtime,
 srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
- eventtype_in = eventtype_in,
- eventresult = eventresult,
 targetusername_has_any = targetusername_has_any,
- actorusername_has_any = actorusername_has_any,
+ actorusername_has_any = actorusername_has_any,
+ eventtype_in = eventtype_in,
 pack=pack
 )
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
index 0e84560150..171b66ee05 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
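Review bot: The rewritten vimUserManagementCiscoISE call in the @@ -59 hunk still binds its arguments positionally, with `eventtype_in` ahead of `actorusername_has_any` and no `targetusername_has_any`, while the vimUserManagementCiscoISE function regenerated later in this series (patch 05, functionParameters) declares the order starttime, endtime, srcipaddr_has_any_prefix, actorusername_has_any, targetusername_has_any, eventtype_in, disabled. If that is the deployed signature, every argument after srcipaddr_has_any_prefix is bound to the wrong parameter (or rejected on type) and the watchlist exclusion expression never reaches `disabled`, so ExcludevimUserManagementCiscoISE would stop suppressing the parser. Passing the arguments by name removes the dependence on declaration order: `vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled=ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))`. Forwarding targetusername_has_any also matters because the vimUserManagementCiscoISE hunk in patch 04 (@@ -97) adds a guard that returns nothing when it is non-empty; without the pass-through, imUserManagement callers filtering by target user still receive unfiltered Cisco ISE rows. The enclosing `parser` lambda starts before this hunk.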
@@ -16,7 +16,7 @@ References:
 Link: https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/admin_guide/b_ise_admin_3_2/b_ISE_admin_32_maintain_monitor.html#ID58
 Description: |
 This ASIM parser supports normalizing user management activity in the Cisco ISE events to the ASIM User Management schema.
-ParserName: ASimUserManagementCiscoISE
+ParserName: vimUserManagementCiscoISE
 EquivalentBuiltInParser: _Im_UserManagement_CiscoISE
 ParserParams:
 - Name: starttime
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
index f5a3d3a805..44e7998b7f 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
@@ -16,8 +16,8 @@ References:
 Link: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-user-account-management
 Description: |
 This ASIM parser supports normalizing Microsoft Security Event logs delivered using AMA to the ASIM UserManagement normalized schema.
-ParserName: ASimUserManagementMicrosoftSecurityEvent
-EquivalentBuiltInParser: _ASim_UserManagement_MicrosoftSecurityEvent
+ParserName: vimUserManagementMicrosoftSecurityEvent
+EquivalentBuiltInParser: _Im_UserManagement_MicrosoftSecurityEvent
 ParserParams:
 - Name: starttime
 Type: datetime
From 81d808307bc4a53666704886bde143585c0d1a48 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Wed, 6 Mar 2024 09:33:52 +0000
Subject: [PATCH 03/15] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ARM/ASimUserManagement/ASimUserManagement.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json
index 10d39b407c..2e099fa477 100644
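Review bot: Correcting ParserName in both hunks also changes the savedSearch name and FunctionAlias emitted into the vim ARM templates, which until now were "ASimUserManagementCiscoISE" and "ASimUserManagementMicrosoftSecurityEvent" (see the regenerated JSON later in this series), meaning the filtering query was being deployed over the alias of the parameterless ASim parser. Workspaces that applied those templates likely still have the ASim alias carrying the vim query body, and deploying the corrected vim template creates the vim alias without restoring the ASim one. It would be worth stating in the commit message or release notes that the ASimUserManagementCiscoISE and ASimUserManagementMicrosoftSecurityEvent templates must be redeployed alongside, so detections keyed on the ASim alias see the intended parser again.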
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser", "category": "ASIM", "FunctionAlias": "ASimUserManagement", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack:bool=false\n){\nunion isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n}; \nparser (\n pack=pack\n)", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or 
('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)", "version": 1, "functionParameters": "pack:bool=False" }
From 37c2927b9780f8f917c5dd5ca6e660a6478cf11c Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Wed, 6 Mar 2024 17:06:14 +0530
Subject: [PATCH 04/15] Update CiscoISE
---
 .../Parsers/ASimUserManagementCiscoISE.yaml | 5 +++--
 .../Parsers/vimUserManagementCiscoISE.yaml | 8 ++++++--
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml
index b7ce006658..3600810338 100644
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementCiscoISE.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: User Management ASIM parser for Cisco ISE
- Version: '0.1'
- LastUpdated: July 13, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 06, 2024
 Product:
 Name: Cisco ISE
 Normalization:
@@ -77,6 +77,7 @@ ParserQuery: |
 | summarize make_set(EventOriginalType));
 let CiscoISEUsrMgmtParser=(disabled: bool=false) {
 Syslog
+ | where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))
 | where not(disabled)
 | where ProcessName has_any ("CISE", "CSCO")
 | parse SyslogMessage with * " " longvalue:long " " EventOriginalType:int " " *
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
index 171b66ee05..c3492dfe2a 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementCiscoISE.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: User Management ASIM filtering parser for Cisco ISE
- Version: '0.1.1'
- LastUpdated: Feb 15, 2024
+ Version: '0.1.2'
+ LastUpdated: Mar 06, 2024
 Product:
 Name: Cisco ISE
 Normalization:
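Review bot: The new `| where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))` in the @@ -77 hunk is unconditional, so if `_ASIM_GetSourceBySourceType` resolves to an empty list in a workspace that has not registered its ISE hosts (the helper's definition is not on this page), the parser returns no rows and Cisco ISE user-management events drop out of the union silently instead of failing visibly. The Description in this yaml still says only that the parser normalizes Cisco ISE events; add a sentence there stating that the ISE hosts must be listed under the CiscoISE source type for the parser to emit anything, and add the same sentence to vimUserManagementCiscoISE.yaml, whose @@ -97 hunk in this patch introduces the identical filter. Placing the filter after `| where not(disabled)` would also keep the disabled short-circuit first, matching the order used by the rest of the pipeline.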
@@ -97,18 +97,21 @@ ParserQuery: |
 srcipaddr_has_any_prefix: dynamic=dynamic([]),
 eventtype_in: dynamic=dynamic([]),
 actorusername_has_any: dynamic=dynamic([]),
+ targetusername_has_any: dynamic=dynamic([]),
 disabled: bool = false
 ) {
 let EventOriginalTypeList = toscalar(EventFieldsLookup
 | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
 | summarize make_set(EventOriginalType));
 Syslog
+ | where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))
 | where not(disabled)
 //***************************** **************************
 | where (isnull(starttime) or TimeGenerated >= starttime)
 and (isnull(endtime) or TimeGenerated <= endtime)
 and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))
 and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))
+ and (array_length(targetusername_has_any) == 0)
 //***************************** *************************
 | where ProcessName has_any ("CISE", "CSCO")
 | parse SyslogMessage with * " " longvalue:long " " EventOriginalType:int " " *
@@ -165,5 +168,6 @@ ParserQuery: |
 srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
 eventtype_in = eventtype_in,
 actorusername_has_any = actorusername_has_any,
+ targetusername_has_any = targetusername_has_any,
 disabled=disabled
 )
From c5bfc3573d02b2ff1aec66cc4872a8c9e1da7ee8 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Wed, 6 Mar 2024 09:52:31 +0000
Subject: [PATCH 05/15] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ARM/imUserManagement/imUserManagement.json | 2 +-
 .../vimUserManagementCiscoISE/vimUserManagementCiscoISE.json | 4 ++--
 .../vimUserManagementMicrosoftSecurityEvent.json | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json
index dbf2d98933..b49a046c3c 100644
--- a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json
+++ b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imUserManagement", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any:dynamic=dynamic([]),\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),\n vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventresult, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )),\n vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers) )),\n vimUserManagementLinuxAuthpriv(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers) ))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n targetusername_has_any = targetusername_has_any, \n 
actorusername_has_any = actorusername_has_any, \n pack=pack\n)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any:dynamic=dynamic([]),\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),\n vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )),\n vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers) )),\n vimUserManagementLinuxAuthpriv(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers) ))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),pack:bool=False" } diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json index 11c8713e05..dd7b65837b 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json @@ -26,7 +26,7 @@ { "type": "savedSearches", "apiVersion": "2020-08-01", - "name": "ASimUserManagementCiscoISE", + "name": "vimUserManagementCiscoISE", "dependsOn": [ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" ], 
@@ -34,7 +34,7 @@ "etag": "*", "displayName": "User Management ASIM filtering parser for Cisco ISE", "category": "ASIM", - "FunctionAlias": "ASimUserManagementCiscoISE", + "FunctionAlias": "vimUserManagementCiscoISE", "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | 
where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n disabled=disabled\n)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json index 7ea5364251..0825bf47d3 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json 
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json @@ -26,7 +26,7 @@ { "type": "savedSearches", "apiVersion": "2020-08-01", - "name": "ASimUserManagementMicrosoftSecurityEvent", + "name": "vimUserManagementMicrosoftSecurityEvent", "dependsOn": [ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" ], 
@@ -34,7 +34,7 @@ "etag": "*", "displayName": "User Management ASIM parser for Microsoft Security Event logs", "category": "ASIM", - "FunctionAlias": "ASimUserManagementMicrosoftSecurityEvent", + "FunctionAlias": "vimUserManagementMicrosoftSecurityEvent", "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", 
\"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n 
OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n 
OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any 
(targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, 
SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = 
iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" From 5b18092afef1488a755c2aa4595311d4954d62e1 Mon Sep 17 00:00:00 2001 
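Review bot: The rename fixes `name` and `FunctionAlias` but leaves `"displayName": "User Management ASIM parser for Microsoft Security Event logs"` unchanged, so the deployed `vimUserManagementMicrosoftSecurityEvent` function is still labelled like the non-filtering ASim parser; the sibling filtering template in this series uses `"User Management ASIM filtering parser for Cisco ISE"`, so this one should become `"displayName": "User Management ASIM filtering parser for Microsoft Security Event logs"`. A second point in the (unchanged) `query` context: `EventResult = "Success"` is assigned unconditionally, yet `EventIDLookup` includes 4723 and 4724, which, to my understanding, Windows also records as Audit Failure when a password change or reset is refused, so failed attempts would be normalised as successes and a detection keyed on `EventResult == "Failure"` would never fire. If the source tables expose the audit success/failure keyword, `EventResult` should be derived from it rather than hard-coded. Since this ARM template is bot-generated, both changes belong in the KQL YAML it is produced from.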
From: "github-actions[bot]" <> Date: Wed, 6 Mar 2024 11:39:33 +0000 Subject: [PATCH 06/15] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json | 2 +- .../vimUserManagementCiscoISE/vimUserManagementCiscoISE.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json index 37a3cd7cd3..39d5990645 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementCiscoISE/ASimUserManagementCiscoISE.json 
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser for Cisco ISE", "category": "ASIM", "FunctionAlias": "ASimUserManagementCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n dvcHostname,\n 
['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disbled)", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEUsrMgmtParser=(disabled: bool=false) {\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n 
_ResourceId,\n NetworkDeviceName,\n dvcHostname,\n ['User-Name'],\n UserName\n};\nCiscoISEUsrMgmtParser(disabled=disbled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json index dd7b65837b..ec869750b6 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementCiscoISE/vimUserManagementCiscoISE.json 
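Review bot: The new `query` still ends with `CiscoISEUsrMgmtParser(disabled=disbled)`, which references an undefined name, so the whole `ASimUserManagementCiscoISE` function should fail to resolve instead of honouring the `disabled` parameter declared in `functionParameters`; it should read `CiscoISEUsrMgmtParser(disabled=disabled)`, as the filtering variant at the top of this chunk already does. Because this template is regenerated from YAML by the bot, the fix has to go into the source YAML or the next generation will reintroduce it. Separately, the added `| where Computer in (_ASIM_GetSourceBySourceType("CiscoISE"))` is placed before `| where not(disabled)`, whereas the other parsers in this series put the `not(disabled)` guard first; keeping that order lets a disabled parser short-circuit before the source-type lookup runs.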
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM filtering parser for Cisco ISE", "category": "ASIM", "FunctionAlias": "vimUserManagementCiscoISE", - "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", 
\"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to 
its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | 
where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n ['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n disabled=disabled\n)\n", + "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventResult: string,\nEventType: string,\nEventResultDetails: string,\nEventSubType: string,\nEventSeverity: string,\nEventOriginalSeverity: string,\nEventMessage: string\n)[\n\"25000\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"ISE server password update succeeded\",\n\"25001\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"AD: ISE account password update failed.\",\n\"51101\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password is too short\",\n\"51102\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. 
Too many repeating characters\",\n\"51103\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Missing required character type\",\n\"51104\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains username\",\n\"51105\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Contains reserved word\",\n\"51107\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password\",\n\"51115\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"The new password is invalid. This password has been previously used.\",\n\"51116\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Invalid new password. Password must not contain dictionary words or their characters in reverse order\",\n\"58019\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"ISE administrator password reset\",\n\"60460\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to inactivity\",\n\"60461\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to user level date expiry\",\n\"60462\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level date expiry\",\n\"60463\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Account disabled due to global level days expiry\",\n\"10013\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set as 'never disabled'\",\n\"10014\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Admin account set to change password on next login\",\n\"5415\", 
\"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"NOTICE\", \"Change password failed\",\n\"86002\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has suspended a guest user account\",\n\"86003\", \"Success\", \"UserEnabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Sponsor has enabled a guest user account\",\n\"86004\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user has changed the password\",\n\"86006\", \"Success\", \"UserCreated\", \"\", \"UserCreated\", \"Informational\", \"INFO\", \"Guest user account is created\",\n\"86007\", \"Success\", \"UserModified\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is updated\",\n\"86008\", \"Success\", \"UserDeleted\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Guest user account is deleted\",\n\"86015\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"INFO\", \"Invalid Password Change\",\n\"24059\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User password change ended with an error\",\n\"24064\", \"Failure\", \"PasswordChanged\", \"NotAuthorized\", \"UserModified\", \"Low\", \"WARN\", \"The user doesn't have sufficient rights to change password\",\n\"24065\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"WARN\", \"The new password does not conform to LDAP password policy\",\n\"24066\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User password change succeeded\",\n\"24205\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Could not change password to new password\",\n\"24206\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User disabled\",\n\"24347\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", 
\"ERROR\", \"Account disabled\",\n\"24348\", \"Success\", \"UserLocked\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"Account locked\",\n\"24370\", \"Success\", \"UserDisabled\", \"\", \"UserModified\", \"Informational\", \"ERROR\", \"User credentials have been revoked.\",\n\"24425\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"User change password against Active Directory succeeded\",\n\"24426\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"User change password against Active Directory failed\",\n\"24455\", \"Failure\", \"PasswordChanged\", \"Other\", \"UserModified\", \"Low\", \"ERROR\", \"Change password against Active Directory failed because of a timeout error\",\n\"33108\", \"Success\", \"PasswordReset\", \"\", \"UserModified\", \"Informational\", \"INFO\", \"Reset admin password to its default value\",\n\"5204\", \"Success\", \"PasswordChanged\", \"\", \"UserModified\", \"Informational\", \"NOTICE\", \"Change password succeeded\"\n];\nlet CiscoISEUsrMgmtParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n disabled: bool = false\n) {\n let EventOriginalTypeList = toscalar(EventFieldsLookup\n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n | summarize make_set(EventOriginalType));\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType(\"CiscoISE\"))\n | where not(disabled)\n //***************************** **************************\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage 
has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0)\n //***************************** *************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n | where EventOriginalType in (EventOriginalTypeList)\n | project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n SyslogMessage,\n HostName,\n HostIP\n | lookup EventFieldsLookup on EventOriginalType\n | parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n SrcIpAddr=['Remote-Address']\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n | extend dvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend ActorUsername = coalesce(['User-Name'], UserName, User)\n | extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername)\n | where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any)) \n | extend\n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"UserManagement\"\n , EventSchemaVersion = \"0.1.1\"\n // ***************** ********************\n | invoke _ASIM_ResolveDvcFQDN('dvcHostname')\n | extend \n Hostname = DvcHostname\n , IpAddr = SrcIpAddr\n , Src = SrcIpAddr\n , UpdatedPropertyName = EventSubType\n , User = ActorUsername\n // ***************** *******************\n | project-away\n Computer,\n SyslogMessage,\n HostIP,\n NetworkDeviceName,\n HostName,\n dvcHostname,\n 
['User-Name'],\n UserName\n}; \nCiscoISEUsrMgmtParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n eventtype_in = eventtype_in,\n actorusername_has_any = actorusername_has_any,\n targetusername_has_any = targetusername_has_any,\n disabled=disabled\n)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" }
From e94815c88589f4f156b474a767e4ad7f4544730d Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Thu, 7 Mar 2024 18:17:59 +0530
Subject: [PATCH 07/15] Adding Native Parser
---
 .../Parsers/ASimUserManagementNative.yaml | 52 +++++++++++
 .../Parsers/vimUserManagementNative.yaml | 90 +++++++++++++++++++
 2 files changed, 142 insertions(+)
 create mode 100644 Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml
 create mode 100644 Parsers/ASimUserManagement/Parsers/vimUserManagementNative.yaml
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml
new file mode 100644
index 0000000000..f6b2f6e178
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementNative.yaml
@@ -0,0 +1,52 @@
+Parser:
+ Title: User Management activity ASIM parser for Microsoft Sentinel native User Management activity table
+ Version: "0.1.0"
+ LastUpdated: "Mar 07 2024"
+Product:
+ Name: Native
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: ASimUserManagementNative
+EquivalentBuiltInParser: _ASim_UserManagement_Native
+ParserParams:
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ disabled:bool = false
+ )
+ {
+ ASimUserManagementActivityLogs
+ | where not(disabled)
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ EventSchema = "UserManagement",
+ DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)
+ // -- Aliases
+ | extend
+ EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),
+ EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),
+ Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),
+ Rule = coalesce(RuleName, tostring(RuleNumber)),
+ User = ActorUsername,
+ Hostname = DvcHostname,
+ IpAddr = SrcIpAddr,
+ Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),
+ UpdatedPropertyName = EventSubType
+ | project-away
+ TenantId,
+ SourceSystem,
+ _SubscriptionId,
+ _ResourceId
+ };
+ parser (disabled = disabled)
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementNative.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementNative.yaml
new file mode 100644
index 0000000000..0e8a98aa8e
--- /dev/null
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementNative.yaml
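Review bot: The EventStartTime alias in the second `extend` tests the wrong column: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` keys on EventEndTime, so a row whose start time is null but whose end time is populated keeps the null, while a row with a start time and no end time has its start time overwritten with TimeGenerated. The line should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. Since analytic rules and hunting queries window on EventStartTime, a silently null or shifted value skews the time range an event is matched in. The same line appears in the vimUserManagementNative.yaml hunk that follows, so both files need the fix.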
@@ -0,0 +1,90 @@
+Parser:
+ Title: User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table
+ Version: "0.1.0"
+ LastUpdated: "Mar 07 2024"
+Product:
+ Name: Native
+Normalization:
+ Schema: UserManagement
+ Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+ Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+ Link: https://aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: vimUserManagementNative
+EquivalentBuiltInParser: _Im_UserManagement_Native
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: srcipaddr_has_any_prefix
+ Type: dynamic
+ Default: dynamic([])
+ - Name: actorusername_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: targetusername_has_any
+ Type: dynamic
+ Default: dynamic([])
+ - Name: eventtype_in
+ Type: dynamic
+ Default: dynamic([])
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let parser = (
+ starttime:datetime = datetime(null)
+ , endtime:datetime = datetime(null)
+ , srcipaddr_has_any_prefix:dynamic = dynamic([])
+ , targetusername_has_any:dynamic = dynamic([])
+ , actorusername_has_any:dynamic = dynamic([])
+ , eventtype_in:dynamic = dynamic([])
+ , disabled:bool = false
+ )
+ {
+ ASimUserManagementActivityLogs
+ | where not(disabled)
+ | where (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))
+ and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))
+ and (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))
+ and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))
+ | project-rename
+ EventUid = _ItemId
+ | extend
+ EventSchema = "UserManagement",
+ DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)
+ // -- Aliases
+ | extend
+ EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),
+ EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),
+ Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),
+ Rule = coalesce(RuleName, tostring(RuleNumber)),
+ User = ActorUsername,
+ Hostname = DvcHostname,
+ IpAddr = SrcIpAddr,
+ Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),
+ UpdatedPropertyName = EventSubType
+ | project-away
+ TenantId,
+ SourceSystem,
+ _SubscriptionId,
+ _ResourceId
+ };
+ parser (
+ starttime = starttime
+ , endtime = endtime
+ , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix
+ , targetusername_has_any = targetusername_has_any
+ , actorusername_has_any = actorusername_has_any
+ , eventtype_in = eventtype_in
+ , disabled = disabled
+ )
From 24efb902627ae27cd05b3bd7e203691c799e04bf Mon Sep 17 00:00:00 2001
From: Varun Kohli
Date: Wed, 6 Mar 2024 18:41:57 +0530
Subject: [PATCH 08/15] AuthPriv Update
---
 .../Parsers/ASimUserManagementLinuxAuthpriv.yaml | 5 +++--
 .../Parsers/vimUserManagementLinuxAuthpriv.yaml | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
index d28ae8ebfa..de7237857e 100644
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: User Management ASIM parser for Linux Authpriv logs
- Version: '0.1.0'
- LastUpdated: 4 Oct, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 06, 2024
 Product:
 Name: Microsoft
 Normalization:
@@ -310,6 +310,7 @@ ParserQuery: |
 TargetUsernameType = iif(isnotempty(TargetUsername), "Simple", ""),
 UpdatedPropertyName = EventSubType,
 User = ActorUsername
+ | extend SrcIpAddr = DvcIpAddr
 | project-away Computer, HostIP, HostName
 };
 parser (
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
index 3f5063f4e3..afda599b0c 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: User Management ASIM parser for Linux Authpriv logs
- Version: '0.1.0'
- LastUpdated: 4 Oct, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 06, 2024
 Product:
 Name: Microsoft
 Normalization:
@@ -397,6 +397,7 @@ ParserQuery: |
 TargetUsernameType = iif(isnotempty(TargetUsername), "Simple", ""),
 UpdatedPropertyName = EventSubType,
 User = ActorUsername
+ | extend SrcIpAddr = DvcIpAddr
 | project-away Computer, HostIP, HostName
 };
 parser (
From 645389c28cb8afbe7761ed8a6bda153d8c5fb5bb Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Wed, 6 Mar 2024 13:15:37 +0000
Subject: [PATCH 09/15] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ASimUserManagementLinuxAuthpriv.json | 2 +-
 .../vimUserManagementLinuxAuthpriv.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json
index 63b2be6179..fda5ece200 100644
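Review bot: The added `| extend SrcIpAddr = DvcIpAddr` comes after the alias `extend` whose tail (`User = ActorUsername`) is visible here, so if that block also derives `IpAddr` or `Src` from `SrcIpAddr`, as the Native parser in this series does, those aliases are evaluated before the column exists; placing the extend ahead of the alias block, or adding `, IpAddr = SrcIpAddr` to it, would keep them consistent. Treating the reporting host's own address as the source of a local account-management event is also an assumption worth recording inline, e.g. `// Local account changes: the reporting host is taken as the source address`, because every event from the host now carries a source IP and a source-IP filter will match all of them. The vimUserManagementLinuxAuthpriv.yaml hunk below makes the identical change in the same position. The enclosing parser body starts outside the hunk.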
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementLinuxAuthpriv/ASimUserManagementLinuxAuthpriv.json
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser for Linux Authpriv logs", "category": "ASIM", "FunctionAlias": "ASimUserManagementLinuxAuthpriv", - "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n 
| extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n 
EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where 
ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke 
ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n| project-away Computer, HostIP, HostName\n};\nparser (\n disabled = disabled\n)", + "query": "let parser = (\n disabled:bool = false\n) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n 
Syslog\n | where not(disabled)\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" 
TargetUsername \"'\" *\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith 
\"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = 
\"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | lookup ActionLookup on Action\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n 
EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n disabled = disabled\n)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json index 65b9a0ed89..2e7e36b99f 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementLinuxAuthpriv/vimUserManagementLinuxAuthpriv.json 
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser for Linux Authpriv logs", "category": "ASIM", "FunctionAlias": "vimUserManagementLinuxAuthpriv", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n 
and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse 
SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and 
PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and 
SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n 
(array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage 
startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n 
EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\nlet ActionLookup = datatable (Action:string, EventType:string)\n[\n \"added\", \"UserAddedToGroup\",\n \"removed\",\"UserRemovedFromGroup\"\n];\nlet SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)\n[\n \"info\", \"Informational\",\n \"warn\", \"Low\",\n \"err\", \"Medium\",\n \"crit\", \"High\"\n]; \nlet ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {\n T\n | lookup SeverityLookup on SeverityLevel\n | extend ActingAppId = tostring(ProcessID)\n | project-away SyslogMessage,SeverityLevel, ProcessID\n};\nlet SyslogParsed = (\n Syslog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix)) and\n (array_length(targetusername_has_any) == 0 or (SyslogMessage 
has_any(targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any)))\n | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))\n | where Facility == \"authpriv\"\n and ProcessName in (\"useradd\",\"usermod\",\"userdel\",\"groupadd\",\"groupmod\",\"groupdel\",\"gpasswd\")\n | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId\n);\nunion (\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new user: name=\"\n | parse SyslogMessage with \"new user: name=\" TargetUsername \", UID=\" TargetUserId \", GID=\" GroupId \", \" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"failed adding user '\"\n | parse SyslogMessage with \"failed adding user '\" TargetUsername \"', exit code: \" EventOriginalResultDetails\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"Other\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new user: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Success\"\n | invoke 
ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and\n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"useradd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName ==\"useradd\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserModified\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user name '\"\n | parse SyslogMessage with \"change user name '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserAddedToGroup\" in (eventtype_in)))\n | where ProcessName ==\"usermod\" \n and SyslogMessage startswith \"add '\"\n | parse SyslogMessage with \"add '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" \n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserAddedToGroup\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | 
where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDisabled\" in (eventtype_in)) or (\"UserEnabled\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and not (SyslogMessage endswith \"' password\")\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType \" from '\" PreviousPropertyValue \"' to '\" NewPropertyValue \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = case (\n EventSubType == \"expiration\" and PreviousPropertyValue == \"never\", \"UserDisabled\",\n EventSubType == \"expiration\" and NewPropertyValue == \"never\", \"UserEnabled\",\n \"UserModified\"\n ),\n EventResult = \"Success\"\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserCreated\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"UserCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"PasswordChanged\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"change user '\"\n and SyslogMessage endswith \"password\"\n | parse SyslogMessage with \"change user '\" TargetUsername \"' \" EventSubType\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"PasswordChanged\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or 
\"UserLocked\" in (eventtype_in)))\n | where ProcessName == \"usermod\"\n and SyslogMessage startswith \"lock user '\"\n and SyslogMessage endswith \"' password\"\n | parse SyslogMessage with \"lock user '\" TargetUsername \"' password\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserLocked\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete '\"\n | parse SyslogMessage with \"delete '\" TargetUsername \"'\" * \"group '\" GroupName \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and SyslogMessage startswith \"delete user '\"\n | parse SyslogMessage with \"delete user '\" TargetUsername \"'\" *\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"UserDeleted\" in (eventtype_in)))\n | where ProcessName == \"userdel\"\n and (SyslogMessage startswith \"removed group '\" \n or SyslogMessage startswith \"removed shadow group '\")\n | parse SyslogMessage with \"removed\" * \"group '\" GroupName \"' owned by '\" TargetUsername \"'\"\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any)))\n | extend \n 
EventType = \"UserDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and SyslogMessage has \"GID=\"\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"group added to \"\n and not(SyslogMessage has \"GID=\")\n | parse SyslogMessage with \"group added to \" * \"name=\" GroupName\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"new group: name=\"\n | parse SyslogMessage with \"new group: name=\" GroupName \", GID=\" GroupId\n | extend \n EventType = \"GroupCreated\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupCreated\" in (eventtype_in)))\n | where ProcessName == \"groupadd\"\n and SyslogMessage startswith \"cannot open login definitions\"\n | extend \n EventType = \"GroupCreated\", \n EventResult = \"Failure\",\n EventResultDetails = \"NotAuthorized\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and 
SyslogMessage startswith \"group changed in \"\n | parse SyslogMessage with \"group changed in \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend \n split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupModified\" in (eventtype_in)))\n | where ProcessName == \"groupmod\"\n and SyslogMessage startswith \"failed to change \"\n | parse SyslogMessage with \"failed to change \" * \" (group \" Temp_GroupName \", new name: \" *\n | extend split(Temp_GroupName, \"/\")\n | extend \n GroupName = tostring(Temp_GroupName[0]),\n GroupId = tostring(Temp_GroupName[1])\n | project-away Temp_GroupName\n | extend \n EventType = \"GroupModified\",\n EventResult = \"Failure\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(actorusername_has_any) == 0 and \n (array_length(eventtype_in) == 0 or \"GroupDeleted\" in (eventtype_in)))\n | where ProcessName == \"groupdel\"\n | parse SyslogMessage with \"group '\" GroupName \"' removed\" *\n | extend \n EventType = \"GroupDeleted\",\n EventResult = \"Success\"\n | invoke ItemParser()\n),(\n SyslogParsed\n | where (array_length(eventtype_in) == 0 or (\"UserAddedToGroup\" in (eventtype_in)) or (\"UserRemovedFromGroup\" in (eventtype_in)))\n | where ProcessName == \"gpasswd\"\n | parse SyslogMessage with \"user \" TargetUsername \" \" Action \" by \" ActorUsername \" \" * \" group \" GroupName\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (ActorUsername has_any(actorusername_has_any)))\n | lookup ActionLookup on Action\n | where (array_length(eventtype_in) == 0 or (EventType in 
(eventtype_in)))\n | project-away Action\n | extend \n EventResult = \"Success\"\n | invoke ItemParser()\n)\n| invoke _ASIM_ResolveDvcFQDN (\"HostName\")\n| project-rename \n ActingAppName = ProcessName,\n DvcId = _ResourceId,\n EventUid = _ItemId\n| extend\n ActingAppType = \"Process\",\n ActorUsernameType = iif(isnotempty(ActorUsername), \"Simple\", \"\"),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n DvcIpAddr = iif(HostIP == \"Unknown IP\",\"\",HostIP),\n DvcOs = \"Linux\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Authpriv\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventStartTime = TimeGenerated,\n EventVendor = \"Linux\",\n GroupIdType = iif(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iif(isnotempty(GroupName), \"Simple\", \"\"),\n Hostname = DvcHostname,\n TargetUserIdType = iif(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = iif(isnotempty(TargetUsername), \"Simple\", \"\"),\n UpdatedPropertyName = EventSubType,\n User = ActorUsername\n | extend SrcIpAddr = DvcIpAddr\n| project-away Computer, HostIP, HostName\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" } From 4112c4c329e0f67da3165d12129f030e53371846 Mon Sep 17 00:00:00 2001 
From: Varun Kohli
Date: Thu, 7 Mar 2024 14:50:46 +0530
Subject: [PATCH 10/15] Updating UserManagement
---
 ...imUserManagementMicrosoftSecurityEvent.yaml | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
index 44e7998b7f..fd2e2cd32c 100644
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementMicrosoftSecurityEvent.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: User Management ASIM parser for Microsoft Security Event logs
- Version: '0.1.0'
- LastUpdated: 16 Jul, 2023
+ Version: '0.1.1'
+ LastUpdated: Mar 07, 2024
 Product:
 Name: Microsoft
 Normalization:
@@ -121,8 +121,8 @@ ParserQuery: |
 TargetUserId = tostring(EventData.TargetSid),
 TargetUsername = tostring(EventData.TargetUserName),
 EventMessage = tostring(EventData.Activity)
- | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))
+ | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain,"\\",TargetUsername) has_any (targetusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any)))
 | project-rename
 NewPropertyValue = NewTargetUserName,
 PreviousPropertyValue = OldTargetUserName
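Review bot: The three ORed `has_any` clauses in each new filter of the -121 hunk are redundant with one another, because `has_any` matches whole tokens and `\` is a token separator: any value that matches `TargetDomain has_any (...)` or `TargetUsername has_any (...)` should also match `strcat(TargetDomain,"\\",TargetUsername) has_any (targetusername_has_any)`, so the concatenated clause alone gives the same result (and additionally covers `domain\user` values) at lower evaluation cost; the same pattern repeats in the hunks at -139, -206 and -251 below. Unless a case has been observed where the phrase form misses, I would reduce each side to the `strcat` clause, e.g. `| where (array_length(targetusername_has_any) == 0 or (strcat(TargetDomain,"\\",TargetUsername) has_any (targetusername_has_any))) and` with the matching actor line, which also removes the stray space in `( strcat(` present in all four hunks. Separately, this filter still runs before `TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)` (as the generated template of this parser in the following commit shows), so a rename event whose TargetUserName is empty but whose OldTargetUserName matches the filter is still dropped — pre-existing and not addressed by this change. The enclosing union branch starts and ends outside the hunk.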
@@ -139,8 +139,8 @@ ParserQuery: |
 | where (isnull(starttime) or TimeGenerated >= starttime)
 and (isnull(endtime) or TimeGenerated <= endtime)
 | where EventID in(UserEventID)
- | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and
+ | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,"\\",TargetUserName) has_any (targetusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any))) and
 (array_length(srcipaddr_has_any_prefix) == 0)
 | project-rename
 ActorOriginalUserType = AccountType,
@@ -206,7 +206,7 @@ ParserQuery: |
 | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))
 | where EventID in(GroupEventID)
 | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any))) and
 (array_length(srcipaddr_has_any_prefix) == 0)
 | project-rename
 ActorOriginalUserType = AccountType,
@@ -251,8 +251,8 @@ ParserQuery: |
 SubjectUserName:string
 )
 with (regex=@'{?([^<]*?)}?')
- | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and
- (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and
+ | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,"\\",TargetUserName) has_any (targetusername_has_any))) and
+ (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any))) and
 (array_length(srcipaddr_has_any_prefix) == 0)
 | project-rename
 ActorOriginalUserType = AccountType,
From 295a971f1f29d04bbaaf277a3df2f5d376e6abf9 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Thu, 7 Mar 2024 09:23:54 +0000
Subject: [PATCH 11/15] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../vimUserManagementMicrosoftSecurityEvent.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json
index 0825bf47d3..f6cbdb251b 100644
--- a/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementMicrosoftSecurityEvent/vimUserManagementMicrosoftSecurityEvent.json
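Review bot: In the -251 hunk the target filter is still evaluated against `TargetUserName`/`TargetDomainName`, which in this branch hold the group (the generated template of this parser in the next commit shows the same branch renaming `GroupName = TargetUserName` right after `ActorOriginalUserType = AccountType,`), while the actual target, `MemberName`, is filtered separately once it is parsed from EventData. If the yaml matches that template, a non-empty `targetusername_has_any` requires both the group name and the member name to contain the requested token, so most group-membership events for the requested user are dropped — a pre-existing gap this change keeps. I would drop the target half of this `where` and rely on the later `MemberName` filter, leaving `| where (array_length(actorusername_has_any) == 0 or (strcat(SubjectDomainName,"\\",SubjectUserName) has_any (actorusername_has_any))) and` followed by the unchanged `(array_length(srcipaddr_has_any_prefix) == 0)` line. The enclosing union branch starts and ends outside the hunk.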
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser for Microsoft Security Event logs", "category": "ASIM", "FunctionAlias": "vimUserManagementMicrosoftSecurityEvent", - "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", \"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", 
\"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = 
tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | 
project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n 
(array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n 
),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = 
EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )", + "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n let EventIDLookup = datatable(EventID:int, EventType:string, EventSubType:string, GroupType:string)\n [ \n \"4720\", \"UserCreated\", \"UserCreated\", \"\", \n \"4722\", \"UserEnabled\", 
\"UserModified\", \"\", \n \"4723\", \"PasswordChanged\", \"UserModified\", \"\", \n \"4724\", \"PasswordReset\", \"UserModified\", \"\", \n \"4725\", \"UserDisabled\", \"UserModified\", \"\", \n \"4726\", \"UserDeleted\", \"UserModified\", \"\", \n \"4727\", \"GroupCreated\", \"GroupCreated\", \"Global Security Enabled\", \n \"4728\", \"UserAddedToGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4729\", \"UserRemovedFromGroup\", \"GroupModified\", \"Global Security Enabled\", \n \"4730\", \"GroupDeleted\", \"GroupModified\", \"Global Security Enabled\", \n \"4731\", \"GroupCreated\", \"GroupCreated\", \"Local Security Enabled\", \n \"4732\", \"UserAddedToGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4733\", \"UserRemovedFromGroup\", \"GroupModified\", \"Local Security Enabled\", \n \"4734\", \"GroupDeleted\", \"GroupModified\", \"Local Security Enabled\", \n \"4738\", \"UserModified\", \"UserModified\", \"\", \n \"4740\", \"UserLocked\", \"UserModified\", \"\", \n \"4744\", \"GroupCreated\", \"GroupCreated\", \"Local Distribution\", \n \"4748\", \"GroupDeleted\", \"GroupModified\", \"Local Distribution\", \n \"4749\", \"GroupCreated\", \"GroupCreated\", \"Global Distribution\", \n \"4753\", \"GroupDeleted\", \"GroupModified\", \"Global Distribution\", \n \"4754\", \"GroupCreated\", \"GroupCreated\", \"Universal Security Enabled\", \n \"4756\", \"UserAddedToGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4757\", \"UserRemovedFromGroup\", \"GroupModified\", \"Universal Security Enabled\", \n \"4758\", \"GroupDeleted\", \"GroupModified\", \"Universal Security Enabled\", \n \"4759\", \"GroupCreated\", \"GroupCreated\", \"Universal Distribution\", \n \"4763\", \"GroupDeleted\", \"GroupModified\", \"Universal Distribution\", \n \"4767\", \"UserLocked\", \"UserModified\", \"\", \n \"4781\", \"UserModified\", \"UserModified\", \"\" \n ];\n let UserTypeLookup = datatable (ActorOriginalUserType:string, ActorUserType:string)\n [\n 
'Machine', 'Machine',\n 'User', 'Regular'\n ]; \n let UserEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"UserCreated\",\"UserModified\") \n | summarize make_set(EventID)\n );\n let GroupEventID = toscalar(\n EventIDLookup\n | where not(disabled)\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | where EventSubType in(\"GroupCreated\",\"GroupModified\") \n | summarize make_set(EventID)\n );\n union (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend\n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n TargetDomain = tostring(EventData.TargetDomainName),\n TargetUserId = tostring(EventData.TargetSid),\n TargetUsername = tostring(EventData.TargetUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomain has_any (targetusername_has_any)) or (TargetUsername has_any (targetusername_has_any)) or (strcat(TargetDomain,\"\\\\\",TargetUsername) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any 
(actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any)))\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where EventID in(UserEventID)\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n TargetDomain = TargetDomainName,\n TargetUserId = TargetSid,\n TargetUsername = TargetUserName,\n EventMessage = Activity\n | parse-kv EventData as \n (\n OldTargetUserName:string,\n NewTargetUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-rename\n NewPropertyValue = NewTargetUserName,\n PreviousPropertyValue = OldTargetUserName\n | extend \n 
TargetUsername = coalesce(TargetUsername, PreviousPropertyValue)\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, TargetDomain, TargetUserId, TargetUsername, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, NewPropertyValue, PreviousPropertyValue, SourceComputerId, EventMessage\n | extend\n TargetUserIdType = iif(isnotempty(TargetUserId), \"SID\",\"\"),\n TargetUsername = iff (TargetDomain == \"\", TargetUsername, strcat (TargetDomain, '\\\\', TargetUsername))\n | project-away TargetDomain\n ),(\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | extend \n ActorOriginalUserType = tostring(EventData.AccountType),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n GroupDomain = tostring(EventData.TargetDomainName),\n GroupId = tostring(EventData.TargetSid),\n GroupName = tostring(EventData.TargetUserName),\n MemberName = tostring(EventData.MemberName),\n MemberSid = tostring(EventData.MemberSid),\n NewTargetUserName = tostring(EventData.NewTargetUserName),\n OldTargetUserName = tostring(EventData.OldTargetUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectUserName = tostring(EventData.SubjectUserName),\n EventMessage = tostring(EventData.Activity)\n | where (array_length(targetusername_has_any) == 0 or (NewTargetUserName has_any (targetusername_has_any)) or (OldTargetUserName has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectUserName has_any (actorusername_has_any)))\n | extend \n GroupName = iff 
(GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName)),\n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where not (EventID in (4744, 4748, 4749, 4753, 4759, 4763))\n | where EventID in(GroupEventID)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, _ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = 
iif(isnotempty(GroupId), \"SID\",\"\")\n ),(\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n | where EventID in (4744, 4748, 4749, 4753, 4759, 4763)\n | where (array_length(targetusername_has_any) == 0 or (EventData has_any (targetusername_has_any))) and \n (array_length(actorusername_has_any) == 0 or (EventData has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | parse-kv EventData as \n (\n TargetUserName:string,\n TargetDomainName:string,\n TargetSid:string,\n SubjectUserSid:string,\n AccountType:string,\n SubjectLogonId:string,\n SubjectDomainName:string,\n SubjectUserName:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (TargetDomainName has_any (targetusername_has_any)) or (TargetUserName has_any (targetusername_has_any)) or (strcat(TargetDomainName,\"\\\\\",TargetUserName) has_any (targetusername_has_any))) and\n (array_length(actorusername_has_any) == 0 or (SubjectDomainName has_any (actorusername_has_any)) or (SubjectUserName has_any (actorusername_has_any)) or ( strcat(SubjectDomainName,\"\\\\\",SubjectUserName) has_any (actorusername_has_any))) and\n (array_length(srcipaddr_has_any_prefix) == 0)\n | project-rename \n ActorOriginalUserType = AccountType,\n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n GroupDomain = TargetDomainName,\n GroupId = TargetSid,\n GroupName = TargetUserName,\n EventMessage = Activity\n | extend GroupName = iff (GroupDomain == \"\", GroupName, strcat (GroupDomain, \"\\\\\" ,GroupName))\n | parse-kv EventData as \n (\n MemberName:string,\n MemberSid:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where (array_length(targetusername_has_any) == 0 or (MemberName has_any (targetusername_has_any)))\n | project-rename \n TargetUserId = MemberSid,\n TargetUsername = MemberName\n | project TimeGenerated, EventID, Computer, 
_ResourceId, _ItemId, GroupId, GroupName, ActorUserId, SubjectDomainName, SubjectUserName, ActorOriginalUserType, ActorSessionId, TargetUsername, TargetUserId, SourceComputerId, EventMessage\n | extend \n GroupIdType = iif(isnotempty(GroupId), \"SID\",\"\")\n )\n| lookup EventIDLookup on EventID\n| extend UpdatedPropertyName = EventSubType\n| invoke _ASIM_ResolveDvcFQDN (\"Computer\")\n| lookup UserTypeLookup on ActorOriginalUserType\n| extend \n DvcId = coalesce(_ResourceId, SourceComputerId),\n EventOriginalType = tostring(EventID)\n| project-rename \n EventUid = _ItemId\n| extend \n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n Dvc = DvcHostname,\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceID\", \"\"),\n DvcOs = \"Windows\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Security Events',\n EventResult = \"Success\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventSeverity = \"Informational\",\n EventStartTime = TimeGenerated,\n EventVendor = 'Microsoft',\n Hostname = DvcHostname\n| project-away Subject*, Computer, _ResourceId, SourceComputerId,EventID\n| extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n GroupNameType = _ASIM_GetUsernameType(GroupName),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername,TargetUserId),\n User = ActorUsername\n};\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n )", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" } From 90b43477934a844eb9928292059103d92543705c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Thu, 7 Mar 2024 12:51:00 +0000 Subject: [PATCH 12/15] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimUserManagementNative.json | 46 +++++++++++++++++++ .../ARM/ASimUserManagementNative/README.md | 18 ++++++++ .../ASimUserManagementSentinelOne.json | 2 +- .../ARM/FullDeploymentUserManagement.json | 40 ++++++++++++++++ .../ARM/vimUserManagementNative/README.md | 18 ++++++++ .../vimUserManagementNative.json | 46 +++++++++++++++++++ .../vimUserManagementSentinelOne.json | 2 +- 7 files changed, 170 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json create mode 100644 Parsers/ASimUserManagement/ARM/ASimUserManagementNative/README.md create mode 100644 Parsers/ASimUserManagement/ARM/vimUserManagementNative/README.md create mode 100644 Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json new file mode 100644 index 0000000000..edadff7825 --- /dev/null +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json 
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimUserManagementNative",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "User Management activity ASIM parser for Microsoft Sentinel native User Management activity table",
+ "category": "ASIM",
+ "FunctionAlias": "ASimUserManagementNative",
+ "query": "let parser = (\n disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (disabled = disabled)\n",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/README.md b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/README.md
new file mode 100644
index 0000000000..8eee29da79
--- /dev/null
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/README.md
@@ -0,0 +1,18 @@
+# Native ASIM UserManagement Normalization Parser + +ARM template for ASIM UserManagement schema parser for Native. + +This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM UserManagement normalization schema reference](https://aka.ms/ASimUserManagementDoc) + 
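Review bot: The alias `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the ASimUserManagementNative query tests EventEndTime instead of EventStartTime, so a row whose EventStartTime is null but whose EventEndTime is set is emitted with a null EventStartTime. Both aliases sit in the same `extend`, so the fix is the one-line change `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. Since this template is generated from the parser YAML, the correction belongs in that source file and the template should then be regenerated; the vimUserManagementNative.json template added by the same commit presumably carries the same query and lies outside this view.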
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FASimUserManagementNative%2FASimUserManagementNative.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FASimUserManagementNative%2FASimUserManagementNative.json)
diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json
index c7d71d36b3..c252d8b13d 100644
--- a/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json
+++ b/Parsers/ASimUserManagement/ARM/ASimUserManagementSentinelOne/ASimUserManagementSentinelOne.json
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser for SentinelOne", "category": "ASIM", "FunctionAlias": "ASimUserManagementSentinelOne", - "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n];\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Activities.\"\n and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: 
string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields:string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend \n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser), username, \"\"),\n PreviousPropertyValue = coalesce(oldDescription, oldRole),\n NewPropertyValue = coalesce(description, role)\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId),\"Other\",\"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n 
TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem\n};\nparser(disabled=disabled)", + "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", 
\"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (disabled: bool=false) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and activityType_d in (UsermanagementactivityIds)\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n ),\n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and 
primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(disabled=disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json b/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json index f1f2bc9839..e2c945ffff 100644 --- a/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json +++ b/Parsers/ASimUserManagement/ARM/FullDeploymentUserManagement.json @@ -98,6 +98,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimUserManagementNative", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimUserManagement/ARM/ASimUserManagementNative/ASimUserManagementNative.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
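Review bot: The two EventTypeLookup rows added for activity types 67 (`User 2FA Modified`) and 42 (`Global 2FA modified`) carry an empty EventType, and the `case` that follows only fills it when primaryDescription_s has the term `enabled` or `disabled`; any other wording falls through to the lookup value and the row leaves the parser with an empty EventType, which ASIM treats as a mandatory field. Giving those rows a non-empty default, e.g. `67, "UserModified", "User 2FA Modified", ""` and `42, "UserModified", "Global 2FA modified", ""`, keeps the output schema-valid even when the description text changes; whether `UserModified` is the right value for type 42, which reads as a tenant-level setting rather than a user change, is worth confirming against the schema. The same fallthrough leaves PreviousPropertyValue and NewPropertyValue empty for those rows, which is acceptable, and `newValue` is parsed from DataFields_s only to be projected away, so it can be dropped from `parse-kv`. This template is generated, so the changes belong in the parser YAML it was built from.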
@@ -218,6 +238,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimUserManagementNative",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/README.md b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/README.md
new file mode 100644
index 0000000000..605815b300
--- /dev/null
+++ b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/README.md
@@ -0,0 +1,18 @@
+# Native ASIM UserManagement Normalization Parser
+
+ARM template for ASIM UserManagement schema parser for Native.
+
+This ASIM parser supports normalizing the native User Management activity table to the ASIM User Management activity normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM UserManagement normalization schema reference](https://aka.ms/ASimUserManagementDoc)
+
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FvimUserManagementNative%2FvimUserManagementNative.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimUserManagement%2FARM%2FvimUserManagementNative%2FvimUserManagementNative.json) diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json new file mode 100644 index 0000000000..39cbda3482 --- /dev/null +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementNative/vimUserManagementNative.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimUserManagementNative", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "User Management activity ASIM filtering parser for Microsoft Sentinel native User Management activity table", + "category": "ASIM", + "FunctionAlias": "vimUserManagementNative", + "query": "let parser = (\n starttime:datetime = datetime(null)\n , endtime:datetime = datetime(null)\n , srcipaddr_has_any_prefix:dynamic = dynamic([])\n , targetusername_has_any:dynamic = dynamic([])\n , actorusername_has_any:dynamic = dynamic([])\n , eventtype_in:dynamic = dynamic([])\n , disabled:bool = false\n)\n{\n ASimUserManagementActivityLogs\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr,srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n and (array_length(targetusername_has_any) == 0 or 
TargetUsername has_any (targetusername_has_any))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n | project-rename\n EventUid = _ItemId\n | extend \n EventSchema = \"UserManagement\",\n DvcScopeId = iff(isempty(DvcScopeId), _SubscriptionId, DvcScopeId)\n // -- Aliases\n | extend\n EventEndTime = iff (isnull(EventEndTime), TimeGenerated, EventEndTime),\n EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId),\n Rule = coalesce(RuleName, tostring(RuleNumber)),\n User = ActorUsername,\n Hostname = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = coalesce (SrcHostname,SrcIpAddr, SrcDvcId),\n UpdatedPropertyName = EventSubType\n | project-away\n TenantId,\n SourceSystem,\n _SubscriptionId,\n _ResourceId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , srcipaddr_has_any_prefix = srcipaddr_has_any_prefix\n , targetusername_has_any = targetusername_has_any\n , actorusername_has_any = actorusername_has_any\n , eventtype_in = eventtype_in\n , disabled = disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json index b49cb33dc5..910a97a20a 100644 --- a/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json +++ b/Parsers/ASimUserManagement/ARM/vimUserManagementSentinelOne/vimUserManagementSentinelOne.json 
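Review bot: `EventStartTime = iff (isnull(EventEndTime), TimeGenerated, EventStartTime)` in the aliases block tests `EventEndTime` instead of `EventStartTime`, so a row with an end time but no start time keeps a null `EventStartTime`, and a row with a start time but no end time has it overwritten by `TimeGenerated`. It should read `EventStartTime = iff (isnull(EventStartTime), TimeGenerated, EventStartTime),`. Separately, `functionParameters` lists `actorusername_has_any` before `targetusername_has_any` while the query's `parser` declares them the other way round; the inner call passes them by name so the result is correct, but positional callers of the saved function get the `functionParameters` order, so aligning the two would avoid surprises.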
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser for SentinelOne", "category": "ASIM", "FunctionAlias": "vimUserManagementSentinelOne", - "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled:bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n and event_name_s == \"Activities.\"\n and 
(isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 3715, 5006, 5008, 5011)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields:string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | where (array_length(eventtype_in) == 0 or (EventType in (eventtype_in)))\n | extend \n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser), username, \"\"),\n PreviousPropertyValue = coalesce(oldDescription, oldRole),\n NewPropertyValue = coalesce(description, role)\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | 
project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId),\"Other\",\"\"),\n ActorUserType = _ASIM_GetUserType(ActorUsername,ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = 
srcipaddr_has_any_prefix ,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)", + "query": "let EventTypeLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventOriginalType: string,\n EventSubType: string\n)[\n 23, \"UserCreated\", \"User Added\", \"\",\n 24, \"UserModified\", \"User Modified\", \"MultipleProperties\",\n 25, \"UserDeleted\", \"User Deleted\", \"\",\n 37, \"UserModified\", \"User modified\", \"MultipleProperties\",\n 102, \"UserDeleted\", \"User Deleted\", \"\",\n 110, \"UserModified\", \"Enable API Token Generation\", \"NewPermissions\",\n 111, \"UserModified\", \"Disable API Token Generation\", \"PreviousPermissions\",\n 140, \"UserCreated\", \"Service User creation\", \"\",\n 141, \"UserModified\", \"Service User modification\", \"MultipleProperties\",\n 142, \"UserDeleted\", \"Service User deletion\", \"\",\n 3522, \"GroupCreated\", \"Ranger Deploy - Credential Group Created\", \"\",\n 3523, \"GroupModified\", \"Ranger Deploy -Credential Group Edited\", \"MultipleProperties\",\n 3524, \"GroupDeleted\", \"Ranger Deploy - Credential Group Deleted\", \"\",\n 3710, \"PasswordReset\", \"User Reset Password with Forgot Password from the Login\", \"\",\n 3711, \"PasswordChanged\", \"User Changed Their Password\", \"\",\n 3715, \"PasswordReset\", \"User Reset Password by Admin Request\", \"\",\n 5006, \"GroupDeleted\", \"Group Deleted\", \"\",\n 5008, \"GroupCreated\", \"User created a Manual or Pinned Group\", \"\",\n 5011, \"GroupModified\", \"Group Policy Reverted\", \"Newpolicy\",\n 67, \"\", \"User 2FA Modified\", \"\",\n 145, \"UserModified\", \"Enroll 2FA\", \"\",\n 146, \"UserModified\", \"Reset 2FA\", \"\",\n 42, \"\", \"Global 2FA modified\", \"\",\n 147, \"UserModified\", \"User Configured 2FA\", \"\"\n];\nlet UsermanagementactivityIds = dynamic([23, 24, 25, 37, 102, 110, 111, 140, 141, 142, 3522, 3523, 3524, 3710, 3711, 
3715, 5006, 5008, 5011, 67, 145, 146, 42, 147]);\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n disabled: bool=false\n ) {\n SentinelOne_CL\n | where not(disabled)\n | where event_name_s == \"Activities.\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and activityType_d in (UsermanagementactivityIds)\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n and (array_length(targetusername_has_any) == 0 or DataFields_s has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or DataFields_s has_any (actorusername_has_any))\n | parse-kv DataFields_s as (byUser: string, username: string, email: string, ipAddress: string, group: string, groupName: string, name: string, oldDescription: string, oldRole: string, description: string, role: string, userScope: string, scopeLevelName: string, scopeName: string, roleName: string, modifiedFields: string, deactivationPeriodInDays: string, descriptionChanged: string, groupType: string, newValue: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | where array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix)\n | parse modifiedFields with 'Modified fields: ' ModifiedFields: string\n | parse description_s with * \"with id=\" id: string \",\" restOfMessage\n | lookup EventTypeLookup on activityType_d\n | extend\n EventType = case (\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"UserEnabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"UserDisabled\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or (EventType in 
(eventtype_in)))\n | extend \n PreviousPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"disabled\",\n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"enabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n oldDescription, \n activityType_d == 141 and descriptionChanged == \"false\",\n oldRole,\n \"\"\n ),\n NewPropertyValue = case(\n activityType_d in (67, 42) and primaryDescription_s has \"enabled\",\n \"enabled\", \n activityType_d in (67, 42) and primaryDescription_s has \"disabled\",\n \"disabled\",\n activityType_d == 141 and descriptionChanged == \"true\",\n description, \n activityType_d == 141 and descriptionChanged == \"false\",\n role,\n \"\"\n ),\n ActorUsername = iff(activityType_d == 102, \"SentinelOne\", coalesce(byUser, username, email)), \n GroupName = coalesce(group, groupName, name),\n TargetUsername = iff(isnotempty(byUser) or activityType_d in (147, 42), username, \"\")\n | where (array_length(targetusername_has_any) == 0 or TargetUsername has_any (targetusername_has_any))\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n | extend GroupName = iff(GroupName == \"null\", \"\", GroupName)\n | project-rename\n EventStartTime = createdAt_t,\n SrcIpAddr = ipAddress,\n EventUid = _ItemId,\n ActorUserId = id,\n GroupId = groupId_s,\n EventMessage = primaryDescription_s,\n EventOriginalUid = activityUuid_g\n | extend\n EventCount = int(1),\n EventResult = \"Success\",\n DvcAction = \"Allowed\",\n EventSeverity = \"Informational\",\n EventSchema = \"UserManagement\",\n EventSchemaVersion = \"0.1.1\",\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventResultDetails = \"Other\"\n | extend\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n IpAddr = SrcIpAddr,\n User = ActorUsername,\n UpdatedPropertyName = EventSubType,\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n 
ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n GroupIdType = iff(isnotempty(GroupId), \"UID\", \"\"),\n GroupNameType = iff(isnotempty(GroupName), \"Simple\", \"\"),\n GroupType = iff(isnotempty(groupType), \"Other\", \"\"),\n GroupOriginalType = groupType,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n AdditionalFields = bag_pack(\n \"userScope\", userScope,\n \"scopeLevelName\", scopeLevelName,\n \"scopeName\", scopeName,\n \"modifiedFields\", modifiedFields,\n \"roleName\", roleName,\n \"deactivationPeriodInDays\", deactivationPeriodInDays,\n \"descriptionChanged\", descriptionChanged\n )\n | project-away \n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n byUser,\n username,\n email,\n group,\n groupName,\n groupType,\n name,\n oldDescription,\n oldRole,\n description,\n role,\n userScope,\n scopeLevelName,\n scopeName,\n roleName,\n modifiedFields,\n ModifiedFields,\n deactivationPeriodInDays,\n descriptionChanged,\n restOfMessage,\n _ResourceId,\n TenantId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceSystem,\n newValue\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n disabled = disabled\n)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),disabled:bool=False" } From 2b3152db2e52b1054bfc3e80fec42e0ec3f240fb Mon Sep 17 00:00:00 2001 
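Review bot: The new lookup rows `67, "", "User 2FA Modified", ""` and `42, "", "Global 2FA modified", ""` leave `EventType` empty, and the `case` that follows the lookup only fills it with `UserEnabled`/`UserDisabled` when `primaryDescription_s` has "enabled" or "disabled"; any other 67/42 activity is emitted with an empty `EventType`, which the `eventtype_in` filter cannot select and downstream content cannot classify. If those descriptions can take other forms, either map them explicitly in the lookup or add `| where isnotempty(EventType)` after the `case` so such rows are dropped rather than passed through half-normalized. The `has "enabled"` arm is also tested before `has "disabled"`, so a description containing both words is classified as enabled; worth confirming against real samples. Finally, `newValue` is added to `parse-kv` and then only listed under `project-away`, so it can be dropped from the parse unless it is meant to feed `NewPropertyValue`.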
From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 8 Mar 2024 13:58:35 +0530 Subject: [PATCH 13/15] union parser and tester.csv --- .../Parsers/ASimUserManagement.yaml | 6 ++- .../Parsers/imUserManagement.yaml | 49 ++++++++++--------- 2 files changed, 31 insertions(+), 24 deletions(-) diff --git a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml index a0eb23c7df..a064eaec27 100644 --- a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml +++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml @@ -21,7 +21,8 @@ Parsers: - _ASim_UserManagement_CiscoISE - _ASim_UserManagement_LinuxAuthpriv - _ASim_UserManagement_MicrosoftSecurityEvent - - _ASim_UserManagement_SentinelOne + - _ASim_UserManagement_SentinelOne + - _ASim_UserManagement_Native ParserParams: - Name: pack Type: bool @@ -40,7 +41,8 @@ ParserQuery: | ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))), ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))), ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))), - ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))) + ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))), + ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers))) }; parser ( pack=pack diff --git a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml index 6d5efc526c..923e5ae7a7 100644 --- a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml +++ b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml 
@@ -22,6 +22,7 @@ Parsers:
 - _Im_UserManagement_LinuxAuthpriv
 - _Im_UserManagement_MicrosoftSecurityEvent
 - _Im_UserManagement_SentinelOne
+ - _Im_UserManagement_Native
 ParserParams:
 - Name: starttime
 Type: datetime
@@ -45,30 +46,34 @@ ParserParams: Type: bool Default: false ParserQuery: | - let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser)); + let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') + | where SearchKey in ('Any', 'ExcludevimUserManagement') + | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '') + | distinct SourceSpecificParser + | where isnotempty(SourceSpecificParser)); let ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); let parser=( - starttime:datetime=datetime(null), - endtime:datetime=datetime(null), - srcipaddr_has_any_prefix: dynamic=dynamic([]), - targetusername_has_any:dynamic=dynamic([]), - actorusername_has_any:dynamic=dynamic([]), - eventtype_in: dynamic=dynamic([]), - pack:bool=false) - { - union isfuzzy=true - vimUserManagementEmpty, - vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )), - vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )), - vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers) )), - vimUserManagementLinuxAuthpriv(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers) )) + starttime: 
datetime=datetime(null), + endtime: datetime=datetime(null), + srcipaddr_has_any_prefix: dynamic=dynamic([]), + targetusername_has_any: dynamic=dynamic([]), + actorusername_has_any: dynamic=dynamic([]), + eventtype_in: dynamic=dynamic([]), + pack: bool=false) { + union isfuzzy=true + vimUserManagementEmpty, + vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))), + vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))), + vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))), + vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))), + vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in 
(DisabledParsers)))) }; parser ( - starttime=starttime, - endtime=endtime, - srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, - targetusername_has_any = targetusername_has_any, - actorusername_has_any = actorusername_has_any, - eventtype_in = eventtype_in, - pack=pack + starttime=starttime, + endtime=endtime, + srcipaddr_has_any_prefix = srcipaddr_has_any_prefix, + targetusername_has_any = targetusername_has_any, + actorusername_has_any = actorusername_has_any, + eventtype_in = eventtype_in, + pack=pack ) From c306bad44f217cf38af2434b95a14c7261b8211c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Fri, 8 Mar 2024 08:31:44 +0000 Subject: [PATCH 14/15] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ARM/ASimUserManagement/ASimUserManagement.json | 2 +- .../ARM/imUserManagement/imUserManagement.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json index 2e099fa477..2d22f0ef4c 100644 --- a/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json +++ b/Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json 
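Review bot: `pack` is declared on `parser` as `pack: bool=false` and re-passed at the bottom call, but none of the five `vimUserManagement*` invocations in the union forward it, so a caller setting `pack=true` gets the same output as the default. If the source-specific parsers accept `pack`, it should be added alongside `disabled` in each call; if they do not, a short comment next to `pack: bool=false` saying it is accepted for interface compatibility and currently unused would stop the next reader from looking for where it is applied.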
@@ -35,7 +35,7 @@ "displayName": "User Management ASIM parser", "category": "ASIM", "FunctionAlias": "ASimUserManagement", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n pack: bool=false\n ) {\n union isfuzzy=true\n vimUserManagementEmpty,\n ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or 
('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n pack=pack\n)", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json index b49a046c3c..98364c23d4 100644 --- a/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json +++ b/Parsers/ASimUserManagement/ARM/imUserManagement/imUserManagement.json 
@@ -35,7 +35,7 @@
 "displayName": "User Management ASIM filtering parser",
 "category": "ASIM",
 "FunctionAlias": "imUserManagement",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimUserManagement') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any:dynamic=dynamic([]),\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers) )),\n vimUserManagementCiscoISE(starttime, endtime, srcipaddr_has_any_prefix, eventtype_in, actorusername_has_any, ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers) )),\n vimUserManagementSentinelOne(starttime, endtime, targetusername_has, actorusername_has, targetdomain_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers) )),\n vimUserManagementLinuxAuthpriv(starttime, endtime, srcipaddr_has_any_prefix, targetusername_has_any, actorusername_has_any, eventtype_in, ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers) ))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n | where SearchKey in ('Any', 'ExcludevimUserManagement')\n | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n | distinct SourceSpecificParser\n | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludevimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n targetusername_has_any: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n pack: bool=false) {\n union isfuzzy=true\n vimUserManagementEmpty,\n vimUserManagementMicrosoftSecurityEvent(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementMicrosoftSecurityEvent' in (DisabledParsers)))),\n vimUserManagementCiscoISE(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementCiscoISE' in (DisabledParsers)))),\n vimUserManagementSentinelOne(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementSentinelOne' in (DisabledParsers)))),\n vimUserManagementLinuxAuthpriv(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementLinuxAuthpriv' in (DisabledParsers)))),\n vimUserManagementNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, targetusername_has_any=targetusername_has_any, actorusername_has_any=actorusername_has_any, eventtype_in=eventtype_in, disabled = (ASimBuiltInDisabled or ('ExcludevimUserManagementNative' in (DisabledParsers))))\n}; \nparser (\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n targetusername_has_any = targetusername_has_any, \n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n pack=pack\n)\n",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),targetusername_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),pack:bool=False"
 }
From 13282b2264c310cdb248fabcff7693b9ac0db9a2 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Wed, 13 Mar 2024 13:00:34 +0530
Subject: [PATCH 15/15] tester.csv changes
---
 ASIM/dev/ASimTester/ASimTester.csv | 31 ++++++++++++++++++++++--------
 1 file changed, 23 insertions(+), 8 deletions(-)
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index 513dd1edba..f1d2fb8a39 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
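Review bot: The rewritten calls pass the same six filter parameters by name to every source parser, including `targetusername_has_any=` to `vimUserManagementCiscoISE` and `srcipaddr_has_any_prefix=` to `vimUserManagementSentinelOne`, which the old side did not pass to those two; a named argument that the called function does not declare is a binding error, and I would not rely on `union isfuzzy=true` to mask it. Please confirm each `vimUserManagement*` function declares all of `starttime`, `endtime`, `srcipaddr_has_any_prefix`, `targetusername_has_any`, `actorusername_has_any`, `eventtype_in` and `disabled`, or drop the arguments a given parser does not take. As in the non-filtering parser, `pack` is accepted by the inner `parser` function but never forwarded to the source parsers, so it is a no-op here unless that is by design. The `DisabledParsers` watchlist query keeps `| where isnotempty(SourceSpecificParser)` while the non-filtering parser's version omits it; aligning the two would keep the exclusion behaviour identical across both entry points.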
@@ -6,6 +6,7 @@ ActingAppId,string,Optional,UserManagement,,,
 ActingAppName,string,Optional,AuditEvent,,,
 ActingAppName,string,Optional,Authentication,,,
 ActingAppName,string,Optional,FileEvent,,,
+ActingAppName,string,Optional,UserManagement,,,
 ActingAppType,string,Optional,AuditEvent,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
 ActingAppType,string,Optional,Authentication,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
 ActingAppType,string,Optional,FileEvent,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
@@ -42,8 +43,8 @@ ActingProcessSHA1,string,Optional,ProcessEvent,SHA1,,
 ActingProcessSHA256,string,Optional,ProcessEvent,SHA256,,
 ActingProcessSHA512,string,Optional,ProcessEvent,SHA521,,
 ActingProcessTokenElevation,string,Optional,ProcessEvent,,,
-ActiveAppName,string,Optional,UserManagement,,,
-ActorOriginalUserType,,,UserManagement,,,
+ActingAppName,string,Optional,UserManagement,,,
+ActorOriginalUserType,string,Optional,UserManagement,,,
 ActorOriginalUserType,string,Optional,AuditEvent,,,
 ActorOriginalUserType,string,Optional,Authentication,,,
 ActorOriginalUserType,string,Optional,FileEvent,,,
@@ -52,10 +53,12 @@ ActorScope,string,Optional,AuditEvent,,,
 ActorScope,string,Optional,Authentication,,,
 ActorScope,string,Optional,FileEvent,,,
 ActorScope,string,Optional,ProcessEvent,,,
+ActorScope,string,Optional,UserManagement,,,
 ActorScopeId,string,Optional,AuditEvent,,,
 ActorScopeId,string,Optional,Authentication,,,
 ActorScopeId,string,Optional,FileEvent,,,
 ActorScopeId,string,Optional,ProcessEvent,,,
+ActorScopeId,string,Optional,UserManagement,,,
 ActorSessionId,string,Optional,AuditEvent,,,
 ActorSessionId,string,Optional,Authentication,,,
 ActorSessionId,string,Optional,FileEvent,,,
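Review bot: The `@@ -42,8 +43,8 @@` hunk turns the misspelled `ActiveAppName` row into `ActingAppName,string,Optional,UserManagement,,,`, but the `@@ -6,6 +6,7 @@` hunk already inserts that exact row in its sorted place among the other `ActingAppName` entries, so the new file carries the row twice. The second copy also sits after the `ActingProcess*` rows, out of the file's alphabetical order. Unless the tester deduplicates rows, drop the `+ActingAppName,string,Optional,UserManagement,,,` line from the second hunk and keep only the first. While in that hunk, the context row `ActingProcessSHA512,string,Optional,ProcessEvent,SHA521,,` has `SHA521` in the format column, which looks like a pre-existing typo for `SHA512`.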
@@ -66,6 +69,7 @@ ActorUpn,string,Optional,FileEvent,,,
 ActorUserAadId,string,Optional,AuditEvent,,,
 ActorUserAadId,string,Optional,FileEvent,,,
 ActorUserAadId,string,Optional,ProcessEvent,,,
+ActorUserAadId,string,Optional,UserManagement,,,
 ActorUserId,string,Optional,AuditEvent,,,
 ActorUserId,string,Optional,Authentication,,,
 ActorUserId,string,Optional,UserManagement,,,
@@ -94,6 +98,7 @@ ActorUserPuid,string,Optional,FileEvent,,,
 ActorUserSid,string,Optional,AuditEvent,,,
 ActorUserSid,string,Optional,FileEvent,,,
 ActorUserSid,string,Optional,ProcessEvent,,,
+ActorUserSid,string,Optional,UserManagement,,,
 ActorUserType,string,Optional,AuditEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
 ActorUserType,string,Optional,Authentication,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
 ActorUserType,string,Optional,FileEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
@@ -367,7 +372,7 @@ DvcIpAddr,string,Recommended,ProcessEvent,IP Address,,
 DvcIpAddr,string,Recommended,RegistryEvent,IP Address,,
 DvcIpAddr,string,Recommended,UserManagement,,,
 DvcIpAddr,string,Recommended,WebSession,IP Address,,
-DvcMacAddr,MAC address,Optional,UserManagement,,,
+DvcMacAddr,string,Optional,UserManagement,MAC address,,
 DvcMacAddr,string,Optional,AuditEvent,MAC address,,
 DvcMacAddr,string,Optional,Authentication,MAC address,,
 DvcMacAddr,string,Optional,Common,MAC address,,
@@ -868,6 +873,7 @@ SrcDescription,string,Optional,FileEvent,,,
 SrcDescription,string,Optional,NetworkSession,,,
 SrcDescription,string,Optional,RegistryEvent,,,
 SrcDescription,string,Optional,WebSession,,,
+SrcDescription,string,Optional,UserManagement,,,
 SrcDeviceType,string,Optional,AuditEvent,Enumerated,Computer|Mobile Device|IOT Device|Other,
 SrcDeviceType,string,Optional,Authentication,Enumerated,Computer|Mobile Device|IOT Device|Other,
 SrcDeviceType,string,Optional,Dhcp,Enumerated,Computer|Mobile Device|IOT Device|Other,
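Review bot: In the `@@ -367,7 +372,7 @@` hunk the context row two lines above the fix, `DvcIpAddr,string,Recommended,UserManagement,,,`, still has an empty format column while every sibling `DvcIpAddr` row carries `IP Address`. That is pre-existing rather than introduced here, but if the tester uses the format column to validate values, as the `MAC address` correction in this hunk suggests, the UserManagement row skips the IP-address check the other schemas get. Changing it to `DvcIpAddr,string,Recommended,UserManagement,IP Address,,` would make the five rows consistent in the same commit that fixes `DvcMacAddr`.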
@@ -941,35 +947,35 @@ SrcFQDN,string,Optional,FileEvent,,,
 SrcFQDN,string,Optional,NetworkSession,FQDN,,
 SrcFQDN,string,Optional,UserManagement,,,
 SrcFQDN,string,Optional,WebSession,FQDN,,
-SrcGeoCity,City,Optional,UserManagement,,,
+SrcGeoCity,string,Optional,UserManagement,City,,
 SrcGeoCity,string,Optional,AuditEvent,City,,
 SrcGeoCity,string,Optional,Authentication,City,,
 SrcGeoCity,string,Optional,Dns,City,,
 SrcGeoCity,string,Optional,FileEvent,City,,
 SrcGeoCity,string,Optional,NetworkSession,City,,
 SrcGeoCity,string,Optional,WebSession,City,,
-SrcGeoCountry,Country,Optional,UserManagement,,,
+SrcGeoCountry,string,Optional,UserManagement,Country,,
 SrcGeoCountry,string,Optional,AuditEvent,Country,,
 SrcGeoCountry,string,Optional,Authentication,Country,,
 SrcGeoCountry,string,Optional,Dns,Country,,
 SrcGeoCountry,string,Optional,FileEvent,Country,,
 SrcGeoCountry,string,Optional,NetworkSession,Country,,
 SrcGeoCountry,string,Optional,WebSession,Country,,
-SrcGeoLatitude,Latitude,Optional,UserManagement,,,
+SrcGeoLatitude,real,Optional,UserManagement,,,
 SrcGeoLatitude,real,Optional,AuditEvent,,,
 SrcGeoLatitude,real,Optional,Authentication,,,
 SrcGeoLatitude,real,Optional,Dns,City,,
 SrcGeoLatitude,real,Optional,FileEvent,,,
 SrcGeoLatitude,real,Optional,NetworkSession,,,
 SrcGeoLatitude,real,Optional,WebSession,,,
-SrcGeoLongitude,Longitude,Optional,UserManagement,,,
+SrcGeoLongitude,real,Optional,UserManagement,,,
 SrcGeoLongitude,real,Optional,AuditEvent,,,
 SrcGeoLongitude,real,Optional,Authentication,,,
 SrcGeoLongitude,real,Optional,Dns,,,
 SrcGeoLongitude,real,Optional,FileEvent,,,
 SrcGeoLongitude,real,Optional,NetworkSession,,,
 SrcGeoLongitude,real,Optional,WebSession,,,
-SrcGeoRegion,Region,Optional,UserManagement,,,
+SrcGeoRegion,string,Optional,UserManagement,Region,,
 SrcGeoRegion,string,Optional,AuditEvent,Region,,
 SrcGeoRegion,string,Optional,Authentication,Region,,
 SrcGeoRegion,string,Optional,Dns,Region,,
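Review bot: The context row `SrcGeoLatitude,real,Optional,Dns,City,,` in this hunk still carries `City` in the format column of a latitude field, while every other `SrcGeoLatitude` row, including the corrected UserManagement one, leaves it empty. It is pre-existing and not from this change, but it is the same type-versus-format column mix-up the hunk is correcting, so `SrcGeoLatitude,real,Optional,Dns,,,` could go in alongside. The same applies to `SrcFQDN,string,Optional,UserManagement,,,` three lines above the first change, which lacks the `FQDN` format that the NetworkSession and WebSession rows carry.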
@@ -1000,6 +1006,7 @@ SrcIsp,string,Optional,Authentication,,,
 SrcMacAddr,string,Mandatory,Dhcp,Mac Address,,
 SrcMacAddr,string,Optional,NetworkSession,MAC address,,
 SrcMacAddr,string,Optional,WebSession,MAC address,,
+SrcMacAddr,string,Optional,UserManagement,MAC address,,
 SrcNatIpAddr,string,Optional,NetworkSession,IP Address,,
 SrcNatIpAddr,string,Optional,WebSession,IP Address,,
 SrcNatPortNumber,int,Optional,NetworkSession,,,
@@ -1007,6 +1014,7 @@ SrcNatPortNumber,int,Optional,WebSession,,,
 SrcOriginalRiskLevel,string,Optional,AuditEvent,,,
 SrcOriginalRiskLevel,string,Optional,Authentication,,,
 SrcOriginalRiskLevel,string,Optional,Dns,,,
+SrcOriginalRiskLevel,string,Optional,UserManagement,,,
 SrcOriginalUserType,string,Optional,Dhcp,,,
 SrcOriginalUserType,string,Optional,Dns,,,
 SrcOriginalUserType,string,Optional,NetworkSession,,,
@@ -1019,6 +1027,7 @@ SrcPortNumber,int,Optional,Dns,,,
 SrcPortNumber,int,Optional,FileEvent,,,
 SrcPortNumber,int,Optional,NetworkSession,,,
 SrcPortNumber,int,Optional,WebSession,,,
+SrcPortNumber,int,Optional,UserManagement,,,
 SrcProcessGuid,string,Optional,Dns,GUID,,
 SrcProcessGuid,string,Optional,NetworkSession,,,
 SrcProcessId,string,Optional,Dns,,,
@@ -1028,6 +1037,7 @@ SrcProcessName,string,Optional,NetworkSession,,,
 SrcRiskLevel,int,Optional,AuditEvent,,,
 SrcRiskLevel,int,Optional,Authentication,,,
 SrcRiskLevel,int,Optional,Dns,,,
+SrcRiskLevel,int,Optional,UserManagement,,,
 SrcScopeId,string,Optional,NetworkSession,,,
 SrcUserAadId,string,Optional,Dns,,,
 SrcUserAWSId,string,Optional,Dns,,,
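Review bot: The added `SrcMacAddr,string,Optional,UserManagement,MAC address,,` row uses the `MAC address` spelling shared by the NetworkSession and WebSession rows, but the Dhcp context row directly above it spells the format `Mac Address`. If the tester matches format names case-sensitively, which I cannot confirm from this file, the Dhcp row is silently getting no MAC validation; it is pre-existing, but normalising it to `SrcMacAddr,string,Mandatory,Dhcp,MAC address,,` here would close that gap. The new UserManagement rows in these four hunks are appended after the WebSession rows rather than in the alphabetical schema order the rest of the file keeps; a consistent placement makes future diffs easier to read.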
@@ -1162,6 +1172,7 @@ TargetUserAadId,string,Optional,ProcessEvent,,,
 TargetUserId,string,Optional,Authentication,,,
 TargetUserId,string,Optional,UserManagement,,,
 TargetUserId,string,Recommended,ProcessEvent,,,
+TargetUserUid,string,Optional,UserManagement,,,
 TargetUserIdType,string,Conditional,Authentication,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|GWorkspaceProfileID|Other,TargetUserId
 TargetUserIdType,string,Conditional,ProcessEvent,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
 TargetUserIdType,string,Conditional,UserManagement,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
@@ -1172,9 +1183,12 @@ TargetUsernameType,string,Conditional,Authentication,Enumerated,UPN|Windows|DN|S
 TargetUsernameType,string,Conditional,ProcessEvent,Enumerated,UPN|Windows|DN|Simple,TargetUsername
 TargetUsernameType,string,Conditional,UserManagement,Enumerated,UPN|Windows|DN|Simple,TargetUsername
 TargetUserScope,string,Optional,Authentication,,,
+TargetUserScope,string,Optional,UserManagement,,,
 TargetUserScopeId,string,Optional,Authentication,,,
+TargetUserScopeId,string,Optional,UserManagement,,,
 TargetUserSessionGuid,string,Optional,ProcessEvent,,,
 TargetUserSessionId,string,Optional,ProcessEvent,,,
+TargetUserSessionId,string,Optional,UserManagement,,,
 TargetUserSid,string,Optional,ProcessEvent,,,
 TargetUserType,string,Optional,Authentication,,Regular|Guest|Machine|Admin|System|Application|Service|Other,
 TargetUserType,string,Optional,ProcessEvent,Enumerated,Regular|Guest|Machine|Admin|System|Application|Service|Other,
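Review bot: The added row `TargetUserUid,string,Optional,UserManagement,,,` in the `@@ -1162,6 +1172,7 @@` hunk introduces a field name that appears in no other schema row visible here; its neighbours are all `TargetUserId`, and the `TargetUserIdType` rows below treat `UID` as an allowed value of the id-type column rather than as a separate field. If this was meant to be `TargetUserId` it duplicates the existing `TargetUserId,string,Optional,UserManagement,,,` row two lines above and should be removed; if `TargetUserUid` is a genuine UserManagement field, a pointer to where the schema defines it would help the reviewer. In the `@@ -1172,9 +1183,12 @@` hunk the context row `TargetUserType,string,Optional,Authentication,,Regular|Guest|...` has an empty format column where the ProcessEvent row below it says `Enumerated`; pre-existing, but the tester may not apply the enumeration check without it.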
@@ -1313,6 +1327,7 @@ TimeGenerated,datetime,Mandatory,NetworkSession,,,
 TimeGenerated,datetime,Mandatory,ProcessEvent,,,
 TimeGenerated,datetime,Mandatory,RegistryEvent,,,
 TimeGenerated,datetime,Mandatory,WebSession,,,
+TimeGenerated,datetime,Mandatory,UserManagement,,,
 TransactionIdHex,string,Recommended,Dns,Hexadecimal,,
 Type,string,Mandatory,AuditEvent,,,
 Type,string,Mandatory,Authentication,,,