Adding new fields to ASIM Schema #9717

Merged
merged 9 commits into from
Jan 22, 2024
7 changes: 7 additions & 0 deletions ASIM/dev/ASimTester/ASimTester.csv
Expand Up @@ -10,6 +10,9 @@ ActingAppType,string,Optional,AuditEvent,Enumerated,Process|Service|Resource|URL
ActingAppType,string,Optional,Authentication,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
ActingAppType,string,Optional,FileEvent,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
ActingAppType,string,Optional,UserManagement,Enumerated,Process|Service|Resource|URL|SaaS application|CSP|Other,
ActingOriginalAppType,string,Optional,AuditEvent,,,
ActingOriginalAppType,string,Optional,UserManagement,,,
ActingOriginalAppType,string,Optional,Authentication,,,
ActingProcessCommandLine,string,Optional,FileEvent,,,
ActingProcessCommandLine,string,Optional,ProcessEvent,,,
ActingProcessCreationTime,datetime,Optional,ProcessEvent,,,
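Review bot: ActingOriginalAppType is declared for AuditEvent, UserManagement and Authentication but not for FileEvent, although the normalized field it mirrors, ActingAppType, is declared for all four schemas (the FileEvent row sits two lines above the insertion). Either add `ActingOriginalAppType,string,Optional,FileEvent,,,` or state why FileEvent is left out. Listing the new rows in the same schema order as the ActingAppType rows (AuditEvent, Authentication, FileEvent, UserManagement) would also let the two groups be compared line by line.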
Expand Down Expand Up @@ -772,6 +775,7 @@ NewValue,string,Recommended,AuditEvent,,,
Object,string,Recommended,AuditEvent,,,
ObjectId,string,Recommended,AuditEvent,,,
ObjectType,string,Related,AuditEvent,Enumerated,Configuration Atom|Policy Rule|Event Log|Scheduled Task|Service|Directory Service Object|Other,
OriginalObjectType,string,Optional,AuditEvent,,,
OldValue,string,Optional,AuditEvent,,,
Operation,string,Mandatory,AuditEvent,,,
OuterVlanId,string,Alias,NetworkSession,,,DstVlanId
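Review bot: the new OriginalObjectType row is inserted between ObjectType and OldValue, which breaks the alphabetical ordering the surrounding rows follow (ObjectType, OldValue, Operation, OuterVlanId); placing it after Operation keeps the file sorted and the field easy to find. The Optional class agrees with the field definition added to ASimAuditEvent.yaml in this PR.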
Expand Down Expand Up @@ -1066,6 +1070,9 @@ TargetAppName,string,Optional,FileEvent,,,
TargetAppType,string,Conditional,AuditEvent,Enumerated,Process|Service|Resource|URL|SaaS application|Other,TargetAppName
TargetAppType,string,Conditional,Authentication,Enumerated,Process|Service|Resource|URL|SaaS application|Other,TargetAppName
TargetAppType,string,Conditional,FileEvent,Enumerated,Process|Service|Resource|URL|SaaS application|Other,TargetAppName
TargetOriginalAppType,string,Optional,AuditEvent,,,
TargetOriginalAppType,string,Optional,FileEvent,,,
TargetOriginalAppType,string,Optional,Authentication,,,
TargetDescription,string,Optional,AuditEvent,,,
TargetDescription,string,Optional,Authentication,,,
TargetDeviceType,string,Optional,AuditEvent,Enumerated,Computer|Mobile Device|IOT Device|Other,
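Review bot: same ordering issue as the other ASimTester.csv hunks: TargetOriginalAppType is placed between TargetAppType and TargetDescription, ahead of its alphabetical position, and the three rows run AuditEvent, FileEvent, Authentication while the TargetAppType rows above run AuditEvent, Authentication, FileEvent. Reordering to match the existing rows avoids a spurious difference whenever the two field groups are diffed against each other.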
5 changes: 5 additions & 0 deletions ASIM/schemas/ASimAuditEvent.yaml
Expand Up @@ -116,6 +116,11 @@ Fields:
Description:
Related to: Object

- Name: OriginalObjectType
Type: string
Class: Optional
Description: The object type as reported by the reporting device.

- Name: OldValue
Type: string
Class: Optional
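Review bot: the new OriginalObjectType entry does not say which normalized field it is the raw form of; the neighbouring entry uses `Related to: Object` for exactly this, so add `Related to: ObjectType` (or state in the Description that ObjectType holds the normalized, enumerated value mapped from this field). Consumers then know that detections should key on ObjectType's enumerated values and treat OriginalObjectType as an opaque vendor string. The wording "as reported by the reporting device" also reads awkwardly; "as reported by the source, before normalization" says the same thing more clearly.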
5 changes: 5 additions & 0 deletions ASIM/schemas/entities/ASimApp.yaml
Expand Up @@ -18,6 +18,11 @@ Fields:
Follows: <<Role>>AppName
Description: The type of the application.

- Name: <<Role>>OriginalAppType
Type: string
Class: Optional
Description: The application type as reported by the reporting device.

- Name: <<Role>>Url
Type: string
Class: Optional
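Review bot: the new <<Role>>OriginalAppType entry has no `Follows:` line, while the <<Role>>AppType entry directly above declares `Follows: <<Role>>AppName`; adding `Follows: <<Role>>AppType` keeps the raw value next to its normalized counterpart wherever this entity template is expanded. Since the template is presumably expanded once per role (Acting, Target), this one change is what produces ActingOriginalAppType and TargetOriginalAppType in every schema that uses the app entity, so the ASimTester.csv rows in this PR should cover the same set of schemas for both roles (the Acting rows there omit FileEvent).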
Expand Up @@ -35,7 +35,7 @@
"displayName": "Audit event ASIM schema function",
"category": "ASIM",
"FunctionAlias": "vimAuditEventEmpty",
"query": "let EmptyAuditEvents =datatable (\n ActorUserType:string,\n ActorUsernameType:string,\n ActorUserIdType:string,\n EventResult:string,\n EventType:string,\n EventSchema:string,\n ValueType:string,\n EventSeverity:string,\n EventVendor:string,\n EventProduct:string,\n SrcDvcIdType:string,\n TargetDvcIdType:string,\n SrcDomainType:string,\n TargetDomainType:string,\n SrcDeviceType:string,\n TargetDeviceType:string,\n ObjectType:string,\n TargetAppType:string,\n ActingAppType:string,\n ThreatConfidence:int,\n SrcGeoCountry:string,\n TargetGeoCountry:string,\n EventSubType:string,\n EventResultDetails:string,\n SrcHostname:string,\n TargetHostname:string,\n SrcIpAddr:string,\n TargetIpAddr:string,\n SrcGeoRegion:string,\n SrcGeoCity:string,\n TargetGeoRegion:string,\n TargetGeoCity:string,\n ThreatRiskLevel:int,\n EventSchemaVersion:string,\n EventReportUrl:string,\n User:string,\n ActorUsername:string,\n Application:string,\n Process:string,\n Operation:string,\n Object:string,\n ObjectId:string,\n OldValue:string,\n NewValue:string,\n Value:string,\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n AdditionalFields:dynamic,\n EventMessage:string,\n EventCount:int,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventProductVersion:string,\n EventOwner:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatOriginalRiskLevel:string,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatIpAddr:string,\n ThreatField:string,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ActorUserId:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorOriginalUserType:string,\n ActorSessionId:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetUrl:string,\n ActingAppId:string,\n 
ActingAppName:string,\n HttpUserAgent:string,\n Src:string,\n SrcPortNumber:int,\n SrcDomain:string,\n SrcFQDN:string,\n SrcDvcDescription:string,\n SrcDvcId:string,\n SrcDvcScopeId:string,\n SrcDvcScope:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n Dst:string,\n TargetPortNumber:int,\n TargetDomain:string,\n TargetFQDN:string,\n TargetDvcDescription:string,\n TargetDvcId:string,\n TargetDvcScopeId:string,\n TargetDvcScope:string,\n TargetGeoLatitude:real,\n TargetGeoLongitude:real\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n)[];\nEmptyAuditEvents",
"query": "let EmptyAuditEvents =datatable (\n ActorUserType:string,\n ActorUsernameType:string,\n ActorUserIdType:string,\n EventResult:string,\n EventType:string,\n EventSchema:string,\n ValueType:string,\n EventSeverity:string,\n EventVendor:string,\n EventProduct:string,\n SrcDvcIdType:string,\n TargetDvcIdType:string,\n SrcDomainType:string,\n TargetDomainType:string,\n SrcDeviceType:string,\n TargetDeviceType:string,\n ObjectType:string,\n OriginalObjectType:string,\n TargetAppType:string,\n TargetOriginalAppType:string,\n ActingAppType:string,\n ActingOriginalAppType:string,\n ThreatConfidence:int,\n SrcGeoCountry:string,\n TargetGeoCountry:string,\n EventSubType:string,\n EventResultDetails:string,\n SrcHostname:string,\n TargetHostname:string,\n SrcIpAddr:string,\n TargetIpAddr:string,\n SrcGeoRegion:string,\n SrcGeoCity:string,\n TargetGeoRegion:string,\n TargetGeoCity:string,\n ThreatRiskLevel:int,\n EventSchemaVersion:string,\n EventReportUrl:string,\n User:string,\n ActorUsername:string,\n Application:string,\n Process:string,\n Operation:string,\n Object:string,\n ObjectId:string,\n OldValue:string,\n NewValue:string,\n Value:string,\n TimeGenerated:datetime,\n _ResourceId:string,\n Type:string,\n AdditionalFields:dynamic,\n EventMessage:string,\n EventCount:int,\n EventStartTime:datetime,\n EventEndTime:datetime,\n EventOriginalUid:string,\n EventOriginalType:string,\n EventOriginalSubType:string,\n EventOriginalResultDetails:string,\n EventOriginalSeverity:string,\n EventProductVersion:string,\n EventOwner:string,\n Rule:string,\n RuleName:string,\n RuleNumber:int,\n ThreatId:string,\n ThreatName:string,\n ThreatCategory:string,\n ThreatOriginalRiskLevel:string,\n ThreatOriginalConfidence:string,\n ThreatIsActive:bool,\n ThreatIpAddr:string,\n ThreatField:string,\n ThreatFirstReportedTime:datetime,\n ThreatLastReportedTime:datetime,\n ActorUserId:string,\n ActorScopeId:string,\n ActorScope:string,\n ActorOriginalUserType:string,\n 
ActorSessionId:string,\n TargetAppId:string,\n TargetAppName:string,\n TargetUrl:string,\n ActingAppId:string,\n ActingAppName:string,\n HttpUserAgent:string,\n Src:string,\n SrcPortNumber:int,\n SrcDomain:string,\n SrcFQDN:string,\n SrcDvcDescription:string,\n SrcDvcId:string,\n SrcDvcScopeId:string,\n SrcDvcScope:string,\n SrcGeoLatitude:real,\n SrcGeoLongitude:real,\n Dst:string,\n TargetPortNumber:int,\n TargetDomain:string,\n TargetFQDN:string,\n TargetDvcDescription:string,\n TargetDvcId:string,\n TargetDvcScopeId:string,\n TargetDvcScope:string,\n TargetGeoLatitude:real,\n TargetGeoLongitude:real\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n)[];\nEmptyAuditEvents",
"version": 1
}
}
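Review bot: the final column of the datatable is spelled `DvcScopeOd:string` in both the old and the new query; every other scope-id column on the same line is spelled `...ScopeId` (SrcDvcScopeId, TargetDvcScopeId), so this looks like a pre-existing typo for `DvcScopeId`. It is not introduced here, but it deserves a follow-up fix, because a column named DvcScopeOd will never line up with parsers that emit DvcScopeId in the union. Otherwise the three new columns (OriginalObjectType, TargetOriginalAppType, ActingOriginalAppType) sit next to their normalized counterparts in the same positions as in vimAuditEventEmpty.yaml, so the generated template and the YAML source stay in sync.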
3 changes: 3 additions & 0 deletions Parsers/ASimAuditEvent/Parsers/vimAuditEventEmpty.yaml
Expand Up @@ -35,8 +35,11 @@ ParserQuery: |
SrcDeviceType:string,
TargetDeviceType:string,
ObjectType:string,
OriginalObjectType:string,
TargetAppType:string,
TargetOriginalAppType:string,
ActingAppType:string,
ActingOriginalAppType:string,
ThreatConfidence:int,
SrcGeoCountry:string,
TargetGeoCountry:string,
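Review bot: only the AuditEvent empty parser gains the new columns, but ASimTester.csv in this PR also declares TargetOriginalAppType and ActingOriginalAppType for the Authentication and FileEvent schemas (and ActingOriginalAppType for UserManagement); the empty parsers for those schemas are not touched anywhere in this diff. If the tester checks parser output against the csv, those schemas will either fail validation or silently lack the columns in their `union isfuzzy=true` results (vimAuthenticationEmpty is the first member of the ASimAuthentication union further down). Either update the other vim*Empty parsers and their generated JSON in the same change, or limit the csv rows to AuditEvent until the other schemas are versioned.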
Expand Up @@ -35,7 +35,7 @@
"displayName": "Authentication ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAuthentication",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
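Review bot: the exclusion key for the new CrowdStrike entry does not match the parser name. The function is ASimAuthenticationCrowdStrikeFalconHost, but the watchlist test is `'ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers)`, whereas every other entry, including the new `'ExcludeASimAuthenticationSentinelOne'`, uses "ExcludeASimAuthentication" followed by the parser's own suffix. An operator who follows that convention and adds ExcludeASimAuthenticationCrowdStrikeFalconHost to the ASimDisabledParsers watchlist would find the parser still running; use `'ExcludeASimAuthenticationCrowdStrikeFalconHost'` unless the shorter key is intentional and documented. Separately, adding two source-specific parsers to the union is outside the scope suggested by the PR title (new schema fields); a separate PR would make both changes easier to review and to revert independently.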
@@ -0,0 +1,46 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces",
"apiVersion": "2017-03-15-preview",
"name": "[parameters('Workspace')]",
"location": "[parameters('WorkspaceRegion')]",
"resources": [
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "ASimAuthenticationCrowdStrikeFalconHost",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationCrowdStrikeFalconHost",
"query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n 
Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message\n};\nparser(disabled=disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
}
]
}
]
}
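Review bot: the outcome mapping `EventResult = iff(EventOutcome == "true", "Success", "Failure")` classifies every value other than the exact lower-case string "true" as a failure, including an empty or missing EventOutcome, and KQL `==` is case-sensitive, so a source that emits "True" would turn every successful logon into a failed one and inflate any failed-authentication detection built on this parser. Prefer a case-insensitive comparison (`=~`) and an explicit case expression: empty EventOutcome maps to an empty EventResult, "true" to "Success", "false" to "Failure", so unknown outcomes are visible rather than miscounted. The hard-coded `EventSchemaVersion = "0.1.3"` should also be checked against the Authentication schema version under which the new TargetOriginalAppType field from this PR is published, since the parser is being added in the same change.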