From 28d902625e013e2929095ee0cc3885c21315452b Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Tue, 9 Jun 2026 15:59:41 -0700 Subject: [PATCH 01/30] Test workflow? --- .../workflows/asimFileAndParserValidation.yml | 141 ++++++++++++++++++ .../ASimAuthenticationTestProduct.yaml | 31 ++++ 2 files changed, 172 insertions(+) create mode 100644 .github/workflows/asimFileAndParserValidation.yml create mode 100644 Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml new file mode 100644 index 00000000000..99dbc45ee1b --- /dev/null +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -0,0 +1,141 @@ +name: New ASIM File and Parser Validation + +on: + pull_request: + types: [opened, labeled, unlabeled, synchronize] + +permissions: + contents: read + pull-requests: read + +jobs: + check-asim-label: + runs-on: ubuntu-latest + steps: + - name: Check for ASIM label + id: check-label + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + with: + script: | + const labels = context.payload.pull_request.labels.map(l => l.name); + if (labels.includes('ASIM')) { + core.info('PR has the ASIM label.'); + core.setOutput('has_label', 'true'); + } else { + core.info('PR does not have the ASIM label. Skipping workflow.'); + core.setOutput('has_label', 'false'); + } + + - name: Get changed files + if: steps.check-label.outputs.has_label == 'true' + id: changed-files + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + with: + script: | + const files = []; + let page = 1; + while (true) { + const response = await github.rest.pulls.listFiles({ + owner: context.repo.owner, + repo: context.repo.repo, + pull_number: context.payload.pull_request.number, + per_page: 100, + page: page + }); + files.push(...response.data); + if (response.data.length < 100) break; + page++; + } + const allFiles = files.map(f => f.filename); + const newFiles = files.filter(f => f.status === 'added').map(f => f.filename); + const parserPattern = /^Parsers\/ASim\w+\/Parsers\/.+\.yaml$/; + const asimYamlFiles = allFiles.filter(f => parserPattern.test(f)); + const newAsimYamlFiles = newFiles.filter(f => parserPattern.test(f)); + core.info(`Changed files (${allFiles.length}):`); + allFiles.forEach(f => core.info(` - ${f}`)); + core.info(`ASIM YAML files (${asimYamlFiles.length}):`); + asimYamlFiles.forEach(f => core.info(` - ${f}`)); + core.info(`New files (${newFiles.length}):`); + newFiles.forEach(f => core.info(` - ${f}`)); + core.setOutput('files', JSON.stringify(allFiles)); + core.setOutput('new_files', JSON.stringify(newFiles)); + core.setOutput('asim_yaml_files', JSON.stringify(asimYamlFiles)); + core.setOutput('has_new_files', newFiles.length > 0 ? 'true' : 'false'); + core.setOutput('has_asim_yaml_files', asimYamlFiles.length > 0 ? 'true' : 'false'); + + - name: Validate new file paths + if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_new_files == 'true' + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + with: + script: | + const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); + const allFiles = JSON.parse('${{ steps.changed-files.outputs.files }}'); + const errors = []; + + // 1. Validate new YAML files are in Parsers/ASim/Parsers/ + const parserPattern = /^Parsers\/(ASim\w+)\/Parsers\/(.+\.yaml)$/; + const newYamlFiles = newFiles.filter(f => parserPattern.test(f)); + const invalidNewFiles = newFiles.filter(f => f.endsWith('.yaml') && !parserPattern.test(f)); + + if (invalidNewFiles.length > 0) { + errors.push(`New YAML files not in expected directory (Parsers/ASim/Parsers/):\n${invalidNewFiles.map(f => ' - ' + f).join('\n')}`); + } + + if (newYamlFiles.length !== 2) { + errors.push(`Expected exactly 2 new YAML files in Parsers/ASim/Parsers/, found ${newYamlFiles.length}.`); + } + + // 2. Extract schema from the directory name + const schemas = new Set(newYamlFiles.map(f => { + const match = f.match(parserPattern); + return match ? match[1] : null; + }).filter(Boolean)); + + if (schemas.size > 1) { + errors.push(`New YAML files span multiple schemas: ${[...schemas].join(', ')}. Expected a single schema.`); + } + + const schema = [...schemas][0]; + if (schema) { + const schemaName = schema.replace(/^ASim/, ''); + core.info(`Detected schema: ${schemaName} (directory: ${schema})`); + + // 3. Check that ASim.yaml and im.yaml are modified + const expectedEdited = [ + `Parsers/${schema}/Parsers/${schema}.yaml`, + `Parsers/${schema}/Parsers/im${schemaName}.yaml` + ]; + const modifiedFiles = allFiles.filter(f => !newFiles.includes(f)); + for (const expected of expectedEdited) { + if (!modifiedFiles.includes(expected)) { + errors.push(`Expected modified file not found: ${expected}`); + } + } + + // 4. Check that new CHANGELOG md files exist (same name as new yaml files) + const newYamlBasenames = newYamlFiles.map(f => f.match(parserPattern)[2].replace('.yaml', '')); + const expectedNewChangelogs = newYamlBasenames.map(name => `Parsers/${schema}/CHANGELOG/${name}.md`); + for (const expected of expectedNewChangelogs) { + if (!newFiles.includes(expected)) { + errors.push(`Expected new CHANGELOG file not found: ${expected}`); + } + } + + // 5. Check that ASim.md and im.md in CHANGELOG are modified + const expectedEditedChangelogs = [ + `Parsers/${schema}/CHANGELOG/${schema}.md`, + `Parsers/${schema}/CHANGELOG/im${schemaName}.md` + ]; + for (const expected of expectedEditedChangelogs) { + if (!modifiedFiles.includes(expected)) { + errors.push(`Expected modified CHANGELOG file not found: ${expected}`); + } + } + } + + if (errors.length > 0) { + errors.forEach(e => core.error(e)); + core.setFailed('PR file validation failed. See errors above.'); + } else { + core.info('All file validations passed.'); + } diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml new file mode 100644 index 00000000000..1710d4cd35c --- /dev/null +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml @@ -0,0 +1,31 @@ +Parser: + Title: Authentication ASIM parser for TestProduct + Version: '0.1.0' + LastUpdated: Mar 11, 2026 +Product: + Name: TestProduct +Normalization: + Schema: Authentication + Version: '0.1.3' +References: + - Title: ASIM Authentication Schema + Link: https://aka.ms/ASimAuthenticationDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + TEST DESCRIPTION +ParserName: ASimAuthenticationTestProduct +EquivalentBuiltInParser: _ASim_Authentication_TestProduct +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser = (disabled: bool) { + // Your parser logic here + TestProduct + | where not(disabled) + | project + TimeGenerated, Type + }; + parser(disabled = disabled) \ No newline at end of file From 0ca5e3ddb7b801a836879ea9245732ba2ffb3fab Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Tue, 9 Jun 2026 23:07:13 +0000 Subject: [PATCH 02/30] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthenticationTestProduct.json | 36 +++++++++++++++++++ .../ASimAuthenticationTestProduct/README.md | 21 +++++++++++ .../ARM/FullDeploymentAuthentication.json | 20 +++++++++++ 3 files changed, 77 insertions(+) create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json new file mode 100644 index 00000000000..81617739c2b --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json @@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimAuthenticationTestProduct')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for TestProduct", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationTestProduct", + "query": "let parser = (disabled: bool) {\n // Your parser logic here\n TestProduct\n | where not(disabled)\n | project\n TimeGenerated, Type\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md new file mode 100644 index 00000000000..9076173c326 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md @@ -0,0 +1,21 @@ +# TestProduct ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for TestProduct. + +TEST DESCRIPTION + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +For the changelog, see: +- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationTestProduct%2FASimAuthenticationTestProduct.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationTestProduct%2FASimAuthenticationTestProduct.json) diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 0f66a239e44..255a84abbc9 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json @@ -698,6 +698,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationTestProduct", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", From 7b7414235b61c8f36a28992f9bd7b463fb8ebbae Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Tue, 9 Jun 2026 16:08:49 -0700 Subject: [PATCH 03/30] Add necessary files --- .../CHANGELOG/ASimAuthentication.md | 4 ++ .../ASimAuthenticationTestProduct.md | 5 ++ .../CHANGELOG/imAuthentication.md | 4 ++ .../CHANGELOG/vimAuthenticationTestProduct.md | 5 ++ .../Parsers/ASimAuthentication.yaml | 4 +- .../Parsers/imAuthentication.yaml | 4 +- .../Parsers/vimAuthenticationTestProduct.yaml | 61 +++++++++++++++++++ 7 files changed, 85 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md create mode 100644 Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md create mode 100644 Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md index ab08dac1d76..c3fef0705b9 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md @@ -1,5 +1,9 @@ # Changelog for ASimAuthentication.yaml +## Version 0.2.16 + +- Test + ## Version 0.2.15 - (2026-04-13) ASIM Authentication Parser for VMware ESXi - [PR #13989](https://github.com/Azure/Azure-Sentinel/pull/13989) diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md new file mode 100644 index 00000000000..2b27a97183e --- /dev/null +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md @@ -0,0 +1,5 @@ +# Changelog for ASimAuthenticationTestProduct.yaml + +## Version 0.1.0 + +- Test \ No newline at end of file diff --git a/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md b/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md index c8497c1151a..175a78e0cd9 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md +++ b/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md @@ -1,5 +1,9 @@ # Changelog for imAuthentication.yaml +## Version 0.3.13 + +- Test + ## Version 0.3.12 - (2026-05-05) ASIM Authentication Parser for VMware ESXi - [PR #13989](https://github.com/Azure/Azure-Sentinel/pull/13989) diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md new file mode 100644 index 00000000000..c50334a1d89 --- /dev/null +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md @@ -0,0 +1,5 @@ +# Changelog for vimAuthenticationTestProduct.yaml + +## Version 0.1.0 + +- Test \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 9abd7c0c154..37213bb57b9 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -61,7 +61,8 @@ ParserQuery: | ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )), ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack), ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack), - ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack) + ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack), + ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack), Parsers: - _Im_Authentication_Empty - _ASim_Authentication_AADManagedIdentitySignInLogs @@ -102,3 +103,4 @@ Parsers: - _ASim_Authentication_Native - _ASim_Authentication_VMwareESXi - _ASim_Authentication_PaloAltoGlobalProtect + - _ASim_Authentication_TestProduct diff --git a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml index 1f1c4546338..66e2e768e80 100644 --- a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml @@ -90,6 +90,7 @@ ParserQuery: | , vimAuthenticationVMwareESXi (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareESXi' in (DisabledParsers) )), pack=pack) , vimAuthenticationPaloAltoPanOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )), pack=pack) , vimAuthenticationPaloAltoGlobalProtect (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) )), pack=pack) + , vimAuthenticationTestProduct (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationTestProduct' in (DisabledParsers) )), pack=pack) }; Generic(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack) Parsers: @@ -130,4 +131,5 @@ Parsers: - _Im_Authentication_CrowdStrikeFalconHost - _Im_Authentication_IllumioSaaSCore - _Im_Authentication_Native - - _Im_Authentication_VMwareESXi \ No newline at end of file + - _Im_Authentication_VMwareESXi + - _Im_Authentication_TestProduct \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml new file mode 100644 index 00000000000..0a37adeca79 --- /dev/null +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml @@ -0,0 +1,61 @@ +Parser: + Title: Authentication filter ASIM parser for TestProduct + Version: '0.1.0' + LastUpdated: Mar 11, 2026 +Product: + Name: TestProduct +Normalization: + Schema: Authentication + Version: '0.1.3' +References: + - Title: ASIM Authentication Schema + Link: https://aka.ms/ASimAuthenticationDoc + - Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + TEST DESCRIPTION +ParserName: vimAuthenticationTestProduct +EquivalentBuiltInParser: _Im_Authentication_TestProduct +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: username_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetappname_has_any + Type: dynamic + Default: dynamic([]) + - Name: srcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: srchostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventtype_in + Type: dynamic + Default: dynamic([]) + - Name: eventresultdetails_in + Type: dynamic + Default: dynamic([]) + - Name: eventresult + Type: string + Default: '*' + - Name: disabled + Type: bool + Default: false + - Name: pack + Type: bool + Default: false +ParserQuery: | + let parser = (disabled: bool) { + // Your parser logic here + TestProduct + | where not(disabled) + | project + TimeGenerated, Type + }; + parser(disabled = disabled) \ No newline at end of file From c4d7544e8ca6a3542aa3cac46a66f485fb0f6cbb Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Tue, 9 Jun 2026 16:13:00 -0700 Subject: [PATCH 04/30] Remove md file for test --- .../CHANGELOG/ASimAuthenticationTestProduct.md | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md deleted file mode 100644 index 2b27a97183e..00000000000 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md +++ /dev/null @@ -1,5 +0,0 @@ -# Changelog for ASimAuthenticationTestProduct.yaml - -## Version 0.1.0 - -- Test \ No newline at end of file From 527b04b95809f5337e9b01a244476d1ec2c7e3bc Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Tue, 9 Jun 2026 23:20:17 +0000 Subject: [PATCH 05/30] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- .../ARM/FullDeploymentAuthentication.json | 20 +++++++++++ .../imAuthentication/imAuthentication.json | 2 +- .../vimAuthenticationTestProduct/README.md | 21 +++++++++++ .../vimAuthenticationTestProduct.json | 36 +++++++++++++++++++ 5 files changed, 79 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index f860bd49296..56cd04c140d 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json @@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack),\n ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack),\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 255a84abbc9..8067d58110c 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json @@ -1498,6 +1498,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationTestProduct", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index d4dbabeada1..360c78b9560 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json @@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaSystemLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSystemLogs' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoDNAC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoDNAC' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoIOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoIOS' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationCiscoISEAdministrator (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISEAdministrator' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationVMwareVCenter (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) )))\n , vimAuthenticationFortinetFortigate (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )))\n , vimAuthenticationVMwareESXi (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareESXi' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoPanOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoGlobalProtect (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) )), pack=pack)\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaSystemLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSystemLogs' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoDNAC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoDNAC' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoIOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoIOS' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationCiscoISEAdministrator (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISEAdministrator' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationVMwareVCenter (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) )))\n , vimAuthenticationFortinetFortigate (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )))\n , vimAuthenticationVMwareESXi (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareESXi' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoPanOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoGlobalProtect (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationTestProduct (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationTestProduct' in (DisabledParsers) )), pack=pack)\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md new file mode 100644 index 00000000000..f54f1872eee --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md @@ -0,0 +1,21 @@ +# TestProduct ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for TestProduct. + +TEST DESCRIPTION + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +For the changelog, see: +- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationTestProduct%2FvimAuthenticationTestProduct.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationTestProduct%2FvimAuthenticationTestProduct.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json new file mode 100644 index 00000000000..c4ca53305e8 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json @@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationTestProduct')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "Authentication filter ASIM parser for TestProduct", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationTestProduct", + "query": "let parser = (disabled: bool) {\n // Your parser logic here\n TestProduct\n | where not(disabled)\n | project\n TimeGenerated, Type\n};\nparser(disabled = disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" + } + } + ] +} \ No newline at end of file From 9612235240dec473ecdc0d678c13d0bc96783f7f Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Tue, 9 Jun 2026 16:22:35 -0700 Subject: [PATCH 06/30] Add PR comment --- .github/workflows/asimFileAndParserValidation.yml | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 99dbc45ee1b..d8a6252010f 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -3,10 +3,11 @@ name: New ASIM File and Parser Validation on: pull_request: types: [opened, labeled, unlabeled, synchronize] + branches: [master] permissions: contents: read - pull-requests: read + pull-requests: write jobs: check-asim-label: @@ -134,8 +135,15 @@ jobs: } if (errors.length > 0) { + const body = `## ASIM File Validation Failed\n\nThe following validation errors were found:\n\n${errors.map(e => '- ' + e).join('\n')}\n\n---\n*This comment was generated automatically by the ASIM File and Parser Validation workflow.*`; + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body: body + }); errors.forEach(e => core.error(e)); - core.setFailed('PR file validation failed. See errors above.'); + core.setFailed('PR file validation failed. See PR comment for details.'); } else { core.info('All file validations passed.'); } From 594617cefc92e17bc6923ce9d28f82909657307b Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Tue, 9 Jun 2026 16:56:12 -0700 Subject: [PATCH 07/30] Add LLM step --- .../workflows/asimFileAndParserValidation.yml | 73 +++++++++++++++++++ .../ASimAuthenticationTestProduct.md | 5 ++ 2 files changed, 78 insertions(+) create mode 100644 Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index d8a6252010f..cc1e93c7636 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -8,6 +8,7 @@ on: permissions: contents: read pull-requests: write + models: read jobs: check-asim-label: @@ -147,3 +148,75 @@ jobs: } else { core.info('All file validations passed.'); } + + - name: Checkout repository + if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + uses: actions/checkout@v4 + + - name: Install js-yaml + if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + run: npm install js-yaml + + - name: Analyze YAML files with LLM + if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + script: | + const fs = require('fs'); + const yaml = require('js-yaml'); + const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); + const parserPattern = /^Parsers\/ASim\w+\/Parsers\/(.+)\.yaml$/; + const newYamlFiles = newFiles.filter(f => { + const match = f.match(parserPattern); + return match && match[1].startsWith('ASim'); + }); + + // Extract ParserQuery from the new ASim-prefixed YAML file + const parserQueries = []; + for (const filePath of newYamlFiles) { + try { + const content = fs.readFileSync(filePath, 'utf8'); + const parsed = yaml.load(content); + if (parsed && parsed.ParserQuery) { + parserQueries.push(`### ${filePath}\n\`\`\`kql\n${parsed.ParserQuery}\n\`\`\``); + } else { + core.warning(`No ParserQuery found in: ${filePath}`); + } + } catch (err) { + core.warning(`Could not read/parse file: ${filePath} - ${err.message}`); + } + } + + if (parserQueries.length === 0) { + core.info('No ParserQuery fields found in new YAML files. Skipping LLM analysis.'); + return; + } + + const prompt = `You are a KQL and ASIM (Advanced Security Information Model) expert reviewing a new parser for the Azure-Sentinel repository.\n\nHere is the ParserQuery from the new ASim-prefixed YAML file:\n\n${parserQueries.join('\n\n')}\n\nPlease:\n1. Analyze the KQL query: identify the data source, target ASIM schema, and summarize the parsing logic.\n2. Check for potential issues such as incorrect field mappings, missing required ASIM fields, inefficient KQL patterns, or logic errors.\n3. Suggest specific improvements to the query for correctness, performance, and ASIM compliance.`; + + const response = await fetch('https://models.github.ai/inference/chat/completions', { + method: 'POST', + headers: { + 'Authorization': `Bearer ${process.env.GITHUB_TOKEN}`, + 'Content-Type': 'application/json' + }, + body: JSON.stringify({ + model: 'openai/gpt-5', + messages: [ + { role: 'user', content: prompt } + ] + }) + }); + + if (!response.ok) { + const errorText = await response.text(); + core.setFailed(`LLM API call failed: ${response.status} ${errorText}`); + return; + } + + const result = await response.json(); + const analysis = result.choices[0].message.content; + core.info('LLM Analysis:\n' + analysis); + core.setOutput('analysis', analysis); diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md new file mode 100644 index 00000000000..2b27a97183e --- /dev/null +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md @@ -0,0 +1,5 @@ +# Changelog for ASimAuthenticationTestProduct.yaml + +## Version 0.1.0 + +- Test \ No newline at end of file From 8515a609cefbd487d109e123be798561ae7a44f5 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 09:32:21 -0700 Subject: [PATCH 08/30] Add changes --- .../workflows/asimFileAndParserValidation.yml | 27 ++++++++++++++++--- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index cc1e93c7636..efd1f42c42f 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -2,9 +2,12 @@ name: New ASIM File and Parser Validation on: pull_request: - types: [opened, labeled, unlabeled, synchronize] + types: [labeled, synchronize] branches: [master] + # Allows you to run this workflow manually from the Actions tab + workflow_dispatch: + permissions: contents: read pull-requests: write @@ -66,6 +69,7 @@ jobs: core.setOutput('has_asim_yaml_files', asimYamlFiles.length > 0 ? 'true' : 'false'); - name: Validate new file paths + id: validate-paths if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_new_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c with: @@ -150,15 +154,15 @@ jobs: } - name: Checkout repository - if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' uses: actions/checkout@v4 - name: Install js-yaml - if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' run: npm install js-yaml - name: Analyze YAML files with LLM - if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -173,6 +177,21 @@ jobs: return match && match[1].startsWith('ASim'); }); + // Check if the last commit in the PR touched any of the new YAML files + const lastCommitSha = context.payload.pull_request.head.sha; + const commitResponse = await github.rest.repos.getCommit({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: lastCommitSha + }); + const lastCommitFiles = commitResponse.data.files.map(f => f.filename); + const touchedNewYamlFiles = newYamlFiles.filter(f => lastCommitFiles.includes(f)); + + if (touchedNewYamlFiles.length === 0) { + core.info('Last commit did not change any new ASim YAML files. Skipping LLM analysis.'); + return; + } + // Extract ParserQuery from the new ASim-prefixed YAML file const parserQueries = []; for (const filePath of newYamlFiles) { From a6066c578314eecf8a1eed162d8057491055da18 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 11:02:48 -0700 Subject: [PATCH 09/30] Test version checking --- .../workflows/asimFileAndParserValidation.yml | 168 +++++++++++++++++- .../CHANGELOG/ASimAuthentication.md | 2 +- .../ASimAuthenticationTestProduct.md | 2 +- 3 files changed, 164 insertions(+), 8 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index efd1f42c42f..8bf4a67196d 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -1,3 +1,16 @@ +# ============================================================================ +# New ASIM File and Parser Validation +# ============================================================================ +# This workflow validates pull requests that add new ASIM parsers. +# It checks: +# 1. The PR has the "ASIM" label +# 2. New files follow the expected directory structure +# 3. Required companion files (union parsers, changelogs) are present +# 4. Parser.Version in new and unifying parser YAML files matches +# a corresponding entry in their CHANGELOG files +# 5. The KQL ParserQuery from the new ASim-prefixed parser is +# analyzed by an LLM for correctness and ASIM compliance +# ============================================================================ name: New ASIM File and Parser Validation on: @@ -9,14 +22,18 @@ on: workflow_dispatch: permissions: - contents: read - pull-requests: write - models: read + contents: read # Read repo contents for checkout + pull-requests: write # Post validation comments on PRs + models: read # Access GitHub Models API for LLM analysis jobs: check-asim-label: runs-on: ubuntu-latest steps: + # ---------------------------------------------------------------- + # Step 1: Check if the PR has the "ASIM" label. + # If not, all subsequent steps are skipped. + # ---------------------------------------------------------------- - name: Check for ASIM label id: check-label uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c @@ -31,6 +48,11 @@ jobs: core.setOutput('has_label', 'false'); } + # ---------------------------------------------------------------- + # Step 2: Fetch all files in the PR and categorize them. + # Outputs: files, new_files, asim_yaml_files, + # has_new_files, has_asim_yaml_files + # ---------------------------------------------------------------- - name: Get changed files if: steps.check-label.outputs.has_label == 'true' id: changed-files @@ -53,6 +75,8 @@ jobs: } const allFiles = files.map(f => f.filename); const newFiles = files.filter(f => f.status === 'added').map(f => f.filename); + + // Filter for YAML files under Parsers/ASim/Parsers/ const parserPattern = /^Parsers\/ASim\w+\/Parsers\/.+\.yaml$/; const asimYamlFiles = allFiles.filter(f => parserPattern.test(f)); const newAsimYamlFiles = newFiles.filter(f => parserPattern.test(f)); @@ -68,6 +92,15 @@ jobs: core.setOutput('has_new_files', newFiles.length > 0 ? 'true' : 'false'); core.setOutput('has_asim_yaml_files', asimYamlFiles.length > 0 ? 'true' : 'false'); + # ---------------------------------------------------------------- + # Step 3: Validate the PR's file structure. + # Expected for a new ASIM parser: + # - 2 new YAML files in Parsers/ASim/Parsers/ + # - ASim.yaml and im.yaml must be modified + # - 2 new CHANGELOG .md files matching the new YAML filenames + # - ASim.md and im.md in CHANGELOG/ must be modified + # Posts a comment on the PR if validation fails. + # ---------------------------------------------------------------- - name: Validate new file paths id: validate-paths if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_new_files == 'true' @@ -106,7 +139,7 @@ jobs: const schemaName = schema.replace(/^ASim/, ''); core.info(`Detected schema: ${schemaName} (directory: ${schema})`); - // 3. Check that ASim.yaml and im.yaml are modified + // 3. Check that the union parsers (ASim.yaml and im.yaml) are modified const expectedEdited = [ `Parsers/${schema}/Parsers/${schema}.yaml`, `Parsers/${schema}/Parsers/im${schemaName}.yaml` @@ -139,6 +172,7 @@ jobs: } } + // Post a comment on the PR summarizing validation failures if (errors.length > 0) { const body = `## ASIM File Validation Failed\n\nThe following validation errors were found:\n\n${errors.map(e => '- ' + e).join('\n')}\n\n---\n*This comment was generated automatically by the ASIM File and Parser Validation workflow.*`; await github.rest.issues.createComment({ @@ -153,6 +187,16 @@ jobs: core.info('All file validations passed.'); } + # ---------------------------------------------------------------- + # Steps 4-7: Content-based validation and LLM analysis. + # Requires file validation to pass and ASIM YAML files to exist. + # Step 4: Checkout the repository to read files from disk. + # Step 5: Install js-yaml for YAML parsing. + # Step 6: Validate Parser.Version in new parser YAML files and + # unifying parsers against their CHANGELOG entries. + # Step 7: Send the ASim-prefixed parser's KQL query to an LLM + # for analysis (only if last commit touched the file). + # ---------------------------------------------------------------- - name: Checkout repository if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' uses: actions/checkout@v4 @@ -161,23 +205,133 @@ jobs: if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' run: npm install js-yaml + # ---------------------------------------------------------------- + # Step 6: Validate Parser.Version against CHANGELOG entries. + # For each new parser YAML file: + # - Reads Parser.Version from the YAML + # - Checks that the corresponding CHANGELOG .md file + # contains a matching "Version X.X" entry + # For the unifying (edited) parsers (ASim.yaml, + # im.yaml): + # - Same version-to-CHANGELOG validation + # Outputs the parsed file contents as JSON for later steps. + # ---------------------------------------------------------------- + - name: Check parser and changelog for matching versions + id: read-yaml + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + with: + script: | + const fs = require('fs'); + const yaml = require('js-yaml'); + const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); + const parserPattern = /^(Parsers\/ASim\w+)\/Parsers\/(.+)\.yaml$/; + const newYamlFiles = newFiles.filter(f => parserPattern.test(f)); + const errors = []; + + const parsedFiles = {}; + for (const filePath of newYamlFiles) { + try { + const content = fs.readFileSync(filePath, 'utf8'); + const parsed = yaml.load(content); + parsedFiles[filePath] = parsed; + core.info(`Read file: ${filePath}`); + + // Extract Parser.Version and validate against CHANGELOG + const version = parsed?.Parser?.Version; + if (!version) { + errors.push(`Missing Parser.Version in: ${filePath}`); + continue; + } + core.info(` Parser.Version: ${version}`); + + // Derive the CHANGELOG path: Parsers/ASim/CHANGELOG/.md + const match = filePath.match(parserPattern); + const changelogPath = `${match[1]}/CHANGELOG/${match[2]}.md`; + + try { + const changelogContent = fs.readFileSync(changelogPath, 'utf8'); + const versionPattern = new RegExp(`Version ${version.replace('.', '\\.')}`, 'm'); + if (versionPattern.test(changelogContent)) { + core.info(` Version ${version} found in ${changelogPath}`); + } else { + errors.push(`Version ${version} from ${filePath} is not referenced in ${changelogPath}`); + } + } catch (err) { + errors.push(`Could not read CHANGELOG file: ${changelogPath} - ${err.message}`); + } + } catch (err) { + core.warning(`Could not read/parse file: ${filePath} - ${err.message}`); + } + } + + // Also validate the unifying (edited) parsers: ASim.yaml and im.yaml + // These are existing files modified in the PR, not new files. + // Derive the schema directory from one of the new parser files. + const sampleMatch = newYamlFiles[0]?.match(parserPattern); + if (sampleMatch) { + const schemaDir = sampleMatch[1]; // e.g. Parsers/ASimWebSession + const schemaName = schemaDir.split('/')[1]; // e.g. ASimWebSession + const shortSchema = schemaName.replace(/^ASim/, ''); // e.g. WebSession + + const unifyingParsers = [ + { yaml: `${schemaDir}/Parsers/${schemaName}.yaml`, changelog: `${schemaDir}/CHANGELOG/${schemaName}.md` }, + { yaml: `${schemaDir}/Parsers/im${shortSchema}.yaml`, changelog: `${schemaDir}/CHANGELOG/im${shortSchema}.md` } + ]; + + for (const { yaml: yamlPath, changelog: changelogPath } of unifyingParsers) { + try { + const content = fs.readFileSync(yamlPath, 'utf8'); + const parsed = yaml.load(content); + const version = parsed?.Parser?.Version; + if (!version) { + errors.push(`Missing Parser.Version in unifying parser: ${yamlPath}`); + continue; + } + core.info(`Unifying parser ${yamlPath} - Parser.Version: ${version}`); + + try { + const changelogContent = fs.readFileSync(changelogPath, 'utf8'); + const versionPattern = new RegExp(`Version ${version.replace('.', '\\.')}`, 'm'); + if (versionPattern.test(changelogContent)) { + core.info(` Version ${version} found in ${changelogPath}`); + } else { + errors.push(`Version ${version} from ${yamlPath} is not referenced in ${changelogPath}`); + } + } catch (err) { + errors.push(`Could not read CHANGELOG file: ${changelogPath} - ${err.message}`); + } + } catch (err) { + errors.push(`Could not read unifying parser: ${yamlPath} - ${err.message}`); + } + } + } + + if (errors.length > 0) { + errors.forEach(e => core.error(e)); + core.setFailed('YAML/CHANGELOG version validation failed. See errors above.'); + } + + core.setOutput('parsed_files', JSON.stringify(parsedFiles)); + - name: Analyze YAML files with LLM if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ github.token }} with: script: | const fs = require('fs'); const yaml = require('js-yaml'); const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); const parserPattern = /^Parsers\/ASim\w+\/Parsers\/(.+)\.yaml$/; + // Only analyze the ASim-prefixed file (not the vim-prefixed variant) const newYamlFiles = newFiles.filter(f => { const match = f.match(parserPattern); return match && match[1].startsWith('ASim'); }); - // Check if the last commit in the PR touched any of the new YAML files + // Skip LLM call if the latest commit didn't modify these files const lastCommitSha = context.payload.pull_request.head.sha; const commitResponse = await github.rest.repos.getCommit({ owner: context.repo.owner, @@ -213,6 +367,7 @@ jobs: return; } + // Send the ParserQuery to the LLM for review const prompt = `You are a KQL and ASIM (Advanced Security Information Model) expert reviewing a new parser for the Azure-Sentinel repository.\n\nHere is the ParserQuery from the new ASim-prefixed YAML file:\n\n${parserQueries.join('\n\n')}\n\nPlease:\n1. Analyze the KQL query: identify the data source, target ASIM schema, and summarize the parsing logic.\n2. Check for potential issues such as incorrect field mappings, missing required ASIM fields, inefficient KQL patterns, or logic errors.\n3. Suggest specific improvements to the query for correctness, performance, and ASIM compliance.`; const response = await fetch('https://models.github.ai/inference/chat/completions', { @@ -235,6 +390,7 @@ jobs: return; } + // Parse and output the LLM response const result = await response.json(); const analysis = result.choices[0].message.content; core.info('LLM Analysis:\n' + analysis); diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md index c3fef0705b9..129c3c5a967 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md @@ -1,6 +1,6 @@ # Changelog for ASimAuthentication.yaml -## Version 0.2.16 +## Version 0.3.10 - Test diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md index 2b27a97183e..59db8db05e6 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md @@ -1,5 +1,5 @@ # Changelog for ASimAuthenticationTestProduct.yaml -## Version 0.1.0 +## Version 0.2.0 - Test \ No newline at end of file From cdcdce293759a60ab4e7bc89d3af5fd2abaed4ed Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 14:05:13 -0700 Subject: [PATCH 10/30] Test other case --- .../CHANGELOG/ASimAuthenticationTestProduct.md | 2 +- Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md index 59db8db05e6..2b27a97183e 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md @@ -1,5 +1,5 @@ # Changelog for ASimAuthenticationTestProduct.yaml -## Version 0.2.0 +## Version 0.1.0 - Test \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 37213bb57b9..80f0a153d16 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -1,6 +1,6 @@ Parser: Title: Authentication ASIM parser - Version: '0.2.15' + Version: '0.2.18' LastUpdated: May 05, 2026 Product: Name: Source agnostic From 60e903df7d8325d49a51e1dfae0ffa2cd9f90a36 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 14:25:16 -0700 Subject: [PATCH 11/30] Test --- .../workflows/asimFileAndParserValidation.yml | 86 +++++-- .../CHANGELOG/ASimAuthentication.md | 4 - .../Parsers/ASimAuthentication.yaml | 2 +- .../ASimAuthenticationTestProduct.yaml | 211 +++++++++++++++++- 4 files changed, 275 insertions(+), 28 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 8bf4a67196d..d10b7b3d411 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -308,12 +308,24 @@ jobs: } if (errors.length > 0) { + const body = `## ASIM Version Validation Failed\n\nThe following version/CHANGELOG mismatches were found:\n\n${errors.map(e => '- ' + e).join('\n')}\n\n---\n*This comment was generated automatically by the ASIM File and Parser Validation workflow.*`; + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body: body + }); errors.forEach(e => core.error(e)); - core.setFailed('YAML/CHANGELOG version validation failed. See errors above.'); + core.setFailed('YAML/CHANGELOG version validation failed. See PR comment for details.'); } - core.setOutput('parsed_files', JSON.stringify(parsedFiles)); - + # ---------------------------------------------------------------- + # Step 7: LLM-based analysis of the new parser's KQL query. + # Extracts the ParserQuery from the new ASim-prefixed YAML file + # and sends it to the GitHub Models API (GPT-5) for review. + # Skips the API call if the last commit didn't modify the file + # to avoid redundant usage. + # ---------------------------------------------------------------- - name: Analyze YAML files with LLM if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c @@ -332,18 +344,24 @@ jobs: }); // Skip LLM call if the latest commit didn't modify these files - const lastCommitSha = context.payload.pull_request.head.sha; - const commitResponse = await github.rest.repos.getCommit({ - owner: context.repo.owner, - repo: context.repo.repo, - ref: lastCommitSha - }); - const lastCommitFiles = commitResponse.data.files.map(f => f.filename); - const touchedNewYamlFiles = newYamlFiles.filter(f => lastCommitFiles.includes(f)); + // (unless the workflow was manually triggered via workflow_dispatch) + const isManualTrigger = '${{ github.event_name }}' === 'workflow_dispatch'; + if (!isManualTrigger) { + const lastCommitSha = context.payload.pull_request.head.sha; + const commitResponse = await github.rest.repos.getCommit({ + owner: context.repo.owner, + repo: context.repo.repo, + ref: lastCommitSha + }); + const lastCommitFiles = commitResponse.data.files.map(f => f.filename); + const touchedNewYamlFiles = newYamlFiles.filter(f => lastCommitFiles.includes(f)); - if (touchedNewYamlFiles.length === 0) { - core.info('Last commit did not change any new ASim YAML files. Skipping LLM analysis.'); - return; + if (touchedNewYamlFiles.length === 0) { + core.info('Last commit did not change any new ASim YAML files. Skipping LLM analysis.'); + return; + } + } else { + core.info('Workflow manually triggered. Running LLM analysis regardless of last commit.'); } // Extract ParserQuery from the new ASim-prefixed YAML file @@ -368,7 +386,45 @@ jobs: } // Send the ParserQuery to the LLM for review - const prompt = `You are a KQL and ASIM (Advanced Security Information Model) expert reviewing a new parser for the Azure-Sentinel repository.\n\nHere is the ParserQuery from the new ASim-prefixed YAML file:\n\n${parserQueries.join('\n\n')}\n\nPlease:\n1. Analyze the KQL query: identify the data source, target ASIM schema, and summarize the parsing logic.\n2. Check for potential issues such as incorrect field mappings, missing required ASIM fields, inefficient KQL patterns, or logic errors.\n3. Suggest specific improvements to the query for correctness, performance, and ASIM compliance.`; + const prompt = `You are a KQL performance and efficiency expert reviewing \ + a new ASIM parser for the Azure-Sentinel repository. Your job is to check \ + for efficiency and performance of the KQL query. There is already a separate \ + schema and data tester for ASIM correctness, so focus only on performance \ + and best practices. + + Here is the ParserQuery from the new ASim-prefixed YAML file: + + ${parserQueries.join('\n\n')} + + Please review the KQL query for the following: + + 1. **Filter → Parse → Map pattern**: Verify the query follows the correct \ + ASIM parsing flow. Filtering should happen early on native columns before \ + any parsing. Parsing should occur next, followed by field mapping. + + 2. **Field mapping operators**: Check that \`project-rename\` is used for \ + direct column-to-field mappings, and \`extend\` is used for calculated or \ + normalized fields. Flag any misuse (e.g., using \`extend\` where \ + \`project-rename\` would suffice). + + 3. **No \`project-away\`**: The query must NOT use \`project-away\` to remove \ + unmapped columns. It should use \`project\` instead, as \`project-away\` does \ + not protect the parser from schema changes in the source data. + + 4. **\`pack\` parameter**: If the query uses \`AdditionalFields\`, verify that \ + a \`pack: bool = false\` parameter is included. This allows users to choose \ + whether to populate \`AdditionalFields\` or return an empty dynamic, \ + improving performance for users who do not need the extra information. + + 5. **Parsing operator efficiency**: Check that high-performance parsing \ + operators are used (\`split\`, \`parse-kv\`, \`parse\`) and that regular \ + expressions are avoided where simpler operators would work. + + 6. **General KQL performance**: Flag any other inefficient patterns such as \ + unnecessary \`let\` statements, redundant filters, expensive joins, or \ + operations that could be reordered for better performance. + + Provide specific, actionable suggestions for each issue found.`; const response = await fetch('https://models.github.ai/inference/chat/completions', { method: 'POST', diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md index 129c3c5a967..ab08dac1d76 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md @@ -1,9 +1,5 @@ # Changelog for ASimAuthentication.yaml -## Version 0.3.10 - -- Test - ## Version 0.2.15 - (2026-04-13) ASIM Authentication Parser for VMware ESXi - [PR #13989](https://github.com/Azure/Azure-Sentinel/pull/13989) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 80f0a153d16..435545496b8 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -1,6 +1,6 @@ Parser: Title: Authentication ASIM parser - Version: '0.2.18' + Version: '0.2.16' LastUpdated: May 05, 2026 Product: Name: Source agnostic diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml index 1710d4cd35c..eb7915441f6 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml @@ -21,11 +21,206 @@ ParserParams: Type: bool Default: false ParserQuery: | - let parser = (disabled: bool) { - // Your parser logic here - TestProduct - | where not(disabled) - | project - TimeGenerated, Type - }; - parser(disabled = disabled) \ No newline at end of file + let parser = (disabled:bool=false) { + let LogonMethodLookup = datatable(Method: string, LogonMethod: string) + [ + 'password', 'Username & password', + 'publickey', 'PKI', + 'keyboard-interactive/pam', 'PAM' + ]; + let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId; + // + // -- Successful login + let SSHDAccepted=(disabled:bool=false) { + // -- Parse events with the format "Accepted (password|none|publickey|etc.) for from port ssh2" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith 'Accepted' + | parse SyslogMessage with "Accepted " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * + | extend + EventCount = int(1), + EventResult = 'Success', + EventSeverity = 'Informational', + EventType = 'Logon' + | lookup LogonMethodLookup on Method + | extend LogonMethod = case( + isnotempty(LogonMethod), LogonMethod, + SyslogMessage has "key RSA", "PKI", + "Other") + | project-away SyslogMessage, ProcessName, Method + }; + // + // -- Failed login - incorrect password + let SSHDFailed=(disabled:bool=false) { + // -- Parse events with the format "Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]" + // -- Or a number of such events message repeated times: [ ] + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and ( + SyslogMessage startswith 'Failed' + or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed') + ) + | parse SyslogMessage with * "Failed " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * + | parse SyslogMessage with "message repeated" EventCount:int " times:" * + | extend + EventCount = toint(coalesce(EventCount,1)), + EventResult = 'Failure', + EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'), + EventSeverity = 'Low' , + EventType = 'Logon' + | lookup LogonMethodLookup on Method + | extend LogonMethod = case( + isnotempty(LogonMethod), LogonMethod, + SyslogMessage has "key RSA", "PKI", + "Other") + | project-away SyslogMessage, ProcessName, Method + }; + // + // -- Logoff - Timeout + let SSHDTimeout=(disabled:bool=false) { + // -- Parse events with the format "Timeout, client not responding from user yanivsh 131.107.174.198 port 7623" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith 'Timeout' + | parse-where SyslogMessage with * "user " TargetUsername:string " " SrcIpAddr:string " port " SrcPortNumber:int + | extend + EventCount = int(1), + EventResult = 'Success', + EventSeverity = 'Informational', + EventType = 'Logoff' + | project-away SyslogMessage, ProcessName + }; + // + // -- Failed login - invalid user + let SSHDInvalidUser=(disabled:bool=false) { + // -- Parse events with the format "Invalid user [] from port " + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith 'Invalid user' + | parse SyslogMessage with "Invalid user " TargetUsername:string " from " SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be "0.0.0.0 port 0" or just "0.0.0.0" + | parse SyslogMessage with "Invalid user from " SrcIpAddrNoUser:string " port " SrcPortNumberNoUser:int + | extend SrcInfo = split(SrcIpAddrAndPort, " ") + | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] ("port"). [2] will be null if there is no port. + | extend + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'No such user', + EventSeverity = 'Low', + EventType = 'Logon', + SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser), + SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser) + | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo + }; + // + // -- Blocked intrusion attempts + let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) { + // -- Parse events with the format "reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith "reverse mapping checking getaddrinfo for" + | parse SyslogMessage with * " for " Src " [" SrcIpAddr "]" * + | invoke _ASIM_ResolveSrcFQDN ('Src') + | extend + DvcAction = 'Block', + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'Logon violates policy', + EventSeverity = 'Medium', + EventType = 'Logon', + RuleName = "Reverse mapping failed", + TargetUsername = '' + | extend + Rule = RuleName + | project-away SyslogMessage, ProcessName, Src + }; + let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) { + // -- Parse events with the format "Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage has "but this does not map back to the address" + | parse SyslogMessage with "Address " SrcIpAddr:string " maps to " Src:string ", but this" * + | invoke _ASIM_ResolveSrcFQDN ('Src') + | extend + DvcAction = 'Block', + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'Logon violates policy', + EventSeverity = 'Medium', + EventType = 'Logon', + RuleName = "Address to host to address mapping does not map back to address", + TargetUsername = '' + | extend + Rule = RuleName + | project-away SyslogMessage, ProcessName, Src + }; + let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) { + // -- Parse events with the format "Nasty PTR record "" is set up for , ignoring" + SyslogProjects | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith "Nasty PTR record" + | parse SyslogMessage with * "set up for " SrcIpAddr:string ", ignoring" + | extend + DvcAction = 'Block', + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'Logon violates policy', + EventSeverity = 'Medium', + EventType = 'Logon', + RuleName = "Nasty PTR record set for IP Address", + TargetUsername = '' + | extend + Rule = RuleName + | project-away SyslogMessage, ProcessName + }; + union isfuzzy=false + SSHDAccepted (disabled=disabled), + SSHDFailed (disabled=disabled), + SSHDInvalidUser (disabled=disabled), + SSHDTimeout (disabled=disabled), + SSHDABreakInAttemptMappingFailed (disabled=disabled), + SSHDABreakInAttemptMappingMismatch (disabled=disabled), + SSHDABreakInAttemptNastyPtr (disabled=disabled) + | invoke _ASIM_ResolveDvcFQDN ('Computer') + | extend + DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceId", ""), + DvcOs = 'Linux', + EventEndTime = TimeGenerated, + EventProduct = 'OpenSSH', + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.3', + EventStartTime = TimeGenerated, + EventSubType = 'Remote', + EventVendor = 'OpenBSD', + LogonProtocol = 'ssh', + TargetAppId = tostring(ProcessID), + TargetAppName = 'sshd', + TargetAppType = 'Service', + TargetDvcOs = 'Linux', + TargetUsernameType = 'Simple', + Type = 'Syslog' + | project-away Computer, ProcessID + | project-rename + DvcId = _ResourceId, + DvcIpAddr = HostIP, + DvcScopeId = _SubscriptionId, + EventUid = _ItemId + // + // -- Aliases + | extend + Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr), + IpAddr = SrcIpAddr, + Src = SrcIpAddr, + TargetDomain = DvcDomain, + TargetDomainType = DvcDomainType, + TargetDvcId = DvcId, + TargetDvcIdType = DvcIdType, + TargetDvcScopeId = DvcScopeId, + TargetFQDN = DvcFQDN, + TargetHostname = DvcHostname, + TargetIpAddr = DvcIpAddr, + User = TargetUsername, + Application = TargetAppName + | extend Dvc = Dst + }; + parser ( + disabled=disabled + ) \ No newline at end of file From 2e3f5669b57c9346045bbe792bccc7fd0eb66897 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 14:30:38 -0700 Subject: [PATCH 12/30] Ok, add in change for md file --- Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md index ab08dac1d76..c3fef0705b9 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md @@ -1,5 +1,9 @@ # Changelog for ASimAuthentication.yaml +## Version 0.2.16 + +- Test + ## Version 0.2.15 - (2026-04-13) ASIM Authentication Parser for VMware ESXi - [PR #13989](https://github.com/Azure/Azure-Sentinel/pull/13989) From 8404d039964c479cd8d8cae75d4f6f30ffe8cae5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Wed, 10 Jun 2026 21:37:18 +0000 Subject: [PATCH 13/30] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthenticationTestProduct.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json index 81617739c2b..7666c027635 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json @@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for TestProduct", "category": "ASIM", "FunctionAlias": "ASimAuthenticationTestProduct", - "query": "let parser = (disabled: bool) {\n // Your parser logic here\n TestProduct\n | where not(disabled)\n | project\n TimeGenerated, Type\n};\nparser(disabled = disabled)", + "query": "let parser = (disabled:bool=false) {\n let LogonMethodLookup = datatable(Method: string, LogonMethod: string)\n [\n 'password', 'Username & password',\n 'publickey', 'PKI',\n 'keyboard-interactive/pam', 'PAM'\n ];\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login \n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted (password|none|publickey|etc.) for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). [2] will be null if there is no port.\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple',\n Type = 'Syslog'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcIdType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername,\n Application = TargetAppName\n | extend Dvc = Dst\n };\n parser (\n disabled=disabled\n )", "version": 1, "functionParameters": "disabled:bool=False" } From 0dc3f8b9d83b798dd262be8f0c60b37cd257cf1c Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 15:05:13 -0700 Subject: [PATCH 14/30] Test --- .github/workflows/asimFileAndParserValidation.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index d10b7b3d411..5ad7065d937 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -18,9 +18,6 @@ on: types: [labeled, synchronize] branches: [master] - # Allows you to run this workflow manually from the Actions tab - workflow_dispatch: - permissions: contents: read # Read repo contents for checkout pull-requests: write # Post validation comments on PRs @@ -344,9 +341,11 @@ jobs: }); // Skip LLM call if the latest commit didn't modify these files - // (unless the workflow was manually triggered via workflow_dispatch) - const isManualTrigger = '${{ github.event_name }}' === 'workflow_dispatch'; - if (!isManualTrigger) { + // (unless the PR has the 'SafeToRun' label, which bypasses this check) + const labels = context.payload.pull_request.labels.map(l => l.name); + const isSafeToRun = labels.includes('SafeToRun'); + + if (!isSafeToRun) { const lastCommitSha = context.payload.pull_request.head.sha; const commitResponse = await github.rest.repos.getCommit({ owner: context.repo.owner, @@ -361,7 +360,7 @@ jobs: return; } } else { - core.info('Workflow manually triggered. Running LLM analysis regardless of last commit.'); + core.info('PR has "SafeToRun" label. Bypassing last commit check.'); } // Extract ParserQuery from the new ASim-prefixed YAML file From 3700eaf1db44ea888097db808dd25a31c1aa07f2 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 15:26:45 -0700 Subject: [PATCH 15/30] Test new prompt --- .../workflows/asimFileAndParserValidation.yml | 83 ++++++++++++------- 1 file changed, 52 insertions(+), 31 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 5ad7065d937..dd436af1a8e 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -185,13 +185,14 @@ jobs: } # ---------------------------------------------------------------- - # Steps 4-7: Content-based validation and LLM analysis. + # Steps 4-8: Content-based validation and LLM analysis. # Requires file validation to pass and ASIM YAML files to exist. # Step 4: Checkout the repository to read files from disk. # Step 5: Install js-yaml for YAML parsing. # Step 6: Validate Parser.Version in new parser YAML files and # unifying parsers against their CHANGELOG entries. - # Step 7: Send the ASim-prefixed parser's KQL query to an LLM + # Step 7: Check if the PR has the "SafeToRun" label. + # Step 8: Send the ASim-prefixed parser's KQL query to an LLM # for analysis (only if last commit touched the file). # ---------------------------------------------------------------- - name: Checkout repository @@ -317,14 +318,32 @@ jobs: } # ---------------------------------------------------------------- - # Step 7: LLM-based analysis of the new parser's KQL query. + # Step 7: Check if the PR has the "SafeToRun" label. + # Required for the LLM analysis step to run. + # ---------------------------------------------------------------- + - name: Check for SafeToRun label + id: check-safe-to-run + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + with: + script: | + const labels = context.payload.pull_request.labels.map(l => l.name); + if (labels.includes('SafeToRun')) { + core.info('PR has the SafeToRun label.'); + core.setOutput('is_safe', 'true'); + } else { + core.info('PR does not have the SafeToRun label. Skipping LLM analysis.'); + core.setOutput('is_safe', 'false'); + } + + # ---------------------------------------------------------------- + # Step 8: LLM-based analysis of the new parser's KQL query. # Extracts the ParserQuery from the new ASim-prefixed YAML file # and sends it to the GitHub Models API (GPT-5) for review. - # Skips the API call if the last commit didn't modify the file - # to avoid redundant usage. + # Only runs if the PR has the "SafeToRun" label. # ---------------------------------------------------------------- - name: Analyze YAML files with LLM - if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.check-safe-to-run.outputs.is_safe == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c env: GITHUB_TOKEN: ${{ github.token }} @@ -340,29 +359,6 @@ jobs: return match && match[1].startsWith('ASim'); }); - // Skip LLM call if the latest commit didn't modify these files - // (unless the PR has the 'SafeToRun' label, which bypasses this check) - const labels = context.payload.pull_request.labels.map(l => l.name); - const isSafeToRun = labels.includes('SafeToRun'); - - if (!isSafeToRun) { - const lastCommitSha = context.payload.pull_request.head.sha; - const commitResponse = await github.rest.repos.getCommit({ - owner: context.repo.owner, - repo: context.repo.repo, - ref: lastCommitSha - }); - const lastCommitFiles = commitResponse.data.files.map(f => f.filename); - const touchedNewYamlFiles = newYamlFiles.filter(f => lastCommitFiles.includes(f)); - - if (touchedNewYamlFiles.length === 0) { - core.info('Last commit did not change any new ASim YAML files. Skipping LLM analysis.'); - return; - } - } else { - core.info('PR has "SafeToRun" label. Bypassing last commit check.'); - } - // Extract ParserQuery from the new ASim-prefixed YAML file const parserQueries = []; for (const filePath of newYamlFiles) { @@ -423,7 +419,24 @@ jobs: unnecessary \`let\` statements, redundant filters, expensive joins, or \ operations that could be reordered for better performance. - Provide specific, actionable suggestions for each issue found.`; + **Output format:** + + First, provide an overall **Readiness Rating** out of 10 (where 10 means \ + production-ready with no issues). + + Then, return your findings as a markdown table with the following columns: + + | # | Priority | Issue | Suggestion | + |---|----------|-------|------------| + + Where: + - **Priority** is one of: 🔴 High, 🟡 Medium, 🟢 Low + - **Issue** is a concise description of the problem found + - **Suggestion** is a specific, actionable fix + + If no issues are found for a category, do not include a row for it. \ + If the query has no issues at all, return the table with a single row \ + stating "No issues found" and a rating of 10/10.`; const response = await fetch('https://models.github.ai/inference/chat/completions', { method: 'POST', @@ -449,4 +462,12 @@ jobs: const result = await response.json(); const analysis = result.choices[0].message.content; core.info('LLM Analysis:\n' + analysis); - core.setOutput('analysis', analysis); + + // Post the LLM analysis as a PR comment + const body = `## ASIM Parser KQL Review\n\n${analysis}\n\n---\n*This review was generated automatically by the ASIM File and Parser Validation workflow using GitHub Models.*`; + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body: body + }); From 7db107c8bcac8181b178da34503e0be669eeee47 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 15:50:59 -0700 Subject: [PATCH 16/30] Add changes and vim parser analysis --- .../workflows/asimFileAndParserValidation.yml | 126 +++++++- .../Parsers/vimAuthenticationTestProduct.yaml | 281 +++++++++++++++++- 2 files changed, 392 insertions(+), 15 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index dd436af1a8e..67e673664c4 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -342,7 +342,7 @@ jobs: # and sends it to the GitHub Models API (GPT-5) for review. # Only runs if the PR has the "SafeToRun" label. # ---------------------------------------------------------------- - - name: Analyze YAML files with LLM + - name: Analyze parsers for ASIM best practices if: steps.check-safe-to-run.outputs.is_safe == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c env: @@ -353,20 +353,41 @@ jobs: const yaml = require('js-yaml'); const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); const parserPattern = /^Parsers\/ASim\w+\/Parsers\/(.+)\.yaml$/; - // Only analyze the ASim-prefixed file (not the vim-prefixed variant) - const newYamlFiles = newFiles.filter(f => { + + // Separate new YAML files into ASim-prefixed and vim-prefixed parsers + const asimFiles = newFiles.filter(f => { const match = f.match(parserPattern); return match && match[1].startsWith('ASim'); }); + const vimFiles = newFiles.filter(f => { + const match = f.match(parserPattern); + return match && match[1].startsWith('vim'); + }); - // Extract ParserQuery from the new ASim-prefixed YAML file - const parserQueries = []; - for (const filePath of newYamlFiles) { + // Extract ParserQuery from the ASim-prefixed YAML file + let asimParserQuery = null; + for (const filePath of asimFiles) { + try { + const content = fs.readFileSync(filePath, 'utf8'); + const parsed = yaml.load(content); + if (parsed && parsed.ParserQuery) { + asimParserQuery = { file: filePath, query: parsed.ParserQuery }; + } else { + core.warning(`No ParserQuery found in: ${filePath}`); + } + } catch (err) { + core.warning(`Could not read/parse file: ${filePath} - ${err.message}`); + } + } + + // Extract ParserQuery from the vim-prefixed YAML file + let vimParserQuery = null; + for (const filePath of vimFiles) { try { const content = fs.readFileSync(filePath, 'utf8'); const parsed = yaml.load(content); if (parsed && parsed.ParserQuery) { - parserQueries.push(`### ${filePath}\n\`\`\`kql\n${parsed.ParserQuery}\n\`\`\``); + vimParserQuery = { file: filePath, query: parsed.ParserQuery }; } else { core.warning(`No ParserQuery found in: ${filePath}`); } @@ -375,11 +396,20 @@ jobs: } } - if (parserQueries.length === 0) { + if (!asimParserQuery && !vimParserQuery) { core.info('No ParserQuery fields found in new YAML files. Skipping LLM analysis.'); return; } + core.info(`ASim parser: ${asimParserQuery?.file || 'not found'}`); + core.info(`vim parser: ${vimParserQuery?.file || 'not found'}`); + + // Build the query content for the LLM prompt + const parserQueries = []; + if (asimParserQuery) { + parserQueries.push(`### ${asimParserQuery.file}\n\`\`\`kql\n${asimParserQuery.query}\n\`\`\``); + } + // Send the ParserQuery to the LLM for review const prompt = `You are a KQL performance and efficiency expert reviewing \ a new ASIM parser for the Azure-Sentinel repository. Your job is to check \ @@ -471,3 +501,83 @@ jobs: issue_number: context.payload.pull_request.number, body: body }); + + // Analyze the vim-prefixed parser query, passing the previous + // conversation as context so the LLM has awareness of the ASim review. + if (vimParserQuery) { + const vimPrompt = `Now review the vim (parameter/filtering) version of \ + the same ASIM parser. This parser adds filtering parameters to improve \ + query efficiency by reducing the number of rows processed early in the \ + query pipeline. + + You have already reviewed the ASim (parameter-less) version above. \ + Do NOT repeat issues already identified in that review. Focus only on \ + the filtering logic specific to this vim parser. + + Here is the ParserQuery from the vim-prefixed YAML file: + + ### ${vimParserQuery.file} + \`\`\`kql + ${vimParserQuery.query} + \`\`\` + + Please review: + 1. **Parameter placement**: Are the filtering parameters applied as \ + early as possible in the query? Filters should be placed before any \ + parsing or field calculations to avoid unnecessary computation on rows \ + that will be filtered out. + 2. **Filter efficiency**: Are the parameter-based filters using native \ + columns and indexed fields where possible? + 3. **Redundant computation**: Are there any calculated fields or parsing \ + operations that occur before the parameter filters, when they could be \ + moved after? + 4. **Parameter completeness**: Are the filtering parameters comprehensive \ + enough to allow efficient querying for common use cases? + + **Output format:** + + First, provide an overall **Readiness Rating** out of 10. + + Then, return findings as a markdown table: + + | # | Priority | Issue | Suggestion | + |---|----------|-------|------------| + + Where Priority is one of: 🔴 High, 🟡 Medium, 🟢 Low. + Only include issues specific to the filtering/parameter logic. \ + If no issues are found, return a single row stating "No issues found" \ + and a rating of 10/10.`; + + const vimResponse = await fetch('https://models.github.ai/inference/chat/completions', { + method: 'POST', + headers: { + 'Authorization': `Bearer ${process.env.GITHUB_TOKEN}`, + 'Content-Type': 'application/json' + }, + body: JSON.stringify({ + model: 'openai/gpt-5', + messages: [ + { role: 'user', content: prompt }, + { role: 'assistant', content: analysis }, + { role: 'user', content: vimPrompt } + ] + }) + }); + + if (!vimResponse.ok) { + const errorText = await vimResponse.text(); + core.warning(`LLM API call for vim parser failed: ${vimResponse.status} ${errorText}`); + } else { + const vimResult = await vimResponse.json(); + const vimAnalysis = vimResult.choices[0].message.content; + core.info('vim Parser LLM Analysis:\n' + vimAnalysis); + + const vimBody = `## ASIM vim Parser KQL Review\n\n${vimAnalysis}\n\n---\n*This review was generated automatically by the ASIM File and Parser Validation workflow using GitHub Models.*`; + await github.rest.issues.createComment({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + body: vimBody + }); + } + } diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml index 0a37adeca79..5bdf824d3ed 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml @@ -51,11 +51,278 @@ ParserParams: Type: bool Default: false ParserQuery: | - let parser = (disabled: bool) { - // Your parser logic here - TestProduct - | where not(disabled) - | project - TimeGenerated, Type + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + username_has_any: dynamic = dynamic([]), + targetappname_has_any: dynamic = dynamic([]), + srcipaddr_has_any_prefix: dynamic = dynamic([]), + srchostname_has_any: dynamic = dynamic([]), + eventtype_in: dynamic = dynamic([]), + eventresultdetails_in: dynamic = dynamic([]), + eventresult: string = '*', + disabled: bool=false + ) + { + let LogonMethodLookup = datatable(Method: string, LogonMethod: string) + [ + 'password', 'Username & password', + 'publickey', 'PKI', + 'keyboard-interactive/pam', 'PAM' + ]; + let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime)) + { + T + | where + (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any)) + and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any)) + and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))) + and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source + // eventresultdetails_in filtering done later in the parser + // eventresult filtering done later in the parser }; - parser(disabled = disabled) \ No newline at end of file + let SyslogProjects = Syslog + | project + TimeGenerated, + Computer, + SyslogMessage, + ProcessName, + ProcessID, + HostIP, + Type, + _ItemId, + _ResourceId, + _SubscriptionId; + // + // -- Successful login + let SSHDAccepted=(disabled: bool=false) + { + // -- Parse events with the format "Accepted (password|none|publickey|etc.) for from port ssh2" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith 'Accepted' + | invoke prefilter() + | parse SyslogMessage with "Accepted " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * + | extend + EventCount = int(1), + EventResult = 'Success', + EventSeverity = 'Informational', + EventType = 'Logon' + | lookup LogonMethodLookup on Method + | extend LogonMethod = case( + isnotempty(LogonMethod), LogonMethod, + SyslogMessage has "key RSA", "PKI", + "Other") + | project-away SyslogMessage, ProcessName, Method + }; + // + // -- Failed login - incorrect password + let SSHDFailed=(disabled: bool=false) + { + // -- Parse events with the format Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]" + // -- Or a number of such events message repeated times: [ ] + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and ( + SyslogMessage startswith 'Failed' + or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed') + ) + | invoke prefilter() + | parse SyslogMessage with * "Failed " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * + | parse SyslogMessage with "message repeated" EventCount:int " times:" * + | extend + EventCount = toint(coalesce(EventCount,1)), + EventResult = 'Failure', + EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'), + EventSeverity = 'Low' , + EventType = 'Logon' + | lookup LogonMethodLookup on Method + | extend LogonMethod = coalesce(LogonMethod, "Other") + | project-away SyslogMessage, ProcessName, Method + }; + // + // -- Logoff - Timeout + let SSHDTimeout=(disabled: bool=false) + { + // -- Parse events with the format "Timeout, client not responding from user yanivsh 131.107.174.198 port 7623" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith 'Timeout' + | invoke prefilter() + | parse-where SyslogMessage with * "user " TargetUsername: string " " SrcIpAddr: string " port " SrcPortNumber: int + | extend + EventCount = int(1), + EventResult = 'Success', + EventSeverity = 'Informational', + EventType = 'Logoff' + | project-away SyslogMessage, ProcessName + }; + // + // -- Failed login - invalid user + let SSHDInvalidUser=(disabled: bool=false) + { + // -- Parse events with the format "Invalid user [] from port " + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith 'Invalid user' + | invoke prefilter() + | parse SyslogMessage with "Invalid user " TargetUsername:string " from " SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be "0.0.0.0 port 0" or just "0.0.0.0" + | parse SyslogMessage with "Invalid user from " SrcIpAddrNoUser:string " port " SrcPortNumberNoUser:int + | extend SrcInfo = split(SrcIpAddrAndPort, " ") + | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] ("port"). [2] will be null if there is no port. + | extend + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'No such user', + EventSeverity = 'Low', + EventType = 'Logon', + SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser), + SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser) + | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo + }; + // + // -- Blocked intrusion attempts + let SSHDABreakInAttemptMappingFailed=(disabled: bool=false) + { + // -- Parse events with the format "reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith "reverse mapping checking getaddrinfo for" + | invoke prefilter() + | parse SyslogMessage with * " for " Src " [" SrcIpAddr "]" * + | invoke _ASIM_ResolveSrcFQDN ('Src') + | extend + DvcAction = 'Block', + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'Logon violates policy', + EventSeverity = 'Medium', + EventType = 'Logon', + RuleName = "Reverse mapping failed", + TargetUsername = '' + | extend + Rule = RuleName + | project-away SyslogMessage, ProcessName, Src + }; + let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false) + { + // -- Parse events with the format "Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage has "but this does not map back to the address" + | invoke prefilter() + | parse SyslogMessage with "Address " SrcIpAddr: string " maps to " Src: string ", but this" * + | invoke _ASIM_ResolveSrcFQDN ('Src') + | extend + DvcAction = 'Block', + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'Logon violates policy', + EventSeverity = 'Medium', + EventType = 'Logon', + RuleName = "Address to host to address mapping does not map back to address", + TargetUsername = '' + | extend + Rule = RuleName + | project-away SyslogMessage, ProcessName, Src + }; + let SSHDABreakInAttemptNastyPtr=(disabled: bool=false) + { + // -- Parse events with the format "Nasty PTR record "" is set up for , ignoring" + SyslogProjects + | where not(disabled) + | where ProcessName == "sshd" and SyslogMessage startswith "Nasty PTR record" + | invoke prefilter() + | parse SyslogMessage with * "set up for " SrcIpAddr: string ", ignoring" + | extend + DvcAction = 'Block', + EventCount = int(1), + EventResult = 'Failure', + EventResultDetails = 'Logon violates policy', + EventSeverity = 'Medium', + EventType = 'Logon', + RuleName = "Nasty PTR record set for IP Address", + TargetUsername = '' + | extend + Rule = RuleName + | project-away SyslogMessage, ProcessName + }; + union isfuzzy=false + SSHDAccepted (disabled=disabled), + SSHDFailed (disabled=disabled), + SSHDInvalidUser (disabled=disabled), + SSHDTimeout (disabled=disabled), + SSHDABreakInAttemptMappingFailed (disabled=disabled), + SSHDABreakInAttemptMappingMismatch (disabled=disabled), + SSHDABreakInAttemptNastyPtr (disabled=disabled) + // Post-filtering + | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any)) + and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) + and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in)) + and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) + and (eventresult == "*" or (EventResult == eventresult)) + // mapping ASimMatchingUsername + | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) + // ActorUsername not coming from source. Hence, not mapped. + | extend ASimMatchingUsername = case + ( + array_length(username_has_any) == 0, "-", + temp_isMatchTargetUsername, "TargetUsername", + "No match" + ) + | invoke _ASIM_ResolveDvcFQDN ('Computer') + | extend + DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceId", ""), + DvcOs = 'Linux', + EventEndTime = TimeGenerated, + EventProduct = 'OpenSSH', + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.2', + EventStartTime = TimeGenerated, + EventSubType = 'Remote', + EventVendor = 'OpenBSD', + LogonProtocol = 'ssh', + TargetAppId = tostring(ProcessID), + TargetAppName = 'sshd', + TargetAppType = 'Service', + TargetDvcOs = 'Linux', + TargetUsernameType = 'Simple', + Type = 'Syslog' + | project-away Computer, ProcessID, temp* + | project-rename + DvcId = _ResourceId, + DvcIpAddr = HostIP, + DvcScopeId = _SubscriptionId, + EventUid = _ItemId + // + // -- Aliases + | extend + Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr), + IpAddr = SrcIpAddr, + Src = SrcIpAddr, + TargetDomain = DvcDomain, + TargetDomainType = DvcDomainType, + TargetDvcId = DvcId, + TargetDvcIdType = DvcIdType, + TargetDvcScopeId = DvcScopeId, + TargetFQDN = DvcFQDN, + TargetHostname = DvcHostname, + TargetIpAddr = DvcIpAddr, + User = TargetUsername, + Application = TargetAppName + | extend Dvc = Dst + }; + parser( + starttime=starttime, + endtime=endtime, + username_has_any=username_has_any, + targetappname_has_any=targetappname_has_any, + srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, + srchostname_has_any=srchostname_has_any, + eventtype_in=eventtype_in, + eventresultdetails_in=eventresultdetails_in, + eventresult=eventresult, + disabled=disabled + ) \ No newline at end of file From 67ce495ccc5fbb41b49216c5c8f590039ecab840 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Wed, 10 Jun 2026 23:06:48 +0000 Subject: [PATCH 17/30] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../vimAuthenticationTestProduct.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json index c4ca53305e8..9da8b86f9ea 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json @@ -27,7 +27,7 @@ "displayName": "Authentication filter ASIM parser for TestProduct", "category": "ASIM", "FunctionAlias": "vimAuthenticationTestProduct", - "query": "let parser = (disabled: bool) {\n // Your parser logic here\n TestProduct\n | where not(disabled)\n | project\n TimeGenerated, Type\n};\nparser(disabled = disabled)", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\nlet LogonMethodLookup = datatable(Method: string, LogonMethod: string)\n[\n 'password', 'Username & password',\n 'publickey', 'PKI',\n 'keyboard-interactive/pam', 'PAM'\n];\nlet prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done later in the parser \n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n { \n // -- Parse events with the format \"Accepted (password|none|publickey|etc.) for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n {\n // -- Parse events with the format Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = coalesce(LogonMethod, \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). [2] will be null if there is no port.\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0, \"-\",\n temp_isMatchTargetUsername, \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple',\n Type = 'Syslog'\n | project-away Computer, ProcessID, temp*\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcIdType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername,\n Application = TargetAppName\n | extend Dvc = Dst\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" } From 174793d2ddd3488d1aab0ee4266eb2ec962eb2f4 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 16:10:30 -0700 Subject: [PATCH 18/30] Remove previous prompt to limit tokens --- .github/workflows/asimFileAndParserValidation.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 67e673664c4..0e8ea2992b7 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -557,8 +557,6 @@ jobs: body: JSON.stringify({ model: 'openai/gpt-5', messages: [ - { role: 'user', content: prompt }, - { role: 'assistant', content: analysis }, { role: 'user', content: vimPrompt } ] }) From caa33eb2ce49e52783dda6d066eb4722b20f463a Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 16:30:07 -0700 Subject: [PATCH 19/30] Try using PAT --- .github/workflows/asimFileAndParserValidation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 0e8ea2992b7..1aeac4fa1be 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -346,7 +346,7 @@ jobs: if: steps.check-safe-to-run.outputs.is_safe == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c env: - GITHUB_TOKEN: ${{ github.token }} + MODELS_TOKEN: ${{ secrets.PAT }} with: script: | const fs = require('fs'); @@ -471,7 +471,7 @@ jobs: const response = await fetch('https://models.github.ai/inference/chat/completions', { method: 'POST', headers: { - 'Authorization': `Bearer ${process.env.GITHUB_TOKEN}`, + 'Authorization': `Bearer ${process.env.MODELS_TOKEN}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ @@ -551,7 +551,7 @@ jobs: const vimResponse = await fetch('https://models.github.ai/inference/chat/completions', { method: 'POST', headers: { - 'Authorization': `Bearer ${process.env.GITHUB_TOKEN}`, + 'Authorization': `Bearer ${process.env.MODELS_TOKEN}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ From b89855158305240d7f4ae34e9001c40af786dbf2 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 10 Jun 2026 16:36:49 -0700 Subject: [PATCH 20/30] Use GITHUB token --- .github/workflows/asimFileAndParserValidation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 1aeac4fa1be..0e8ea2992b7 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -346,7 +346,7 @@ jobs: if: steps.check-safe-to-run.outputs.is_safe == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c env: - MODELS_TOKEN: ${{ secrets.PAT }} + GITHUB_TOKEN: ${{ github.token }} with: script: | const fs = require('fs'); @@ -471,7 +471,7 @@ jobs: const response = await fetch('https://models.github.ai/inference/chat/completions', { method: 'POST', headers: { - 'Authorization': `Bearer ${process.env.MODELS_TOKEN}`, + 'Authorization': `Bearer ${process.env.GITHUB_TOKEN}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ @@ -551,7 +551,7 @@ jobs: const vimResponse = await fetch('https://models.github.ai/inference/chat/completions', { method: 'POST', headers: { - 'Authorization': `Bearer ${process.env.MODELS_TOKEN}`, + 'Authorization': `Bearer ${process.env.GITHUB_TOKEN}`, 'Content-Type': 'application/json' }, body: JSON.stringify({ From afaa9403d55bc78261620fd9387833971ff8eb19 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 10:18:59 -0700 Subject: [PATCH 21/30] Update vim prompt --- .../workflows/asimFileAndParserValidation.yml | 29 +++++++++++++++++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 0e8ea2992b7..f21bbd5cc61 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -380,14 +380,18 @@ jobs: } } - // Extract ParserQuery from the vim-prefixed YAML file + // Extract ParserQuery and ParserParams from the vim-prefixed YAML file let vimParserQuery = null; for (const filePath of vimFiles) { try { const content = fs.readFileSync(filePath, 'utf8'); const parsed = yaml.load(content); if (parsed && parsed.ParserQuery) { - vimParserQuery = { file: filePath, query: parsed.ParserQuery }; + vimParserQuery = { + file: filePath, + query: parsed.ParserQuery, + params: parsed.ParserParams || [] + }; } else { core.warning(`No ParserQuery found in: ${filePath}`); } @@ -505,6 +509,11 @@ jobs: // Analyze the vim-prefixed parser query, passing the previous // conversation as context so the LLM has awareness of the ASim review. if (vimParserQuery) { + // Format ParserParams for the prompt + const paramsTable = vimParserQuery.params.map(p => + `| ${p.Name} | ${p.Type} | ${p.Default} |` + ).join('\n'); + const vimPrompt = `Now review the vim (parameter/filtering) version of \ the same ASIM parser. This parser adds filtering parameters to improve \ query efficiency by reducing the number of rows processed early in the \ @@ -514,6 +523,22 @@ jobs: Do NOT repeat issues already identified in that review. Focus only on \ the filtering logic specific to this vim parser. + Here are the filtering parameters defined in ParserParams: + + | Name | Type | Default | + |------|------|---------| + ${paramsTable} + + These are the ONLY filter parameters available. The query should use \ + these parameters to filter rows as early as possible. + + **Important:** Some filter parameters may not have a matching column \ + in the source data. In that case, the parser will simply check \ + \`array_length() == 0\` (or equivalent) without actually \ + filtering any rows. This is correct and expected — do NOT flag \ + these as issues. Only flag a parameter as unused if it is completely \ + absent from the query. + Here is the ParserQuery from the vim-prefixed YAML file: ### ${vimParserQuery.file} From dd9ca8eefb6665063cb38b0b8a90bdee352f1e0f Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 11:35:18 -0700 Subject: [PATCH 22/30] Changes to validation script and purposely break yamls --- .../workflows/asimFileAndParserValidation.yml | 157 ++++++++++++++++-- .../Parsers/ASimAuthentication.yaml | 4 +- .../Parsers/vimAuthenticationTestProduct.yaml | 4 +- 3 files changed, 150 insertions(+), 15 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index f21bbd5cc61..bd57dab4be4 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -27,6 +27,34 @@ jobs: check-asim-label: runs-on: ubuntu-latest steps: + # ---------------------------------------------------------------- + # Step 0: Remove the "SafeToRun" label on forked PRs. + # Forked PRs run with a read-only GITHUB_TOKEN and cannot + # be trusted to run LLM analysis. Removing the label + # ensures step 7 blocks them from proceeding. + # ---------------------------------------------------------------- + - name: Remove SafeToRun label on forked PRs + if: github.event.pull_request.head.repo.fork == true && github.event.action == 'synchronize' + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + with: + script: | + const labels = context.payload.pull_request.labels.map(l => l.name); + if (labels.includes('SafeToRun')) { + core.info('Forked PR detected — removing SafeToRun label.'); + try { + await github.rest.issues.removeLabel({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + name: 'SafeToRun' + }); + } catch (err) { + core.setFailed(`Failed to remove SafeToRun label: ${err.message}`); + } + } else { + core.info('Forked PR detected — SafeToRun label not present.'); + } + # ---------------------------------------------------------------- # Step 1: Check if the PR has the "ASIM" label. # If not, all subsequent steps are skipped. @@ -204,8 +232,13 @@ jobs: run: npm install js-yaml # ---------------------------------------------------------------- - # Step 6: Validate Parser.Version against CHANGELOG entries. + # Step 6: Validate parser YAML files and CHANGELOG entries. # For each new parser YAML file: + # - Checks that EquivalentBuiltInParser exists + # - ASim-prefixed: verifies its EquivalentBuiltInParser value + # is listed in the ASim unifying parser's Parsers list + # - vim-prefixed: verifies its EquivalentBuiltInParser value + # is listed in the im unifying parser's Parsers list # - Reads Parser.Version from the YAML # - Checks that the corresponding CHANGELOG .md file # contains a matching "Version X.X" entry @@ -214,7 +247,7 @@ jobs: # - Same version-to-CHANGELOG validation # Outputs the parsed file contents as JSON for later steps. # ---------------------------------------------------------------- - - name: Check parser and changelog for matching versions + - name: Validate parser files and changelog versions id: read-yaml if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c @@ -227,6 +260,36 @@ jobs: const newYamlFiles = newFiles.filter(f => parserPattern.test(f)); const errors = []; + // Derive the schema directory and names from the first new parser file + const sampleMatch = newYamlFiles[0]?.match(parserPattern); + let schemaDir, schemaName, shortSchema, asimUnifyingParsers, imUnifyingParsers; + let asimUnifyingQuery, imUnifyingQuery; + + if (sampleMatch) { + schemaDir = sampleMatch[1]; // e.g. Parsers/ASimAuthentication + schemaName = schemaDir.split('/')[1]; // e.g. ASimAuthentication + shortSchema = schemaName.replace(/^ASim/, ''); // e.g. Authentication + + // Load the Parsers lists from the unifying parser YAML files + try { + const asimContent = fs.readFileSync(`${schemaDir}/Parsers/${schemaName}.yaml`, 'utf8'); + const asimParsed = yaml.load(asimContent); + asimUnifyingParsers = asimParsed?.Parsers || []; + asimUnifyingQuery = asimParsed?.ParserQuery || ''; + } catch (err) { + errors.push(`Could not read ASim unifying parser: ${schemaDir}/Parsers/${schemaName}.yaml - ${err.message}`); + } + + try { + const imContent = fs.readFileSync(`${schemaDir}/Parsers/im${shortSchema}.yaml`, 'utf8'); + const imParsed = yaml.load(imContent); + imUnifyingParsers = imParsed?.Parsers || []; + imUnifyingQuery = imParsed?.ParserQuery || ''; + } catch (err) { + errors.push(`Could not read im unifying parser: ${schemaDir}/Parsers/im${shortSchema}.yaml - ${err.message}`); + } + } + const parsedFiles = {}; for (const filePath of newYamlFiles) { try { @@ -235,7 +298,85 @@ jobs: parsedFiles[filePath] = parsed; core.info(`Read file: ${filePath}`); - // Extract Parser.Version and validate against CHANGELOG + const fileName = filePath.match(parserPattern)[2]; // e.g. ASimAuthenticationTestProduct + + // --- Validate EquivalentBuiltInParser --- + const equivalentParser = parsed?.EquivalentBuiltInParser; + if (!equivalentParser) { + errors.push(`Missing EquivalentBuiltInParser in: ${filePath}`); + } else { + core.info(` EquivalentBuiltInParser: ${equivalentParser}`); + + // Validate naming format + if (fileName.startsWith('ASim')) { + const expectedPrefix = `_ASim_${shortSchema}_`; + if (!equivalentParser.startsWith(expectedPrefix)) { + errors.push(`EquivalentBuiltInParser in ${filePath} must follow the format _ASim_${shortSchema}_, but found: ${equivalentParser}`); + } + } + if (fileName.startsWith('vim')) { + const expectedPrefix = `_Im_${shortSchema}_`; + if (!equivalentParser.startsWith(expectedPrefix)) { + errors.push(`EquivalentBuiltInParser in ${filePath} must follow the format _Im_${shortSchema}_, but found: ${equivalentParser}`); + } + } + + // Validate ParserName exists and is referenced in the unifying parser's ParserQuery + const parserName = parsed?.ParserName; + if (!parserName) { + errors.push(`Missing ParserName in: ${filePath}`); + } else { + // Validate ParserName format + if (fileName.startsWith('ASim')) { + const expectedPrefix = `ASim${shortSchema}`; + if (!parserName.startsWith(expectedPrefix) || parserName === expectedPrefix) { + errors.push(`ParserName in ${filePath} must follow the format ASim${shortSchema}, but found: ${parserName}`); + } + } + if (fileName.startsWith('vim')) { + const expectedPrefix = `vim${shortSchema}`; + if (!parserName.startsWith(expectedPrefix) || parserName === expectedPrefix) { + errors.push(`ParserName in ${filePath} must follow the format vim${shortSchema}, but found: ${parserName}`); + } + } + + // Validate ParserName is referenced in the unifying parser's ParserQuery + if (fileName.startsWith('ASim') && asimUnifyingQuery) { + if (asimUnifyingQuery.includes(parserName)) { + core.info(` ParserName ${parserName} found in ${schemaName}.yaml ParserQuery`); + } else { + errors.push(`ParserName ${parserName} from ${filePath} is not referenced in ${schemaDir}/Parsers/${schemaName}.yaml ParserQuery`); + } + } + if (fileName.startsWith('vim') && imUnifyingQuery) { + if (imUnifyingQuery.includes(parserName)) { + core.info(` ParserName ${parserName} found in im${shortSchema}.yaml ParserQuery`); + } else { + errors.push(`ParserName ${parserName} from ${filePath} is not referenced in ${schemaDir}/Parsers/im${shortSchema}.yaml ParserQuery`); + } + } + } + + // ASim-prefixed parsers must be in ASim unifying parser's Parsers list + if (fileName.startsWith('ASim') && asimUnifyingParsers) { + if (asimUnifyingParsers.includes(equivalentParser)) { + core.info(` ${equivalentParser} found in ${schemaName}.yaml Parsers list`); + } else { + errors.push(`${equivalentParser} from ${filePath} is not listed in ${schemaDir}/Parsers/${schemaName}.yaml Parsers list`); + } + } + + // vim-prefixed parsers must be in im unifying parser's Parsers list + if (fileName.startsWith('vim') && imUnifyingParsers) { + if (imUnifyingParsers.includes(equivalentParser)) { + core.info(` ${equivalentParser} found in im${shortSchema}.yaml Parsers list`); + } else { + errors.push(`${equivalentParser} from ${filePath} is not listed in ${schemaDir}/Parsers/im${shortSchema}.yaml Parsers list`); + } + } + } + + // --- Validate Parser.Version against CHANGELOG --- const version = parsed?.Parser?.Version; if (!version) { errors.push(`Missing Parser.Version in: ${filePath}`); @@ -265,13 +406,7 @@ jobs: // Also validate the unifying (edited) parsers: ASim.yaml and im.yaml // These are existing files modified in the PR, not new files. - // Derive the schema directory from one of the new parser files. - const sampleMatch = newYamlFiles[0]?.match(parserPattern); if (sampleMatch) { - const schemaDir = sampleMatch[1]; // e.g. Parsers/ASimWebSession - const schemaName = schemaDir.split('/')[1]; // e.g. ASimWebSession - const shortSchema = schemaName.replace(/^ASim/, ''); // e.g. WebSession - const unifyingParsers = [ { yaml: `${schemaDir}/Parsers/${schemaName}.yaml`, changelog: `${schemaDir}/CHANGELOG/${schemaName}.md` }, { yaml: `${schemaDir}/Parsers/im${shortSchema}.yaml`, changelog: `${schemaDir}/CHANGELOG/im${shortSchema}.md` } @@ -306,7 +441,7 @@ jobs: } if (errors.length > 0) { - const body = `## ASIM Version Validation Failed\n\nThe following version/CHANGELOG mismatches were found:\n\n${errors.map(e => '- ' + e).join('\n')}\n\n---\n*This comment was generated automatically by the ASIM File and Parser Validation workflow.*`; + const body = `## ASIM Parser Validation Failed\n\nThe following validation errors were found:\n\n${errors.map(e => '- ' + e).join('\n')}\n\n---\n*This comment was generated automatically by the ASIM File and Parser Validation workflow.*`; await github.rest.issues.createComment({ owner: context.repo.owner, repo: context.repo.repo, @@ -314,7 +449,7 @@ jobs: body: body }); errors.forEach(e => core.error(e)); - core.setFailed('YAML/CHANGELOG version validation failed. See PR comment for details.'); + core.setFailed('Parser validation failed. See PR comment for details.'); } # ---------------------------------------------------------------- diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 435545496b8..0cd98f64ce0 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -62,7 +62,7 @@ ParserQuery: | ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack), ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack), ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack), - ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack), + ASimAuthenticationTestProduct1234 (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack), Parsers: - _Im_Authentication_Empty - _ASim_Authentication_AADManagedIdentitySignInLogs @@ -103,4 +103,4 @@ Parsers: - _ASim_Authentication_Native - _ASim_Authentication_VMwareESXi - _ASim_Authentication_PaloAltoGlobalProtect - - _ASim_Authentication_TestProduct + - _ASim_Authentication_TestProduct1234 diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml index 5bdf824d3ed..3f87fa4e3cc 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | TEST DESCRIPTION -ParserName: vimAuthenticationTestProduct -EquivalentBuiltInParser: _Im_Authentication_TestProduct +ParserName: vimNetworkSessionTestProduct +EquivalentBuiltInParser: Im_Authentication_TestProduct ParserParams: - Name: starttime Type: datetime From eb733cb16e2cf3ff42f564663b632703493cd80d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Thu, 11 Jun 2026 18:48:44 +0000 Subject: [PATCH 23/30] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ARM/ASimAuthentication/ASimAuthentication.json | 2 +- .../vimAuthenticationTestProduct.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index 56cd04c140d..6fc38448dad 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json @@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack),\n ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack),\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack),\n ASimAuthenticationTestProduct1234 (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack),\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json index 9da8b86f9ea..d48460114bc 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json @@ -20,13 +20,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "apiVersion": "2020-08-01", - "name": "[concat(parameters('Workspace'), '/vimAuthenticationTestProduct')]", + "name": "[concat(parameters('Workspace'), '/vimNetworkSessionTestProduct')]", "location": "[parameters('WorkspaceRegion')]", "properties": { "etag": "*", "displayName": "Authentication filter ASIM parser for TestProduct", "category": "ASIM", - "FunctionAlias": "vimAuthenticationTestProduct", + "FunctionAlias": "vimNetworkSessionTestProduct", "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\nlet LogonMethodLookup = datatable(Method: string, LogonMethod: string)\n[\n 'password', 'Username & password',\n 'publickey', 'PKI',\n 'keyboard-interactive/pam', 'PAM'\n];\nlet prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done later in the parser \n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n { \n // -- Parse events with the format \"Accepted (password|none|publickey|etc.) for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n {\n // -- Parse events with the format Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = coalesce(LogonMethod, \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). [2] will be null if there is no port.\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0, \"-\",\n temp_isMatchTargetUsername, \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple',\n Type = 'Syslog'\n | project-away Computer, ProcessID, temp*\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcIdType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername,\n Application = TargetAppName\n | extend Dvc = Dst\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" From 6965c8b3050f97c07da4264cba7a78ff24a7c5bb Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 12:25:13 -0700 Subject: [PATCH 24/30] Fix validation issues --- Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml | 4 ++-- .../Parsers/vimAuthenticationTestProduct.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 0cd98f64ce0..435545496b8 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -62,7 +62,7 @@ ParserQuery: | ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack), ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack), ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack), - ASimAuthenticationTestProduct1234 (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack), + ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack), Parsers: - _Im_Authentication_Empty - _ASim_Authentication_AADManagedIdentitySignInLogs @@ -103,4 +103,4 @@ Parsers: - _ASim_Authentication_Native - _ASim_Authentication_VMwareESXi - _ASim_Authentication_PaloAltoGlobalProtect - - _ASim_Authentication_TestProduct1234 + - _ASim_Authentication_TestProduct diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml index 3f87fa4e3cc..5bdf824d3ed 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml @@ -14,8 +14,8 @@ References: Link: https://aka.ms/AboutASIM Description: | TEST DESCRIPTION -ParserName: vimNetworkSessionTestProduct -EquivalentBuiltInParser: Im_Authentication_TestProduct +ParserName: vimAuthenticationTestProduct +EquivalentBuiltInParser: _Im_Authentication_TestProduct ParserParams: - Name: starttime Type: datetime From 1936529476a60f15b66910617a402c4920abf8bc Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 12:29:43 -0700 Subject: [PATCH 25/30] Update comments --- .../workflows/asimFileAndParserValidation.yml | 116 ++++++++++-------- 1 file changed, 66 insertions(+), 50 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index bd57dab4be4..84d66b62218 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -5,11 +5,17 @@ # It checks: # 1. The PR has the "ASIM" label # 2. New files follow the expected directory structure -# 3. Required companion files (union parsers, changelogs) are present -# 4. Parser.Version in new and unifying parser YAML files matches +# 3. Required companion files (unifying parsers, changelogs) are present +# 4. EquivalentBuiltInParser exists, follows naming conventions, and +# is listed in the unifying parser's Parsers list +# 5. ParserName exists, follows naming conventions, and is +# referenced in the unifying parser's ParserQuery +# 6. Parser.Version in new and unifying parser YAML files matches # a corresponding entry in their CHANGELOG files -# 5. The KQL ParserQuery from the new ASim-prefixed parser is -# analyzed by an LLM for correctness and ASIM compliance +# 7. On forked PRs with synchronize events, the SafeToRun label +# is removed to prevent untrusted LLM execution +# 8. The KQL ParserQuery from new ASim and vim parsers is +# analyzed by an LLM for performance and best practices # ============================================================================ name: New ASIM File and Parser Validation @@ -27,34 +33,6 @@ jobs: check-asim-label: runs-on: ubuntu-latest steps: - # ---------------------------------------------------------------- - # Step 0: Remove the "SafeToRun" label on forked PRs. - # Forked PRs run with a read-only GITHUB_TOKEN and cannot - # be trusted to run LLM analysis. Removing the label - # ensures step 7 blocks them from proceeding. - # ---------------------------------------------------------------- - - name: Remove SafeToRun label on forked PRs - if: github.event.pull_request.head.repo.fork == true && github.event.action == 'synchronize' - uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c - with: - script: | - const labels = context.payload.pull_request.labels.map(l => l.name); - if (labels.includes('SafeToRun')) { - core.info('Forked PR detected — removing SafeToRun label.'); - try { - await github.rest.issues.removeLabel({ - owner: context.repo.owner, - repo: context.repo.repo, - issue_number: context.payload.pull_request.number, - name: 'SafeToRun' - }); - } catch (err) { - core.setFailed(`Failed to remove SafeToRun label: ${err.message}`); - } - } else { - core.info('Forked PR detected — SafeToRun label not present.'); - } - # ---------------------------------------------------------------- # Step 1: Check if the PR has the "ASIM" label. # If not, all subsequent steps are skipped. @@ -217,11 +195,14 @@ jobs: # Requires file validation to pass and ASIM YAML files to exist. # Step 4: Checkout the repository to read files from disk. # Step 5: Install js-yaml for YAML parsing. - # Step 6: Validate Parser.Version in new parser YAML files and - # unifying parsers against their CHANGELOG entries. + # Step 6: Validate parser YAML fields (EquivalentBuiltInParser, + # ParserName, Parser.Version) and cross-reference + # against unifying parsers and CHANGELOG entries. # Step 7: Check if the PR has the "SafeToRun" label. - # Step 8: Send the ASim-prefixed parser's KQL query to an LLM - # for analysis (only if last commit touched the file). + # Then remove it on forked PRs (synchronize events) + # to prevent untrusted LLM execution on next push. + # Step 8: Send ASim and vim parser KQL queries to an LLM + # for performance and best practices review. # ---------------------------------------------------------------- - name: Checkout repository if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' @@ -232,20 +213,21 @@ jobs: run: npm install js-yaml # ---------------------------------------------------------------- - # Step 6: Validate parser YAML files and CHANGELOG entries. + # Step 6: Validate parser YAML fields and CHANGELOG entries. # For each new parser YAML file: - # - Checks that EquivalentBuiltInParser exists - # - ASim-prefixed: verifies its EquivalentBuiltInParser value - # is listed in the ASim unifying parser's Parsers list - # - vim-prefixed: verifies its EquivalentBuiltInParser value - # is listed in the im unifying parser's Parsers list - # - Reads Parser.Version from the YAML - # - Checks that the corresponding CHANGELOG .md file - # contains a matching "Version X.X" entry + # - EquivalentBuiltInParser: must exist, follow naming format + # (_ASim__ or _Im__), + # and be listed in the corresponding unifying parser's + # Parsers array + # - ParserName: must exist, follow naming format + # (ASim or vim), + # and be referenced in the corresponding unifying + # parser's ParserQuery + # - Parser.Version: must exist and have a matching + # "Version X.X" entry in the corresponding CHANGELOG # For the unifying (edited) parsers (ASim.yaml, # im.yaml): - # - Same version-to-CHANGELOG validation - # Outputs the parsed file contents as JSON for later steps. + # - Parser.Version to CHANGELOG validation # ---------------------------------------------------------------- - name: Validate parser files and changelog versions id: read-yaml @@ -472,9 +454,43 @@ jobs: } # ---------------------------------------------------------------- - # Step 8: LLM-based analysis of the new parser's KQL query. - # Extracts the ParserQuery from the new ASim-prefixed YAML file - # and sends it to the GitHub Models API (GPT-5) for review. + # Remove the "SafeToRun" label on forked PRs. + # Forked PRs run with a read-only GITHUB_TOKEN and cannot + # be trusted to run LLM analysis. Removing the label on + # synchronize events ensures the SafeToRun check above + # blocks them from proceeding on subsequent pushes. + # ---------------------------------------------------------------- + - name: Remove SafeToRun label on forked PRs + if: github.event.pull_request.head.repo.fork == true && github.event.action == 'synchronize' + uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c + with: + script: | + const labels = context.payload.pull_request.labels.map(l => l.name); + if (labels.includes('SafeToRun')) { + core.info('Forked PR detected — removing SafeToRun label.'); + try { + await github.rest.issues.removeLabel({ + owner: context.repo.owner, + repo: context.repo.repo, + issue_number: context.payload.pull_request.number, + name: 'SafeToRun' + }); + } catch (err) { + core.setFailed(`Failed to remove SafeToRun label: ${err.message}`); + } + } else { + core.info('Forked PR detected — SafeToRun label not present.'); + } + + # ---------------------------------------------------------------- + # Step 8: LLM-based analysis of the new parser KQL queries. + # Extracts ParserQuery from the new ASim-prefixed and + # vim-prefixed YAML files. Sends two sequential LLM calls: + # 1. ASim parser: reviewed for KQL performance, operator + # efficiency, and ASIM best practices + # 2. vim parser: reviewed for filter parameter placement, + # efficiency, and completeness (includes ParserParams) + # Results are posted as separate PR comments. # Only runs if the PR has the "SafeToRun" label. # ---------------------------------------------------------------- - name: Analyze parsers for ASIM best practices From c52d4fb9b02ba68ece213226b628cb2b89defa2b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Thu, 11 Jun 2026 19:36:47 +0000 Subject: [PATCH 26/30] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ARM/ASimAuthentication/ASimAuthentication.json | 2 +- .../vimAuthenticationTestProduct.json | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index 6fc38448dad..56cd04c140d 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json @@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack),\n ASimAuthenticationTestProduct1234 (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack),\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack),\n ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack),\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json index d48460114bc..9da8b86f9ea 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json @@ -20,13 +20,13 @@ { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "apiVersion": "2020-08-01", - "name": "[concat(parameters('Workspace'), '/vimNetworkSessionTestProduct')]", + "name": "[concat(parameters('Workspace'), '/vimAuthenticationTestProduct')]", "location": "[parameters('WorkspaceRegion')]", "properties": { "etag": "*", "displayName": "Authentication filter ASIM parser for TestProduct", "category": "ASIM", - "FunctionAlias": "vimNetworkSessionTestProduct", + "FunctionAlias": "vimAuthenticationTestProduct", "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\nlet LogonMethodLookup = datatable(Method: string, LogonMethod: string)\n[\n 'password', 'Username & password',\n 'publickey', 'PKI',\n 'keyboard-interactive/pam', 'PAM'\n];\nlet prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done later in the parser \n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n { \n // -- Parse events with the format \"Accepted (password|none|publickey|etc.) for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n {\n // -- Parse events with the format Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = coalesce(LogonMethod, \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). [2] will be null if there is no port.\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0, \"-\",\n temp_isMatchTargetUsername, \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple',\n Type = 'Syslog'\n | project-away Computer, ProcessID, temp*\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcIdType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername,\n Application = TargetAppName\n | extend Dvc = Dst\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" From a5dcc72620d3a8172aebf704c2874cd7cf99d7c4 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 13:54:14 -0700 Subject: [PATCH 27/30] Remove TestProduct --- .../workflows/asimFileAndParserValidation.yml | 2 +- .../ASimAuthenticationTestProduct.json | 36 -- .../ASimAuthenticationTestProduct/README.md | 21 -- .../vimAuthenticationTestProduct/README.md | 21 -- .../vimAuthenticationTestProduct.json | 36 -- .../CHANGELOG/ASimAuthentication.md | 4 - .../ASimAuthenticationTestProduct.md | 5 - .../CHANGELOG/imAuthentication.md | 4 - .../CHANGELOG/vimAuthenticationTestProduct.md | 5 - .../Parsers/ASimAuthentication.yaml | 4 +- .../ASimAuthenticationTestProduct.yaml | 226 ------------ .../Parsers/imAuthentication.yaml | 4 +- .../Parsers/vimAuthenticationTestProduct.yaml | 328 ------------------ 13 files changed, 3 insertions(+), 693 deletions(-) delete mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json delete mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json delete mode 100644 Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md delete mode 100644 Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md delete mode 100644 Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml delete mode 100644 Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 84d66b62218..87d44028375 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -30,7 +30,7 @@ permissions: models: read # Access GitHub Models API for LLM analysis jobs: - check-asim-label: + validate-asim-files-parsers: runs-on: ubuntu-latest steps: # ---------------------------------------------------------------- diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json deleted file mode 100644 index 7666c027635..00000000000 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2020-08-01", - "name": "[concat(parameters('Workspace'), '/ASimAuthenticationTestProduct')]", - "location": "[parameters('WorkspaceRegion')]", - "properties": { - "etag": "*", - "displayName": "Authentication ASIM parser for TestProduct", - "category": "ASIM", - "FunctionAlias": "ASimAuthenticationTestProduct", - "query": "let parser = (disabled:bool=false) {\n let LogonMethodLookup = datatable(Method: string, LogonMethod: string)\n [\n 'password', 'Username & password',\n 'publickey', 'PKI',\n 'keyboard-interactive/pam', 'PAM'\n ];\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login \n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted (password|none|publickey|etc.) for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). [2] will be null if there is no port.\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple',\n Type = 'Syslog'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcIdType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername,\n Application = TargetAppName\n | extend Dvc = Dst\n };\n parser (\n disabled=disabled\n )", - "version": 1, - "functionParameters": "disabled:bool=False" - } - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md deleted file mode 100644 index 9076173c326..00000000000 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# TestProduct ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for TestProduct. - -TEST DESCRIPTION - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -For the changelog, see: -- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationTestProduct%2FASimAuthenticationTestProduct.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationTestProduct%2FASimAuthenticationTestProduct.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md deleted file mode 100644 index f54f1872eee..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# TestProduct ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for TestProduct. - -TEST DESCRIPTION - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -For the changelog, see: -- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationTestProduct%2FvimAuthenticationTestProduct.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationTestProduct%2FvimAuthenticationTestProduct.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json deleted file mode 100644 index d48460114bc..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2020-08-01", - "name": "[concat(parameters('Workspace'), '/vimNetworkSessionTestProduct')]", - "location": "[parameters('WorkspaceRegion')]", - "properties": { - "etag": "*", - "displayName": "Authentication filter ASIM parser for TestProduct", - "category": "ASIM", - "FunctionAlias": "vimNetworkSessionTestProduct", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\nlet LogonMethodLookup = datatable(Method: string, LogonMethod: string)\n[\n 'password', 'Username & password',\n 'publickey', 'PKI',\n 'keyboard-interactive/pam', 'PAM'\n];\nlet prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime))\n{\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n// eventresultdetails_in filtering done later in the parser\n// eventresult filtering done later in the parser \n};\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled: bool=false)\n { \n // -- Parse events with the format \"Accepted (password|none|publickey|etc.) for from port ssh2\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = case(\n isnotempty(LogonMethod), LogonMethod,\n SyslogMessage has \"key RSA\", \"PKI\",\n \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled: bool=false)\n {\n // -- Parse events with the format Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" Method: string \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon'\n | lookup LogonMethodLookup on Method\n | extend LogonMethod = coalesce(LogonMethod, \"Other\")\n | project-away SyslogMessage, ProcessName, Method\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled: bool=false)\n {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername: string \" \" SrcIpAddr: string \" port \" SrcPortNumber: int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled: bool=false)\n {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be \"0.0.0.0 port 0\" or just \"0.0.0.0\"\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend SrcInfo = split(SrcIpAddrAndPort, \" \")\n | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] (\"port\"). [2] will be null if there is no port.\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled: bool=false)\n {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false)\n {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr: string \" maps to \" Src: string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled: bool=false)\n {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr: string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0, \"-\",\n temp_isMatchTargetUsername, \"TargetUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple',\n Type = 'Syslog'\n | project-away Computer, ProcessID, temp*\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcIdType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername,\n Application = TargetAppName\n | extend Dvc = Dst\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False,pack:bool=False" - } - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md index c3fef0705b9..ab08dac1d76 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthentication.md @@ -1,9 +1,5 @@ # Changelog for ASimAuthentication.yaml -## Version 0.2.16 - -- Test - ## Version 0.2.15 - (2026-04-13) ASIM Authentication Parser for VMware ESXi - [PR #13989](https://github.com/Azure/Azure-Sentinel/pull/13989) diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md deleted file mode 100644 index 2b27a97183e..00000000000 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationTestProduct.md +++ /dev/null @@ -1,5 +0,0 @@ -# Changelog for ASimAuthenticationTestProduct.yaml - -## Version 0.1.0 - -- Test \ No newline at end of file diff --git a/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md b/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md index 175a78e0cd9..c8497c1151a 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md +++ b/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md @@ -1,9 +1,5 @@ # Changelog for imAuthentication.yaml -## Version 0.3.13 - -- Test - ## Version 0.3.12 - (2026-05-05) ASIM Authentication Parser for VMware ESXi - [PR #13989](https://github.com/Azure/Azure-Sentinel/pull/13989) diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md deleted file mode 100644 index c50334a1d89..00000000000 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationTestProduct.md +++ /dev/null @@ -1,5 +0,0 @@ -# Changelog for vimAuthenticationTestProduct.yaml - -## Version 0.1.0 - -- Test \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 435545496b8..9f4d6f5ccdb 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -1,6 +1,6 @@ Parser: Title: Authentication ASIM parser - Version: '0.2.16' + Version: '0.2.15' LastUpdated: May 05, 2026 Product: Name: Source agnostic @@ -62,7 +62,6 @@ ParserQuery: | ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack), ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack), ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack), - ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack), Parsers: - _Im_Authentication_Empty - _ASim_Authentication_AADManagedIdentitySignInLogs @@ -103,4 +102,3 @@ Parsers: - _ASim_Authentication_Native - _ASim_Authentication_VMwareESXi - _ASim_Authentication_PaloAltoGlobalProtect - - _ASim_Authentication_TestProduct diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml deleted file mode 100644 index eb7915441f6..00000000000 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationTestProduct.yaml +++ /dev/null @@ -1,226 +0,0 @@ -Parser: - Title: Authentication ASIM parser for TestProduct - Version: '0.1.0' - LastUpdated: Mar 11, 2026 -Product: - Name: TestProduct -Normalization: - Schema: Authentication - Version: '0.1.3' -References: - - Title: ASIM Authentication Schema - Link: https://aka.ms/ASimAuthenticationDoc - - Title: ASIM - Link: https://aka.ms/AboutASIM -Description: | - TEST DESCRIPTION -ParserName: ASimAuthenticationTestProduct -EquivalentBuiltInParser: _ASim_Authentication_TestProduct -ParserParams: - - Name: disabled - Type: bool - Default: false -ParserQuery: | - let parser = (disabled:bool=false) { - let LogonMethodLookup = datatable(Method: string, LogonMethod: string) - [ - 'password', 'Username & password', - 'publickey', 'PKI', - 'keyboard-interactive/pam', 'PAM' - ]; - let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId; - // - // -- Successful login - let SSHDAccepted=(disabled:bool=false) { - // -- Parse events with the format "Accepted (password|none|publickey|etc.) for from port ssh2" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith 'Accepted' - | parse SyslogMessage with "Accepted " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * - | extend - EventCount = int(1), - EventResult = 'Success', - EventSeverity = 'Informational', - EventType = 'Logon' - | lookup LogonMethodLookup on Method - | extend LogonMethod = case( - isnotempty(LogonMethod), LogonMethod, - SyslogMessage has "key RSA", "PKI", - "Other") - | project-away SyslogMessage, ProcessName, Method - }; - // - // -- Failed login - incorrect password - let SSHDFailed=(disabled:bool=false) { - // -- Parse events with the format "Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]" - // -- Or a number of such events message repeated times: [ ] - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and ( - SyslogMessage startswith 'Failed' - or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed') - ) - | parse SyslogMessage with * "Failed " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * - | parse SyslogMessage with "message repeated" EventCount:int " times:" * - | extend - EventCount = toint(coalesce(EventCount,1)), - EventResult = 'Failure', - EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'), - EventSeverity = 'Low' , - EventType = 'Logon' - | lookup LogonMethodLookup on Method - | extend LogonMethod = case( - isnotempty(LogonMethod), LogonMethod, - SyslogMessage has "key RSA", "PKI", - "Other") - | project-away SyslogMessage, ProcessName, Method - }; - // - // -- Logoff - Timeout - let SSHDTimeout=(disabled:bool=false) { - // -- Parse events with the format "Timeout, client not responding from user yanivsh 131.107.174.198 port 7623" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith 'Timeout' - | parse-where SyslogMessage with * "user " TargetUsername:string " " SrcIpAddr:string " port " SrcPortNumber:int - | extend - EventCount = int(1), - EventResult = 'Success', - EventSeverity = 'Informational', - EventType = 'Logoff' - | project-away SyslogMessage, ProcessName - }; - // - // -- Failed login - invalid user - let SSHDInvalidUser=(disabled:bool=false) { - // -- Parse events with the format "Invalid user [] from port " - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith 'Invalid user' - | parse SyslogMessage with "Invalid user " TargetUsername:string " from " SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be "0.0.0.0 port 0" or just "0.0.0.0" - | parse SyslogMessage with "Invalid user from " SrcIpAddrNoUser:string " port " SrcPortNumberNoUser:int - | extend SrcInfo = split(SrcIpAddrAndPort, " ") - | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] ("port"). [2] will be null if there is no port. - | extend - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'No such user', - EventSeverity = 'Low', - EventType = 'Logon', - SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser), - SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser) - | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo - }; - // - // -- Blocked intrusion attempts - let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) { - // -- Parse events with the format "reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith "reverse mapping checking getaddrinfo for" - | parse SyslogMessage with * " for " Src " [" SrcIpAddr "]" * - | invoke _ASIM_ResolveSrcFQDN ('Src') - | extend - DvcAction = 'Block', - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'Logon violates policy', - EventSeverity = 'Medium', - EventType = 'Logon', - RuleName = "Reverse mapping failed", - TargetUsername = '' - | extend - Rule = RuleName - | project-away SyslogMessage, ProcessName, Src - }; - let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) { - // -- Parse events with the format "Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage has "but this does not map back to the address" - | parse SyslogMessage with "Address " SrcIpAddr:string " maps to " Src:string ", but this" * - | invoke _ASIM_ResolveSrcFQDN ('Src') - | extend - DvcAction = 'Block', - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'Logon violates policy', - EventSeverity = 'Medium', - EventType = 'Logon', - RuleName = "Address to host to address mapping does not map back to address", - TargetUsername = '' - | extend - Rule = RuleName - | project-away SyslogMessage, ProcessName, Src - }; - let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) { - // -- Parse events with the format "Nasty PTR record "" is set up for , ignoring" - SyslogProjects | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith "Nasty PTR record" - | parse SyslogMessage with * "set up for " SrcIpAddr:string ", ignoring" - | extend - DvcAction = 'Block', - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'Logon violates policy', - EventSeverity = 'Medium', - EventType = 'Logon', - RuleName = "Nasty PTR record set for IP Address", - TargetUsername = '' - | extend - Rule = RuleName - | project-away SyslogMessage, ProcessName - }; - union isfuzzy=false - SSHDAccepted (disabled=disabled), - SSHDFailed (disabled=disabled), - SSHDInvalidUser (disabled=disabled), - SSHDTimeout (disabled=disabled), - SSHDABreakInAttemptMappingFailed (disabled=disabled), - SSHDABreakInAttemptMappingMismatch (disabled=disabled), - SSHDABreakInAttemptNastyPtr (disabled=disabled) - | invoke _ASIM_ResolveDvcFQDN ('Computer') - | extend - DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceId", ""), - DvcOs = 'Linux', - EventEndTime = TimeGenerated, - EventProduct = 'OpenSSH', - EventSchema = 'Authentication', - EventSchemaVersion = '0.1.3', - EventStartTime = TimeGenerated, - EventSubType = 'Remote', - EventVendor = 'OpenBSD', - LogonProtocol = 'ssh', - TargetAppId = tostring(ProcessID), - TargetAppName = 'sshd', - TargetAppType = 'Service', - TargetDvcOs = 'Linux', - TargetUsernameType = 'Simple', - Type = 'Syslog' - | project-away Computer, ProcessID - | project-rename - DvcId = _ResourceId, - DvcIpAddr = HostIP, - DvcScopeId = _SubscriptionId, - EventUid = _ItemId - // - // -- Aliases - | extend - Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr), - IpAddr = SrcIpAddr, - Src = SrcIpAddr, - TargetDomain = DvcDomain, - TargetDomainType = DvcDomainType, - TargetDvcId = DvcId, - TargetDvcIdType = DvcIdType, - TargetDvcScopeId = DvcScopeId, - TargetFQDN = DvcFQDN, - TargetHostname = DvcHostname, - TargetIpAddr = DvcIpAddr, - User = TargetUsername, - Application = TargetAppName - | extend Dvc = Dst - }; - parser ( - disabled=disabled - ) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml index 66e2e768e80..1f1c4546338 100644 --- a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml @@ -90,7 +90,6 @@ ParserQuery: | , vimAuthenticationVMwareESXi (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareESXi' in (DisabledParsers) )), pack=pack) , vimAuthenticationPaloAltoPanOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )), pack=pack) , vimAuthenticationPaloAltoGlobalProtect (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) )), pack=pack) - , vimAuthenticationTestProduct (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationTestProduct' in (DisabledParsers) )), pack=pack) }; Generic(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack) Parsers: @@ -131,5 +130,4 @@ Parsers: - _Im_Authentication_CrowdStrikeFalconHost - _Im_Authentication_IllumioSaaSCore - _Im_Authentication_Native - - _Im_Authentication_VMwareESXi - - _Im_Authentication_TestProduct \ No newline at end of file + - _Im_Authentication_VMwareESXi \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml deleted file mode 100644 index 5bdf824d3ed..00000000000 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationTestProduct.yaml +++ /dev/null @@ -1,328 +0,0 @@ -Parser: - Title: Authentication filter ASIM parser for TestProduct - Version: '0.1.0' - LastUpdated: Mar 11, 2026 -Product: - Name: TestProduct -Normalization: - Schema: Authentication - Version: '0.1.3' -References: - - Title: ASIM Authentication Schema - Link: https://aka.ms/ASimAuthenticationDoc - - Title: ASIM - Link: https://aka.ms/AboutASIM -Description: | - TEST DESCRIPTION -ParserName: vimAuthenticationTestProduct -EquivalentBuiltInParser: _Im_Authentication_TestProduct -ParserParams: - - Name: starttime - Type: datetime - Default: datetime(null) - - Name: endtime - Type: datetime - Default: datetime(null) - - Name: username_has_any - Type: dynamic - Default: dynamic([]) - - Name: targetappname_has_any - Type: dynamic - Default: dynamic([]) - - Name: srcipaddr_has_any_prefix - Type: dynamic - Default: dynamic([]) - - Name: srchostname_has_any - Type: dynamic - Default: dynamic([]) - - Name: eventtype_in - Type: dynamic - Default: dynamic([]) - - Name: eventresultdetails_in - Type: dynamic - Default: dynamic([]) - - Name: eventresult - Type: string - Default: '*' - - Name: disabled - Type: bool - Default: false - - Name: pack - Type: bool - Default: false -ParserQuery: | - let parser = ( - starttime: datetime=datetime(null), - endtime: datetime=datetime(null), - username_has_any: dynamic = dynamic([]), - targetappname_has_any: dynamic = dynamic([]), - srcipaddr_has_any_prefix: dynamic = dynamic([]), - srchostname_has_any: dynamic = dynamic([]), - eventtype_in: dynamic = dynamic([]), - eventresultdetails_in: dynamic = dynamic([]), - eventresult: string = '*', - disabled: bool=false - ) - { - let LogonMethodLookup = datatable(Method: string, LogonMethod: string) - [ - 'password', 'Username & password', - 'publickey', 'PKI', - 'keyboard-interactive/pam', 'PAM' - ]; - let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime)) - { - T - | where - (isnull(starttime) or TimeGenerated >= starttime) - and (isnull(endtime) or TimeGenerated <= endtime) - and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any)) - and ((array_length(targetappname_has_any) == 0) or 'sshd' in~ (targetappname_has_any)) - and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))) - and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source - // eventresultdetails_in filtering done later in the parser - // eventresult filtering done later in the parser - }; - let SyslogProjects = Syslog - | project - TimeGenerated, - Computer, - SyslogMessage, - ProcessName, - ProcessID, - HostIP, - Type, - _ItemId, - _ResourceId, - _SubscriptionId; - // - // -- Successful login - let SSHDAccepted=(disabled: bool=false) - { - // -- Parse events with the format "Accepted (password|none|publickey|etc.) for from port ssh2" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith 'Accepted' - | invoke prefilter() - | parse SyslogMessage with "Accepted " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * - | extend - EventCount = int(1), - EventResult = 'Success', - EventSeverity = 'Informational', - EventType = 'Logon' - | lookup LogonMethodLookup on Method - | extend LogonMethod = case( - isnotempty(LogonMethod), LogonMethod, - SyslogMessage has "key RSA", "PKI", - "Other") - | project-away SyslogMessage, ProcessName, Method - }; - // - // -- Failed login - incorrect password - let SSHDFailed=(disabled: bool=false) - { - // -- Parse events with the format Failed (password|none|publickey|etc.) for from port ssh2[: RSA :]" - // -- Or a number of such events message repeated times: [ ] - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and ( - SyslogMessage startswith 'Failed' - or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed') - ) - | invoke prefilter() - | parse SyslogMessage with * "Failed " Method: string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int * - | parse SyslogMessage with "message repeated" EventCount:int " times:" * - | extend - EventCount = toint(coalesce(EventCount,1)), - EventResult = 'Failure', - EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'), - EventSeverity = 'Low' , - EventType = 'Logon' - | lookup LogonMethodLookup on Method - | extend LogonMethod = coalesce(LogonMethod, "Other") - | project-away SyslogMessage, ProcessName, Method - }; - // - // -- Logoff - Timeout - let SSHDTimeout=(disabled: bool=false) - { - // -- Parse events with the format "Timeout, client not responding from user yanivsh 131.107.174.198 port 7623" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith 'Timeout' - | invoke prefilter() - | parse-where SyslogMessage with * "user " TargetUsername: string " " SrcIpAddr: string " port " SrcPortNumber: int - | extend - EventCount = int(1), - EventResult = 'Success', - EventSeverity = 'Informational', - EventType = 'Logoff' - | project-away SyslogMessage, ProcessName - }; - // - // -- Failed login - invalid user - let SSHDInvalidUser=(disabled: bool=false) - { - // -- Parse events with the format "Invalid user [] from port " - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith 'Invalid user' - | invoke prefilter() - | parse SyslogMessage with "Invalid user " TargetUsername:string " from " SrcIpAddrAndPort:string // SrcIpAddrAndPort can either be "0.0.0.0 port 0" or just "0.0.0.0" - | parse SyslogMessage with "Invalid user from " SrcIpAddrNoUser:string " port " SrcPortNumberNoUser:int - | extend SrcInfo = split(SrcIpAddrAndPort, " ") - | extend SrcIpAddr = tostring(SrcInfo[0]), SrcPortNumber = toint(SrcInfo[2]) // Ignore [1] ("port"). [2] will be null if there is no port. - | extend - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'No such user', - EventSeverity = 'Low', - EventType = 'Logon', - SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser), - SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser) - | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser, SrcIpAddrAndPort, SrcInfo - }; - // - // -- Blocked intrusion attempts - let SSHDABreakInAttemptMappingFailed=(disabled: bool=false) - { - // -- Parse events with the format "reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith "reverse mapping checking getaddrinfo for" - | invoke prefilter() - | parse SyslogMessage with * " for " Src " [" SrcIpAddr "]" * - | invoke _ASIM_ResolveSrcFQDN ('Src') - | extend - DvcAction = 'Block', - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'Logon violates policy', - EventSeverity = 'Medium', - EventType = 'Logon', - RuleName = "Reverse mapping failed", - TargetUsername = '' - | extend - Rule = RuleName - | project-away SyslogMessage, ProcessName, Src - }; - let SSHDABreakInAttemptMappingMismatch=(disabled: bool=false) - { - // -- Parse events with the format "Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage has "but this does not map back to the address" - | invoke prefilter() - | parse SyslogMessage with "Address " SrcIpAddr: string " maps to " Src: string ", but this" * - | invoke _ASIM_ResolveSrcFQDN ('Src') - | extend - DvcAction = 'Block', - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'Logon violates policy', - EventSeverity = 'Medium', - EventType = 'Logon', - RuleName = "Address to host to address mapping does not map back to address", - TargetUsername = '' - | extend - Rule = RuleName - | project-away SyslogMessage, ProcessName, Src - }; - let SSHDABreakInAttemptNastyPtr=(disabled: bool=false) - { - // -- Parse events with the format "Nasty PTR record "" is set up for , ignoring" - SyslogProjects - | where not(disabled) - | where ProcessName == "sshd" and SyslogMessage startswith "Nasty PTR record" - | invoke prefilter() - | parse SyslogMessage with * "set up for " SrcIpAddr: string ", ignoring" - | extend - DvcAction = 'Block', - EventCount = int(1), - EventResult = 'Failure', - EventResultDetails = 'Logon violates policy', - EventSeverity = 'Medium', - EventType = 'Logon', - RuleName = "Nasty PTR record set for IP Address", - TargetUsername = '' - | extend - Rule = RuleName - | project-away SyslogMessage, ProcessName - }; - union isfuzzy=false - SSHDAccepted (disabled=disabled), - SSHDFailed (disabled=disabled), - SSHDInvalidUser (disabled=disabled), - SSHDTimeout (disabled=disabled), - SSHDABreakInAttemptMappingFailed (disabled=disabled), - SSHDABreakInAttemptMappingMismatch (disabled=disabled), - SSHDABreakInAttemptNastyPtr (disabled=disabled) - // Post-filtering - | where ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any)) - and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))) - and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in)) - and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in)) - and (eventresult == "*" or (EventResult == eventresult)) - // mapping ASimMatchingUsername - | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any) - // ActorUsername not coming from source. Hence, not mapped. - | extend ASimMatchingUsername = case - ( - array_length(username_has_any) == 0, "-", - temp_isMatchTargetUsername, "TargetUsername", - "No match" - ) - | invoke _ASIM_ResolveDvcFQDN ('Computer') - | extend - DvcIdType = iff (isnotempty(_ResourceId), "AzureResourceId", ""), - DvcOs = 'Linux', - EventEndTime = TimeGenerated, - EventProduct = 'OpenSSH', - EventSchema = 'Authentication', - EventSchemaVersion = '0.1.2', - EventStartTime = TimeGenerated, - EventSubType = 'Remote', - EventVendor = 'OpenBSD', - LogonProtocol = 'ssh', - TargetAppId = tostring(ProcessID), - TargetAppName = 'sshd', - TargetAppType = 'Service', - TargetDvcOs = 'Linux', - TargetUsernameType = 'Simple', - Type = 'Syslog' - | project-away Computer, ProcessID, temp* - | project-rename - DvcId = _ResourceId, - DvcIpAddr = HostIP, - DvcScopeId = _SubscriptionId, - EventUid = _ItemId - // - // -- Aliases - | extend - Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr), - IpAddr = SrcIpAddr, - Src = SrcIpAddr, - TargetDomain = DvcDomain, - TargetDomainType = DvcDomainType, - TargetDvcId = DvcId, - TargetDvcIdType = DvcIdType, - TargetDvcScopeId = DvcScopeId, - TargetFQDN = DvcFQDN, - TargetHostname = DvcHostname, - TargetIpAddr = DvcIpAddr, - User = TargetUsername, - Application = TargetAppName - | extend Dvc = Dst - }; - parser( - starttime=starttime, - endtime=endtime, - username_has_any=username_has_any, - targetappname_has_any=targetappname_has_any, - srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, - srchostname_has_any=srchostname_has_any, - eventtype_in=eventtype_in, - eventresultdetails_in=eventresultdetails_in, - eventresult=eventresult, - disabled=disabled - ) \ No newline at end of file From 5223c69fc26c5dbfc5463288455a9a734ccbd0a2 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 13:55:50 -0700 Subject: [PATCH 28/30] Remove comma --- Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index 9f4d6f5ccdb..9abd7c0c154 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -61,7 +61,7 @@ ParserQuery: | ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )), ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack), ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack), - ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack), + ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack) Parsers: - _Im_Authentication_Empty - _ASim_Authentication_AADManagedIdentitySignInLogs From 61b947cbc708f5703987671d477eb2cc0ae0a3e3 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 14:03:17 -0700 Subject: [PATCH 29/30] Fixes --- .../workflows/asimFileAndParserValidation.yml | 49 ++++++++----------- 1 file changed, 20 insertions(+), 29 deletions(-) diff --git a/.github/workflows/asimFileAndParserValidation.yml b/.github/workflows/asimFileAndParserValidation.yml index 87d44028375..eed16fc618b 100644 --- a/.github/workflows/asimFileAndParserValidation.yml +++ b/.github/workflows/asimFileAndParserValidation.yml @@ -53,8 +53,8 @@ jobs: # ---------------------------------------------------------------- # Step 2: Fetch all files in the PR and categorize them. - # Outputs: files, new_files, asim_yaml_files, - # has_new_files, has_asim_yaml_files + # Outputs: files, new_asim_yaml_files, + # has_new_asim_yaml_files # ---------------------------------------------------------------- - name: Get changed files if: steps.check-label.outputs.has_label == 'true' @@ -79,21 +79,18 @@ jobs: const allFiles = files.map(f => f.filename); const newFiles = files.filter(f => f.status === 'added').map(f => f.filename); - // Filter for YAML files under Parsers/ASim/Parsers/ + // Filter for new YAML files under Parsers/ASim/Parsers/ const parserPattern = /^Parsers\/ASim\w+\/Parsers\/.+\.yaml$/; - const asimYamlFiles = allFiles.filter(f => parserPattern.test(f)); const newAsimYamlFiles = newFiles.filter(f => parserPattern.test(f)); core.info(`Changed files (${allFiles.length}):`); allFiles.forEach(f => core.info(` - ${f}`)); - core.info(`ASIM YAML files (${asimYamlFiles.length}):`); - asimYamlFiles.forEach(f => core.info(` - ${f}`)); + core.info(`New ASIM YAML files (${newAsimYamlFiles.length}):`); + newAsimYamlFiles.forEach(f => core.info(` - ${f}`)); core.info(`New files (${newFiles.length}):`); newFiles.forEach(f => core.info(` - ${f}`)); core.setOutput('files', JSON.stringify(allFiles)); - core.setOutput('new_files', JSON.stringify(newFiles)); - core.setOutput('asim_yaml_files', JSON.stringify(asimYamlFiles)); - core.setOutput('has_new_files', newFiles.length > 0 ? 'true' : 'false'); - core.setOutput('has_asim_yaml_files', asimYamlFiles.length > 0 ? 'true' : 'false'); + core.setOutput('new_asim_yaml_files', JSON.stringify(newAsimYamlFiles)); + core.setOutput('has_new_asim_yaml_files', newAsimYamlFiles.length > 0 ? 'true' : 'false'); # ---------------------------------------------------------------- # Step 3: Validate the PR's file structure. @@ -106,22 +103,17 @@ jobs: # ---------------------------------------------------------------- - name: Validate new file paths id: validate-paths - if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_new_files == 'true' + if: steps.check-label.outputs.has_label == 'true' && steps.changed-files.outputs.has_new_asim_yaml_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c with: script: | - const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); + const newAsimYamlFiles = JSON.parse('${{ steps.changed-files.outputs.new_asim_yaml_files }}'); const allFiles = JSON.parse('${{ steps.changed-files.outputs.files }}'); const errors = []; // 1. Validate new YAML files are in Parsers/ASim/Parsers/ const parserPattern = /^Parsers\/(ASim\w+)\/Parsers\/(.+\.yaml)$/; - const newYamlFiles = newFiles.filter(f => parserPattern.test(f)); - const invalidNewFiles = newFiles.filter(f => f.endsWith('.yaml') && !parserPattern.test(f)); - - if (invalidNewFiles.length > 0) { - errors.push(`New YAML files not in expected directory (Parsers/ASim/Parsers/):\n${invalidNewFiles.map(f => ' - ' + f).join('\n')}`); - } + const newYamlFiles = newAsimYamlFiles; if (newYamlFiles.length !== 2) { errors.push(`Expected exactly 2 new YAML files in Parsers/ASim/Parsers/, found ${newYamlFiles.length}.`); @@ -147,7 +139,7 @@ jobs: `Parsers/${schema}/Parsers/${schema}.yaml`, `Parsers/${schema}/Parsers/im${schemaName}.yaml` ]; - const modifiedFiles = allFiles.filter(f => !newFiles.includes(f)); + const modifiedFiles = allFiles.filter(f => !newAsimYamlFiles.includes(f)); for (const expected of expectedEdited) { if (!modifiedFiles.includes(expected)) { errors.push(`Expected modified file not found: ${expected}`); @@ -158,7 +150,7 @@ jobs: const newYamlBasenames = newYamlFiles.map(f => f.match(parserPattern)[2].replace('.yaml', '')); const expectedNewChangelogs = newYamlBasenames.map(name => `Parsers/${schema}/CHANGELOG/${name}.md`); for (const expected of expectedNewChangelogs) { - if (!newFiles.includes(expected)) { + if (!allFiles.includes(expected)) { errors.push(`Expected new CHANGELOG file not found: ${expected}`); } } @@ -205,11 +197,11 @@ jobs: # for performance and best practices review. # ---------------------------------------------------------------- - name: Checkout repository - if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_new_asim_yaml_files == 'true' uses: actions/checkout@v4 - name: Install js-yaml - if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_new_asim_yaml_files == 'true' run: npm install js-yaml # ---------------------------------------------------------------- @@ -231,15 +223,14 @@ jobs: # ---------------------------------------------------------------- - name: Validate parser files and changelog versions id: read-yaml - if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_new_asim_yaml_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c with: script: | const fs = require('fs'); const yaml = require('js-yaml'); - const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); + const newYamlFiles = JSON.parse('${{ steps.changed-files.outputs.new_asim_yaml_files }}'); const parserPattern = /^(Parsers\/ASim\w+)\/Parsers\/(.+)\.yaml$/; - const newYamlFiles = newFiles.filter(f => parserPattern.test(f)); const errors = []; // Derive the schema directory and names from the first new parser file @@ -440,7 +431,7 @@ jobs: # ---------------------------------------------------------------- - name: Check for SafeToRun label id: check-safe-to-run - if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_asim_yaml_files == 'true' + if: steps.validate-paths.outcome == 'success' && steps.changed-files.outputs.has_new_asim_yaml_files == 'true' uses: actions/github-script@b7fb2001b410c9390cbe9e2c7d5cab7eefb7b29c with: script: | @@ -502,15 +493,15 @@ jobs: script: | const fs = require('fs'); const yaml = require('js-yaml'); - const newFiles = JSON.parse('${{ steps.changed-files.outputs.new_files }}'); + const newAsimYamlFiles = JSON.parse('${{ steps.changed-files.outputs.new_asim_yaml_files }}'); const parserPattern = /^Parsers\/ASim\w+\/Parsers\/(.+)\.yaml$/; // Separate new YAML files into ASim-prefixed and vim-prefixed parsers - const asimFiles = newFiles.filter(f => { + const asimFiles = newAsimYamlFiles.filter(f => { const match = f.match(parserPattern); return match && match[1].startsWith('ASim'); }); - const vimFiles = newFiles.filter(f => { + const vimFiles = newAsimYamlFiles.filter(f => { const match = f.match(parserPattern); return match && match[1].startsWith('vim'); }); From 88f5ae3556a4519656de1bacb9574b3b9428ce86 Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Thu, 11 Jun 2026 14:15:11 -0700 Subject: [PATCH 30/30] Move ARM templates back to original state --- .../ASimAuthentication.json | 2 +- .../ARM/FullDeploymentAuthentication.json | 40 ------------------- .../imAuthentication/imAuthentication.json | 2 +- 3 files changed, 2 insertions(+), 42 deletions(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index 56cd04c140d..f860bd49296 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json @@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack),\n ASimAuthenticationTestProduct (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationTestProduct' in (DisabledParsers)), pack=pack),\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoDNAC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoDNAC' in (DisabledParsers) )),\n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoISEAdministrator (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISEAdministrator' in (DisabledParsers) ),pack=pack),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers)), pack=pack)\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 8067d58110c..0f66a239e44 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json @@ -698,26 +698,6 @@ } } }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationTestProduct", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationTestProduct/ASimAuthenticationTestProduct.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -1498,26 +1478,6 @@ } } }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationTestProduct", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationTestProduct/vimAuthenticationTestProduct.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index 360c78b9560..d4dbabeada1 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json @@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaSystemLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSystemLogs' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoDNAC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoDNAC' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoIOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoIOS' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationCiscoISEAdministrator (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISEAdministrator' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationVMwareVCenter (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) )))\n , vimAuthenticationFortinetFortigate (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )))\n , vimAuthenticationVMwareESXi (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareESXi' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoPanOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoGlobalProtect (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationTestProduct (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationTestProduct' in (DisabledParsers) )), pack=pack)\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", + "query": "let Generic=(starttime: datetime=datetime(null), endtime: datetime=datetime(null), username_has_any: dynamic = dynamic([]), targetappname_has_any: dynamic = dynamic([]), srcipaddr_has_any_prefix: dynamic = dynamic([]), srchostname_has_any: dynamic = dynamic([]), eventtype_in: dynamic = dynamic([]), eventresultdetails_in: dynamic = dynamic([]), eventresult: string = '*', pack: bool=false) {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationBuiltInDisabled=toscalar('ExcludeimAuthenticationBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled = (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationOktaSystemLogs (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaSystemLogs' in (DisabledParsers) )))\n , vimAuthenticationOktaV2 (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationOktaV2' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSudo (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSudo' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoDNAC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoDNAC' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoMerakiSyslog (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )))\n , vimAuthenticationCiscoIOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoIOS' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationCiscoISEAdministrator (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCiscoISEAdministrator' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationBarracudaWAF (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationGoogleWorkspace (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationGoogleWorkspace' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n , vimAuthenticationVMwareVCenter (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))\n , vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) )))\n , vimAuthenticationFortinetFortigate (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )))\n , vimAuthenticationVMwareESXi (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareESXi' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoPanOS (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationFortigate' in (DisabledParsers) )), pack=pack)\n , vimAuthenticationPaloAltoGlobalProtect (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) )), pack=pack)\n};\nGeneric(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',pack:bool=False" }