Multiple ASIM Parser Changes
vakohl committed Sep 18, 2023
1 parent 52c2784 commit 1fd5f4d
Showing 28 changed files with 136 additions and 99 deletions.
5 changes: 3 additions & 2 deletions Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Audit event ASIM parser
Version: '0.1'
LastUpdated: Dec 13, 2022
Version: '0.1.1'
LastUpdated: Sept 18, 2023
Product:
Name: Source agnostic
Normalization:
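Review bot: the new `LastUpdated: Sept 18, 2023` introduces yet another date style next to the `Dec 13, 2022`, `Mar 17 2023`, `21 Jul 2023` and `June 9, 2021` forms visible in the removed lines; the repository already mixes formats, but since this commit rewrites the date in every touched file it is the right moment to settle on one (for example `Sep 18, 2023`) and apply it throughout.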
Expand All @@ -24,6 +24,7 @@ Parsers:
- _ASim_AuditEvent_CiscoISE
- _ASim_AuditEvent_CiscoMeraki
- _ASim_AuditEvent_BarracudaWAF
- _ASim_AuditEvent_VectraXDRAudit

ParserParams:
- Name: pack
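Review bot: the file summary reports 3 additions and 2 deletions, which the version/date hunk (2 added, 2 removed) and this single `_ASim_AuditEvent_VectraXDRAudit` entry fully account for, so this union's ParserQuery is unchanged in the commit; confirm it already invokes `ASimAuditEventVectraXDRAudit(...)` with the corresponding disabled-parser check (the pattern used for `ASimAuthenticationVectraXDRAudit` further down), otherwise the new source is declared in `Parsers:` but never called by the union.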
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Audit Event ASIM parser for Vectra XDR Audit Logs Event
Version: '0.1'
LastUpdated: Mar 17 2023
Version: '0.1.1'
LastUpdated: Sept 18, 2023
Product:
Name: Vectra
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Audit Event schema.
ParserName: ASimAuditEventVectraXDRAudit
EquivalentBuiltInParser: _ASim_AuditEvent_VectraXDRAudit
ParserParams:
- Name: disabled
Type: bool
5 changes: 3 additions & 2 deletions Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Audit event ASIM filtering parser.
Version: '0.1'
LastUpdated: Dec 13, 2022
Version: '0.1.1'
LastUpdated: Sept 18, 2023
Product:
Name: Source agnostic
Normalization:
Expand All @@ -24,6 +24,7 @@ Parsers:
- _Im_AuditEvent_CiscoISE
- _Im_AuditEvent_CiscoMeraki
- _Im_AuditEvent_BarracudaWAF
- _Im_AuditEvent_VectraXDRAudit
ParserParams:
- Name: starttime
Type: datetime
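Review bot: same accounting as the ASim union: 3 additions and 2 deletions are consumed by the header hunk and this one `_Im_AuditEvent_VectraXDRAudit` entry, so `imAuditEvent`'s ParserQuery is not touched here; check that it already calls `vimAuditEventVectraXDRAudit` with the `starttime`/`endtime` pass-through and a matching disabled-parser check, since adding the name to `Parsers:` alone does not route any events through it.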
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event
Version: '0.1'
LastUpdated: Mar 17 2023
Version: '0.1.1'
LastUpdated: Sept 18, 2023
Product:
Name: Vectra
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Audit Event schema.
ParserName: vimAuditEventVectraXDRAudit
EquivalentBuiltInParser: _Im_AuditEvent_VectraXDRAudit
ParserParams:
- Name: disabled
Type: bool
38 changes: 19 additions & 19 deletions Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM parser
Version: '0.2.1'
LastUpdated: Aug 1, 2023
Version: '0.2.2'
LastUpdated: Sept 18, 2023
Product:
Name: Source agnostic
Normalization:
Expand Down Expand Up @@ -44,21 +44,21 @@ ParserQuery: |
ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))
Parsers:
- vimAuthenticationEmpty
- ASimAuthenticationAADManagedIdentitySignInLogs
- ASimAuthenticationAADNonInteractiveUserSignInLog
- ASimAuthenticationAADServicePrincipalSignInLogs
- ASimAuthenticationAWSCloudTrail
- ASimAuthenticationBarracudaWAF
- ASimAuthenticationCiscoISE
- ASimAuthenticationCiscoMeraki
- ASimAuthenticationM365Defender
- ASimAuthenticationMD4IoT
- ASimAuthenticationMicrosoftWindowsEvent
- ASimAuthenticationOktaSSO
- ASimAuthenticationPostgreSQL
- ASimAuthenticationSigninLogs
- ASimAuthenticationSshd
- ASimAuthenticationSu
- ASimAuthenticationVectraXDRAudit
- _Im_Authentication_Empty
- _ASim_Authentication_AADManagedIdentitySignInLogs
- _ASim_Authentication_AADNonInteractiveUserSignInLog
- _ASim_Authentication_AADServicePrincipalSignInLogs
- _ASim_Authentication_AWSCloudTrail
- _ASim_Authentication_BarracudaWAF
- _ASim_Authentication_CiscoISE
- _ASim_Authentication_CiscoMeraki
- _ASim_Authentication_M365Defender
- _ASim_Authentication_MD4IoT
- _ASim_Authentication_MicrosoftWindowsEvent
- _ASim_Authentication_OktaSSO
- _ASim_Authentication_PostgreSQL
- _ASim_Authentication_SigninLogs
- _ASim_Authentication_Sshd
- _ASim_Authentication_Su
- _ASim_Authentication_VectraXDRAudit

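Review bot: the ParserQuery context line still calls the workspace-deployed `ASimAuthenticationVectraXDRAudit(...)` while the rewritten `Parsers:` list now names only built-in `_ASim_Authentication_*` functions; if `Parsers:` declares what the union depends on, the list and the query now refer to different function sets, so the intended convention should be stated. `_ASim_Authentication_AADNonInteractiveUserSignInLog` is also singular where the source table and the Im-side parser's `EquivalentBuiltInParser` are plural (`...SignInLogs`); verify the built-in function's real name, because an unresolved function name fails the whole union query.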
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM parser for PostgreSQL
Version: '0.1.1'
LastUpdated: 21 Jul 2023
Version: '0.1.3'
LastUpdated: Sept 18, 2023
Product:
Name: PostgreSQL
Normalization:
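Review bot: the version jumps from `0.1.1` to `0.1.3` while the only visible change in this file is the version/date header; if `0.1.2` was never published this should be `0.1.2`, otherwise the commit message should say what `0.1.2` contained so the gap is explainable from history.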
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM parser for OpenSSH sshd
Version: '0.2.1'
LastUpdated: 21 Jul 2023
Version: '0.2.2'
LastUpdated: Sept 18, 2023
Product:
Name: OpenSSH
Normalization:
37 changes: 19 additions & 18 deletions Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser
Version: '0.2'
LastUpdated: Jul 27, 2023
Version: '0.2.2'
LastUpdated: Sept 18, 2023
Product:
Name: Source agnostic
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Authentication logs from all supported sources to the ASIM Authentication normalized schema.
ParserName: imAuthentication
EquivalentBuiltInParser: _Im_Authentication
ParserParams:
- Name: starttime
Type: datetime
Expand Down Expand Up @@ -51,20 +52,20 @@ ParserQuery: |
Generic(starttime, endtime, targetusername_has)
Parsers:
- vimAuthenticationEmpty
- vimAuthenticationAADManagedIdentitySignInLogs
- vimAuthenticationAADNonInteractiveUserSignInLog
- vimAuthenticationAADServicePrincipalSignInLogs
- vimAuthenticationSigninLogs
- vimAuthenticationAWSCloudTrail
- vimAuthenticationOktaSSO
- vimAuthenticationM365Defender
- vimAuthenticationMicrosoftWindowsEvent
- vimAuthenticationMD4IoT
- vimAuthenticationSshd
- vimAuthenticationSu
- vimAuthenticationCiscoMeraki
- vimAuthenticationCiscoISE
- vimAuthenticationBarracudaWAF
- vimAuthenticationVectraXDRAudit
- _Im_Authentication_Empty
- _Im_Authentication_AADManagedIdentitySignInLogs
- _Im_Authentication_AADNonInteractiveUserSignInLog
- _Im_Authentication_AADServicePrincipalSignInLogs
- _Im_Authentication_SigninLogs
- _Im_Authentication_AWSCloudTrail
- _Im_Authentication_OktaSSO
- _Im_Authentication_M365Defender
- _Im_Authentication_MicrosoftWindowsEvent
- _Im_Authentication_MD4IoT
- _Im_Authentication_Sshd
- _Im_Authentication_Su
- _Im_Authentication_CiscoMeraki
- _Im_Authentication_CiscoISE
- _Im_Authentication_BarracudaWAF
- _Im_Authentication_VectraXDRAudit

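Review bot: this list has 16 entries against 17 in the ASim union, the missing one being PostgreSQL (`_ASim_Authentication_PostgreSQL` has no `_Im_Authentication_PostgreSQL` counterpart here); if no filtering PostgreSQL parser exists that is expected, but it deserves a line in the commit message rather than being inferred from a count. The ASim list is alphabetical and this one is not; sorting it would make future diffs of the two unions directly comparable.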
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for AAD managed identity sign-in logs
Version: '0.1.1'
LastUpdated: Feb 1, 2023
Version: '0.2.1'
LastUpdated: Sept 18, 2023
Product:
Name: AAD
Normalization:
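Review bot: `0.1.1` to `0.2.1` is a minor bump that also skips `0.2.0`, for what the visible hunks show as a metadata-only change (date plus an `EquivalentBuiltInParser` line). The same change is a patch bump elsewhere in this commit (`0.2` to `0.2.1` for the non-interactive, AWS, Windows and Okta parsers) and larger jumps in others (`0.2` to `0.3.1` for SigninLogs, `0.0` to `0.1.1` for the Empty function, `0.2` to `0.2.2` for imAuthentication); pick one rule for metadata-only edits and apply it uniformly.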
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Azure Active Directory Managed Identity sign in logs, stored in the AADManagedIdentitySignInLogs table, to the ASIM Authentication schema.
ParserName: vimAuthenticationAADManagedIdentitySignInLogs
EquivalentBuiltInParser: _Im_Authentication_AADManagedIdentitySignInLogs
ParserParams:
- Name: starttime
Type: datetime
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for AAD non-interactive sign-in logs
Version: '0.2'
LastUpdated: Feb 19 2023
Version: '0.2.1'
LastUpdated: Sept 18, 2023
Product:
Name: AAD
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Azure Active Directory Non Interactive sign in logs, stored in the AADNonInteractiveUserSignInLogs table, to the ASIM Authentication schema.
ParserName: vimAuthenticationAADNonInteractiveUserSignInLogs
EquivalentBuiltInParser: _Im_Authentication_AADNonInteractiveUserSignInLogs
ParserParams:
- Name: starttime
Type: datetime
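Review bot: `EquivalentBuiltInParser: _Im_Authentication_AADNonInteractiveUserSignInLogs` (plural, matching `ParserName: vimAuthenticationAADNonInteractiveUserSignInLogs` and the `AADNonInteractiveUserSignInLogs` table) disagrees with the `_Im_Authentication_AADNonInteractiveUserSignInLog` entry added to imAuthentication.yaml's `Parsers:` list in this same commit; only one of the two can match the deployed built-in function, so align them before merging.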
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for AAD service principal sign-in logs
Version: '0.1.1'
LastUpdated: Feb 1, 2023
Version: '0.2.1'
LastUpdated: Sept 18, 2023
Product:
Name: AAD
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Azure Active Directory Service Principal sign in logs, stored in the AADServicePrincipalSignInLogs table, to the ASIM Authentication schema.
ParserName: vimAuthenticationAADServicePrincipalSignInLogs
EquivalentBuiltInParser: _Im_Authentication_AADServicePrincipalSignInLogs
ParserParams:
- Name: starttime
Type: datetime
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for AAD interactive sign-in logs
Version: '0.2'
LastUpdated: Frb 19 2023
Version: '0.3.1'
LastUpdated: Sept 18, 2023
Product:
Name: AAD
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Azure Active Directory Interactive sign in logs, stored in the SigninLogs table, to the ASIM Authentication schema.
ParserName: vimAuthenticationSigninLogs
EquivalentBuiltInParser: _Im_Authentication_SigninLogs
ParserParams:
- Name: starttime
Type: datetime
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for AWS sign-in logs
Version: '0.2'
LastUpdated: Feb 26 2023
Version: '0.2.1'
LastUpdated: Sept 18, 2023
Product:
Name: AWS
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Amazon Web Service sign in logs, stored in the AWSCloudTrail table, to the ASIM Authentication schema.
ParserName: vimAuthenticationAWSCloudTrail
EquivalentBuiltInParser: _Im_Authentication_AWSCloudTrail
ParserParams:
- Name: starttime
Type: datetime
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM schema function
Version: '0.0'
LastUpdated: June 9, 2021
Version: '0.1.1'
LastUpdated: Sept 18, 2023
Product:
Name: Microsoft Sentinel
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This function returns an empty ASIM Authentication schema.
ParserName: vimAuthenticationEmpty
EquivalentBuiltInParser: _Im_Authentication_Empty
ParserQuery: |
let EmptyAuthenticationTable=datatable(
EventProduct:string
Expand Down Expand Up @@ -147,4 +148,4 @@ ParserQuery: |
, ThreatLastReportedTime:datetime
, Application:string
)[];
EmptyAuthenticationTable
EmptyAuthenticationTable
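Review bot: this hunk replaces `EmptyAuthenticationTable` with a line that renders identically, so the change is whitespace only; a missing newline at end of file is harmless, but if the indentation of this line changed inside the `ParserQuery: |` block scalar the emitted KQL text changes with it, so it is worth confirming which of the two this is.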
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for M365 Defender Device Logon Events
Version: '0.1.0'
LastUpdated: July 1, 2021
Version: '0.1.1'
LastUpdated: Sept 18, 2023
Product:
Name: M365 Defender for EndPoint
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
ParserName: vimAuthenticationM365Defender
EquivalentBuiltInParser: _Im_Authentication_M365Defender
ParserParams:
- Name: starttime
Type: datetime
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs
Version: '0.1.1'
LastUpdated: June 13, 2022
Version: '0.1.2'
LastUpdated: Sept 18, 2023
Product:
Name: Microsoft Defender for IoT
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Microsoft Defender for IoT endpoint logs to the ASIM Authentication schema.
ParserName: vimAuthenticationMD4IoT
EquivalentBuiltInParser: _Im_Authentication_MD4IoT
ParserParams:
- Name: starttime
Type: datetime
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for Windows Security Events
Version: '0.2'
LastUpdated: Feb 23 2023
Version: '0.2.1'
LastUpdated: Sept 18, 2023
Product:
Name: Windows Security Events
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema.
ParserName: vimAuthenticationMicrosoftWindowsEvent
EquivalentBuiltInParser: _Im_Authentication_MicrosoftWindowsEvent
ParserParams:
- Name: starttime
Type: datetime
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser for Okta
Version: '0.2'
LastUpdated: Dec 11, 2022
Version: '0.2.1'
LastUpdated: Sept 18, 2023
Product:
Name: Okta
Normalization:
Expand All @@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Okta sign in logs, stored in the Okta_CL table, to the ASIM Authentication schema.
ParserName: vimAuthenticationOktaSSO
EquivalentBuiltInParser: _Im_Authentication_OktaSSO
ParserParams:
- Name: starttime
Type: datetime