Merge pull request #8726 from KustoKing/asim/kustoking/add-linux-user…

…management

Add-UserManagement-Linux

ASIM/dev/ASimTester/ASimTester.csv

@@ -353,7 +353,6 @@ DvcInterface,string,Optional,FileEvent,,,
 DvcInterface,string,Optional,NetworkSession,,,
 DvcInterface,string,Optional,ProcessEvent,,,
 DvcInterface,string,Optional,UserManagement,,,
-DvcIpAddr,IP address,Recommended,UserManagement,,,
 DvcIpAddr,string,Recommended,AuditEvent,IP Address,,
 DvcIpAddr,string,Recommended,Authentication,IP Address,,
 DvcIpAddr,string,Recommended,Common,IP Address,,
@@ -363,6 +362,7 @@ DvcIpAddr,string,Recommended,FileEvent,IP Address,,
 DvcIpAddr,string,Recommended,NetworkSession,IP Address,,
 DvcIpAddr,string,Recommended,ProcessEvent,IP Address,,
 DvcIpAddr,string,Recommended,RegistryEvent,IP Address,,
+DvcIpAddr,string,Recommended,UserManagement,,,
 DvcIpAddr,string,Recommended,WebSession,IP Address,,
 DvcMacAddr,MAC address,Optional,UserManagement,,,
 DvcMacAddr,string,Optional,AuditEvent,MAC address,,
@@ -543,7 +543,7 @@ EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne,
-EventProduct,string,Mandatory,UserManagement,Enumerated,SentinelOne,
+EventProduct,string,Mandatory,UserManagement,Enumerated,Security Events|Authpriv|ISE|SentinelOne,
 EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki MX|Web Security Gateway|Zeek|Dataminr Pulse,
 EventProductVersion,string,Optional,AuditEvent,,,
 EventProductVersion,string,Optional,Authentication,,,
@@ -638,7 +638,7 @@ EventSubType,string,Optional,Dns,Enumerated,request|response,
 EventSubType,string,Optional,FileEvent,Enumerated,Upload|Checkin|Download|Preview|Checkout|Extended|Recycle|Versions|Site,
 EventSubType,string,Optional,NetworkSession,Enumerated,Start|End|,
 EventSubType,string,Optional,ProcessEvent,,,
-EventSubType,string,Optional,UserManagement,Enumerated,UserRead|UserCreated|GroupCreated|UserModified|GroupModified,
+EventSubType,string,Optional,UserManagement,Enumerated,UserRead|UserCreated|GroupCreated|UserModified|GroupModified|password|shell|GID|expiration|UID,
 EventSubType,string,Optional,WebSession,,,
 EventType,string,Mandatory,AuditEvent,Enumerated,Set|Read|Create|Delete|Execute|Install|Clear|Enable|Disable|Initialize|Start|Stop|Terminate|Execute|Other,
 EventType,string,Mandatory,Authentication,Enumerated,Logon|Logoff|Elevate,
@@ -673,7 +673,7 @@ EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microso
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
-EventVendor,string,Mandatory,UserManagement,Enumerated,SentinelOne,
+EventVendor,string,Mandatory,UserManagement,Enumerated,Microsoft|Linux|Cisco|SentinelOne,
 EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
 EventVendor,string,Mandatory,RegistryEvent,Enumerated,SentinelOne,
 FileContentType,string,Optional,WebSession,Enumerated,,

Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml

@@ -1,7 +1,7 @@
 Parser:
   Title: User Management ASIM parser
   Version: '0.1.0'
-  LastUpdated: 16 Jul, 2023
+  LastUpdated: 15 Oct, 2023
 Product:
   Name: Source agnostic
 Normalization:
@@ -18,6 +18,8 @@ ParserName: ASimUserManagement
 EquivalentBuiltInParser: _ASim_UserManagement
 Parsers:
   - _Im_UserManagement_Empty
+  - _ASim_UserManagement_CiscoISE 
+  - _ASim_UserManagement_LinuxAuthpriv
   - _ASim_UserManagement_MicrosoftSecurityEvent
   - _ASim_UserManagement_SentinelOne 
 ParserParams:
@@ -34,7 +36,8 @@ ParserQuery: |
     vimUserManagementEmpty,
     ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),
     ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE in (DisabledParsers))),
-    ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers)))
+    ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne in (DisabledParsers))),
+    ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),
   }; 
   parser (
       pack=pack

Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml

@@ -0,0 +1,317 @@
+Parser:
+  Title: User Management ASIM parser for Linux Authpriv logs
+  Version: '0.1.0'
+  LastUpdated: 4 Oct, 2023
+Product:
+  Name: Microsoft
+Normalization:
+  Schema: UserManagement
+  Version: '0.1.1'
+References:
+- Title: ASIM User Management Schema
+  Link: https://aka.ms/ASimUserManagementDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+- Title: Ubuntu remote logging
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man5/rsyslog.conf.5.html 
+- Title: gpasswd
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man1/gpasswd.1.html
+- Title: groupadd
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man8/groupadd.8.html
+- Title: groupdel
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man8/groupdel.8.html
+- Title: groupmod
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man8/groupmod.8.html
+- Title: useradd
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man8/useradd.8.html
+- Title: userdel
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man8/userdel.8.html
+- Title: usermod
+  Link: https://manpages.ubuntu.com/manpages/lunar/en/man8/usermod.8.html
+Description: |
+  This ASIM parser supports normalizing Linux authpriv logs delivered using Syslog to the ASIM UserManagement normalized schema.
+ParserName: ASimUserManagementLinuxAuthpriv
+EquivalentBuiltInParser: _ASim_UserManagement_LinuxAuthpriv
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+      disabled:bool = false
+  ) {
+  let ActionLookup = datatable (Action:string, EventType:string)
+  [
+      "added",  "UserAddedToGroup",
+      "removed","UserRemovedFromGroup"
+  ];
+  let SeverityLookup = datatable (SeverityLevel:string, EventSeverity:string)
+  [
+      "info", "Informational",
+      "warn", "Low",
+      "err",  "Medium",
+      "crit", "High"
+  ];    
+  let ItemParser = (T:(SyslogMessage:string,SeverityLevel:string,ProcessID:int)) {
+      T
+      | lookup SeverityLookup on SeverityLevel
+      | extend ActingAppId = tostring(ProcessID)
+      | project-away SyslogMessage,SeverityLevel, ProcessID
+  };
+  let SyslogParsed = (
+      Syslog
+      | where not(disabled)
+      | where Computer in (_ASIM_GetSourceBySourceType('LinuxAuthpriv'))
+      | where Facility == "authpriv"
+          and ProcessName in ("useradd","usermod","userdel","groupadd","groupmod","groupdel","gpasswd")
+      | project-away EventTime,Facility,MG,CollectorHostName,SourceSystem,TenantId
+  );
+  union (
+      SyslogParsed
+      | where ProcessName == "useradd"
+          and SyslogMessage startswith "new user: name="
+      | parse SyslogMessage with "new user: name=" TargetUsername ", UID=" TargetUserId ", GID=" GroupId ", " *
+      | extend 
+          EventType   = "UserCreated", 
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "useradd"
+          and SyslogMessage startswith "failed adding user '"
+      | parse SyslogMessage with "failed adding user '" TargetUsername "', exit code: " EventOriginalResultDetails
+      | extend 
+          EventType          = "UserCreated", 
+          EventResult        = "Failure",
+          EventResultDetails = "Other"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "useradd"
+          and SyslogMessage startswith "new group: name="
+      | parse SyslogMessage with "new user: name=" GroupName ", GID=" GroupId
+      | extend 
+          EventType   = "UserCreated", 
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "useradd"
+          and SyslogMessage startswith "cannot open login definitions"
+      | extend EventType     = "UserCreated", 
+          EventResult        = "Failure",
+          EventResultDetails = "NotAuthorized"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName =="useradd" 
+          and SyslogMessage startswith "add '"
+      | parse SyslogMessage with "add '" TargetUsername "'" * "group '" GroupName "'" 
+      | extend 
+          EventType   = "UserCreated",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "usermod"
+          and SyslogMessage startswith "change user name '"
+      | parse SyslogMessage with "change user name '" TargetUsername "'" *
+      | extend 
+          EventType   = "UserModified",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName =="usermod" 
+          and SyslogMessage startswith "add '"
+      | parse SyslogMessage with "add '" TargetUsername "'" * "group '" GroupName "'" 
+      | extend 
+          EventType   = "UserAddedToGroup",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "usermod"
+          and SyslogMessage startswith "change user '"
+          and not (SyslogMessage endswith "' password")
+      | parse SyslogMessage with "change user '" TargetUsername "' " EventSubType " from '" PreviousPropertyValue "' to '" NewPropertyValue "'"
+      | extend 
+          EventType = case (
+              EventSubType == "expiration" and PreviousPropertyValue == "never", "UserDisabled",
+              EventSubType == "expiration" and NewPropertyValue == "never", "UserEnabled",
+              "UserModified"
+          ),
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "usermod"
+          and SyslogMessage startswith "cannot open login definitions"
+      | extend 
+          EventType          = "UserCreated", 
+          EventResult        = "Failure",
+          EventResultDetails = "NotAuthorized"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "usermod"
+          and SyslogMessage startswith "change user '"
+          and SyslogMessage endswith "password"
+      | parse SyslogMessage with "change user '" TargetUsername "' " EventSubType
+      | extend 
+          EventType   = "PasswordChanged",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "usermod"
+          and SyslogMessage startswith "lock user '"
+          and SyslogMessage endswith "' password"
+      | parse SyslogMessage with "lock user '" TargetUsername "' password"
+      | extend 
+          EventType   = "UserLocked",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "userdel"
+          and SyslogMessage startswith "delete '"
+      | parse SyslogMessage with "delete '" TargetUsername "'" * "group '" GroupName "'" *
+      | extend 
+          EventType   = "UserDeleted",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "userdel"
+          and SyslogMessage startswith "delete user '"
+      | parse SyslogMessage with "delete user '" TargetUsername "'" *
+      | extend 
+          EventType   = "UserDeleted",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "userdel"
+          and (SyslogMessage startswith "removed group '" 
+          or SyslogMessage startswith "removed shadow group '")
+      | parse SyslogMessage with "removed" * "group '" GroupName "' owned by '" TargetUsername "'"
+      | extend 
+          EventType   = "UserDeleted",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "groupadd"
+          and SyslogMessage startswith "group added to "
+          and SyslogMessage has "GID="
+      | parse SyslogMessage with "group added to " * "name=" GroupName ", GID=" GroupId
+      | extend 
+          EventType   = "GroupCreated",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "groupadd"
+          and SyslogMessage startswith "group added to "
+          and not(SyslogMessage has "GID=")
+      | parse SyslogMessage with "group added to " * "name=" GroupName
+      | extend 
+          EventType   = "GroupCreated",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "groupadd"
+          and SyslogMessage startswith "new group: name="
+      | parse SyslogMessage with "new group: name=" GroupName ", GID=" GroupId
+      | extend 
+          EventType   = "GroupCreated",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "groupadd"
+          and SyslogMessage startswith "cannot open login definitions"
+      | extend 
+          EventType          = "GroupCreated", 
+          EventResult        = "Failure",
+          EventResultDetails = "NotAuthorized"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "groupmod"
+          and SyslogMessage startswith "group changed in "
+      | parse SyslogMessage with "group changed in " * " (group " Temp_GroupName ", new name: " *
+      | extend 
+          split(Temp_GroupName, "/")
+      | extend 
+          GroupName = tostring(Temp_GroupName[0]),
+          GroupId   = tostring(Temp_GroupName[1])
+      | project-away Temp_GroupName
+      | extend 
+          EventType   = "GroupModified",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "groupmod"
+          and SyslogMessage startswith "failed to change "
+      | parse SyslogMessage with "failed to change " * " (group " Temp_GroupName ", new name: " *
+      | extend split(Temp_GroupName, "/")
+      | extend 
+          GroupName = tostring(Temp_GroupName[0]),
+          GroupId   = tostring(Temp_GroupName[1])
+      | project-away Temp_GroupName
+      | extend 
+          EventType   = "GroupModified",
+          EventResult = "Failure"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "groupdel"
+      | parse SyslogMessage with "group '" GroupName "' removed" *
+      | extend 
+          EventType   = "GroupDeleted",
+          EventResult = "Success"
+      | invoke ItemParser()
+  ),(
+      SyslogParsed
+      | where ProcessName == "gpasswd"
+      | parse SyslogMessage with "user " TargetUsername " " Action " by " ActorUsername " " * " group " GroupName
+      | lookup ActionLookup on Action
+      | project-away Action
+      | extend 
+          EventResult = "Success"
+      | invoke ItemParser()
+  )
+  | invoke _ASIM_ResolveDvcFQDN ("HostName")
+  | project-rename 
+      ActingAppName = ProcessName,
+      DvcId         = _ResourceId,
+      EventUid      = _ItemId
+  | extend
+      ActingAppType       = "Process",
+      ActorUsernameType   = iif(isnotempty(ActorUsername), "Simple", ""),
+      DvcIdType           = iff (DvcId == "", "", "AzureResourceID"),
+      DvcIpAddr           = iif(HostIP == "Unknown IP","",HostIP),
+      DvcOs               = "Linux",
+      EventCount          = int(1),
+      EventEndTime        = TimeGenerated,
+      EventProduct        = "Authpriv",
+      EventSchema         = "UserManagement",
+      EventSchemaVersion  = "0.1.1",
+      EventStartTime      = TimeGenerated,
+      EventVendor         = "Linux",
+      GroupIdType         = iif(isnotempty(GroupId), "UID", ""),
+      GroupNameType       = iif(isnotempty(GroupName), "Simple", ""),
+      Hostname            = DvcHostname,
+      TargetUserIdType    = iif(isnotempty(TargetUserId), "UID", ""),
+      TargetUsernameType  = iif(isnotempty(TargetUsername), "Simple", ""),
+      UpdatedPropertyName = EventSubType,
+      User                = ActorUsername
+  | project-away Computer, HostIP, HostName
+  };
+  parser (
+    disabled = disabled
+  )