From 539e876fc9f6eb09c1d1b0b282c4882ecbc9e38f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Thu, 2 Jan 2025 06:55:32 +0000
Subject: [PATCH] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

---
 .../ARM/vimAuditEventNative/vimAuditEventNative.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventNative/vimAuditEventNative.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventNative/vimAuditEventNative.json
index eb107a4a848..ee2a2da0e3b 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventNative/vimAuditEventNative.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventNative/vimAuditEventNative.json
@@ -27,7 +27,7 @@ "displayName": "Audit Event ASIM filtering parser for Microsoft Sentinel native Audit Event table", "category": "ASIM", "FunctionAlias": "vimAuditEventNative", - "query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n actorusername_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]),\n object_has_any: dynamic=dynamic([]),\n newvalue_has_any: dynamic=dynamic([]),\n disabled: bool = false\n)\n{\n ASimAuditEventLogs | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0)\n //and (array_length(actorusername_has_any) == 0 )\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 )\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n //and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any) or Operation has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | extend EventVendor='Microsoft',\n EventProduct = \"Azure\",\n EventSchema = \"AuditEvent\"\n | extend\n Value\t= NewValue,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)),\n Rule=RuleName\n | project-away\n //TenantId, SourceSystem, \n _ResourceId, _SubscriptionId,RuleName,SrcIpAddr\n };\n parser(\n starttime=starttime, \n endtime=endtime, \n 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n )\n ", + "query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n actorusername_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]),\n object_has_any: dynamic=dynamic([]),\n newvalue_has_any: dynamic=dynamic([]),\n disabled: bool = false\n)\n{\n ASimAuditEventLogs | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (array_length(srcipaddr_has_any_prefix) == 0)\n //and (array_length(actorusername_has_any) == 0 )\n and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n //and (array_length(newvalue_has_any) == 0 )\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n //and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))\n and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any) or Operation has_any (operation_has_any))\n and (eventresult == '*' or 'Success' =~ eventresult)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | extend EventVendor='Microsoft',\n EventProduct = \"Azure\",\n EventSchema = \"AuditEvent\"\n | extend\n Value\t= NewValue,\n User = ActorUsername,\n Application = TargetAppName,\n Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName),\n Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat 
(EventVendor,'/', EventProduct)),\n Rule=RuleName\n | project-away\n //TenantId, SourceSystem, \n _ResourceId, _SubscriptionId,RuleName,SrcIpAddr\n };\n parser(\n starttime=starttime, \n endtime=endtime, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n eventtype_in=eventtype_in, \n eventresult=eventresult, \n actorusername_has_any=actorusername_has_any, \n operation_has_any=operation_has_any, \n object_has_any=object_has_any, \n newvalue_has_any=newvalue_has_any, \n disabled=disabled\n )\n ", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False" }