
Merge branch 'asim-ASimAuthenticationSalesforceSC' of https://github.…
…com/Azure/Azure-Sentinel into asim-ASimAuthenticationSalesforceSC
vakohl committed Aug 30, 2023
2 parents 30741fa + c8dc964 commit 81d2c25
Showing 36 changed files with 855 additions and 15 deletions.
Expand Up @@ -35,7 +35,7 @@
"displayName": "Authentication ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAuthentication",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty\n , ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) ))\n , ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) ))\n , ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) ))\n , ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) ))\n , ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))\n , ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) ))\n , ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) ))\n , ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) ))\n , ASimAuthenticationSu (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationSu' in (DisabledParsers) ))\n , ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))\n",
"version": 1,
"functionParameters": "disabled:bool=False"
}
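Review bot: The second `query` value is missing a comma between the last two legs of the `union`: it reads `'ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n ASimAuthenticationVectraXDRAudit (` where every other leg ends in `)),\n`. The page has lost its +/- markers, so treating that value as the added side is an inference, but if it is, the unifying `ASimAuthentication` function will most likely fail to parse. That would stop every analytic rule and hunting query built on it from returning authentication events, rather than just dropping one source. The separator should be restored as `... in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (...`. It is also worth running the embedded KQL through a parse check before merging, since the JSON itself stays valid and template validation will not flag this.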
