From c8dc964142afafd6709238c54d92583a095c227a Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <> Date: Wed, 30 Aug 2023 17:38:35 +0000 Subject: [PATCH] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- .../ASimAuthenticationAADManagedIdentity.json | 2 +- .../ASimAuthenticationAADNonInteractive.json | 2 +- ...ticationAADServicePrincipalSignInLogs.json | 2 +- .../ASimAuthenticationAADSigninLogs.json | 2 +- .../ASimAuthenticationAWSCloudTrail.json | 2 +- .../ASimAuthenticationBarracudaWAF.json | 46 ++++ .../ASimAuthenticationBarracudaWAF/README.md | 18 ++ .../ASimAuthenticationCiscoASA.json | 46 ++++ .../ARM/ASimAuthenticationCiscoASA/README.md | 18 ++ .../ASimAuthenticationCiscoISE.json | 46 ++++ .../ARM/ASimAuthenticationCiscoISE/README.md | 18 ++ .../ASimAuthenticationCiscoMeraki.json | 46 ++++ .../ASimAuthenticationCiscoMeraki/README.md | 18 ++ .../ASimAuthenticationM365Defender.json | 2 +- .../ASimAuthenticationMicrosoftMD4IoT.json | 2 +- ...imAuthenticationMicrosoftWindowsEvent.json | 2 +- .../ASimAuthenticationOktaOSS.json | 2 +- .../ASimAuthenticationPostgreSQL.json | 2 +- .../ASimAuthenticationSshd.json | 2 +- .../ASimAuthenticationSu.json | 2 +- .../ASimAuthenticationSudo.json | 2 +- .../ASimAuthenticationVectraXDRAudit.json | 46 ++++ .../README.md | 18 ++ .../ARM/FullDeploymentAuthentication.json | 200 ++++++++++++++++++ .../imAuthentication/imAuthentication.json | 2 +- .../vimAuthenticationBarracudaWAF/README.md | 18 ++ .../vimAuthenticationBarracudaWAF.json | 46 ++++ .../ARM/vimAuthenticationCiscoASA/README.md | 18 ++ .../vimAuthenticationCiscoASA.json | 46 ++++ .../ARM/vimAuthenticationCiscoISE/README.md | 18 ++ .../vimAuthenticationCiscoISE.json | 46 ++++ .../vimAuthenticationCiscoMeraki/README.md | 18 ++ .../vimAuthenticationCiscoMeraki.json | 46 ++++ .../vimAuthenticationVectraXDRAudit/README.md | 18 ++ .../vimAuthenticationVectraXDRAudit.json | 46 ++++ 36 files changed, 855 insertions(+), 15 deletions(-) create mode 100644 
Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md create mode 100644 
Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
index 492f075ed84..b0289436aba 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty\n , ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) ))\n , ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) ))\n , ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) ))\n , ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) ))\n , ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))\n , ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) ))\n , ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) ))\n , ASimAuthenticationSshd (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationSshd' in (DisabledParsers) ))\n , ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) ))\n , ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n 
ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))\n",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
index a7f9c3c38d2..e6cd556f988 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
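Review bot: The new union list is missing the comma between the `ASimAuthenticationSalesforceSC (...)` entry and the `ASimAuthenticationVectraXDRAudit (...)` entry that follows it, so the regenerated `query` is not valid KQL and the unifying ASimAuthentication function will fail, which in turn breaks every analytic rule and workbook that reads authentication events through it. Every other entry ends in `)),\n`; the Salesforce entry should read `ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n`. Because this template is generated, the correction belongs in the KQL function YAML it is built from, otherwise the next generator run reintroduces it. Separately, the diffstat shows a new ASimAuthenticationCiscoASA.json being created, yet CiscoASA is not added to this union while BarracudaWAF, CiscoISE, CiscoMeraki and VectraXDRAudit are; if that omission is not intentional, Cisco ASA sign-in events will never surface through the unifying parser.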
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for AAD managed identity sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n 
\"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" 
,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Managed Identity\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Service'\n , TargetUsernameType = 'Simple'\n , TargetUserIdType = 'AADID'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , 
LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser (disabled=disabled)", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - 
SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" 
,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/AAD',\n EventCount = int(1),\n EventProduct = 'AAD',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, 
Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
index b38bce83623..8bd8bc8ad96 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
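Review bot: The `Dvc = 'Microsft/AAD'` assignment in the extend block carries a misspelled vendor name ("Microsft") into the regenerated query, so anything that filters or groups on `Dvc` will not line up with the sibling AAD non-interactive parser in this same commit, which derives `Dvc` from `EventVendor` ('Microsoft'). It should read `Dvc = 'Microsoft/AAD',`, and since this file is generated from the parser YAML the correction has to be made there or the generator will bring it back. The same literal is present on the removed line, so this is inherited rather than introduced, but the reordering pass is the right moment to fix it. The remaining changes in the hunk are alphabetical reordering of the lookup rows and rename/extend lists and appear behavior-neutral.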
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for AAD non-interactive sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet AADNIAuthentication=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , EventSubType='NonInteractive'\n , 
TargetUsernameType='UPN'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(disabled)", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | 
extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'AAD',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
index f3be7e9f403..ab04186cdc3 100644
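Review bot: This parser exposes the client address only as `SrcDvcIpAddr = IPAddress` in the project-rename list, whereas the AAD managed-identity parser regenerated in the same commit renames it to `SrcIpAddr` and adds `Src`/`IpAddr` aliases; a detection written against `SrcIpAddr` will therefore see non-interactive sign-ins with no source address at all. Adding `SrcIpAddr = SrcDvcIpAddr,` to the alias extend block (or renaming to `SrcIpAddr` and keeping `SrcDvcIpAddr` as the alias, if that is what the newer schema expects) would close that gap. The divergence presumably stems from this parser still declaring `EventSchemaVersion = '0.1.0'` while the managed-identity parser declares '0.1.3'; bringing the two into line is better done in the source YAML than in this generated file. The `EventUid = _ItemId` rename is the only functional addition in the hunk; the rest is alphabetical reordering.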
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
@@ -35,7 +35,7 @@
 "displayName": "Authentication ASIM parser for AAD service principal sign-in logs",
 "category": "ASIM",
 "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs",
- "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n 
\"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" 
,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where \n not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = 
AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Service Principal\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Service'\n , TargetUsernameType = 'Simple'\n , TargetUserIdType = 'AADID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n , SrcGeoCountry = Location\n , SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n , SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n , SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser \n(\n disabled = disabled\n)",
+ "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - 
DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" 
,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" 
,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/AAD',\n EventCount = int(1),\n EventProduct = 'AAD',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n 
TargetAppType = \"Resource\",\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
index 518d0178770..d7093b5169b 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
@@ -35,7 +35,7 @@
 "displayName": "Authentication ASIM parser for AAD interactive sign-in logs",
 "category": "ASIM",
 "FunctionAlias": "ASimAuthenticationSigninLogs",
- "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Member', 'Regular',\n 'Guest','Guest', \n '',''\n];\nlet AADSigninLogs=(disabled:bool=false){\nSigninLogs | where not(disabled)\n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , EventSubType = 'Interactive'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= 
tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='UPN'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId\n };\n AADSigninLogs(disabled)\n", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n 
'500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'AAD',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcDvcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN'\n| extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n };\n parser \n (\n disabled = disabled\n )",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
index f451771481a..ef59fc9cb07 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
@@ -35,7 +35,7 @@
 "displayName": "Authentication ASIM parser for AWS sign-in logs",
 "category": "ASIM",
 "FunctionAlias": "ASimAuthenticationAWSCloudTrail",
- "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\"\n , username contains \"\\\\\", \"Windows\"\n , (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\"\n , isempty(username), \"\"\n , \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = 
tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. \n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser (disabled=disabled) ",
+ "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole 
are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\",\n username contains \"\\\\\", \"Windows\",\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\",\n isempty(username), \"\",\n \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalResultDetails = ErrorMessage,\n EventOriginalUid = AwsEventId,\n EventProductVersion = EventVersion,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetOriginalUserType = UserIdentityType,\n TargetUserScopeId = UserIdentityAccountId\n | extend\n Dvc = 'AWS',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'CloudTrail',\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'AWS',\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n LogonProtocol = 'HTTPS',\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n TargetUserIdType = 'AWSId',\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , 
UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. \n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational'),\n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n // -- Specific identifier aliases\n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n Dst = LogonTarget,\n Dvc = EventVendor,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n User = TargetUsername\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser \n (\n disabled = disabled\n )",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json
new file mode 100644
index 00000000000..070f3cfe65f
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationBarracudaWAF", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n EventName_s: string,\n 
EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n 
SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername= DestinationUserName\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n 
Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\nunion isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md new file mode 100644 index 00000000000..c798a479c18 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md @@ -0,0 +1,18 @@ +# Barracuda WAF ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Barracuda WAF. + +This ASIM parser supports normalizing the Barracuda WAF logs to the ASIM authentication normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
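Review bot: In `EventTypeLookup` the row `"UNSUCCESSFUL_LOGIN", "Logoff", "Failure"` normalizes a failed admin login on the WAF as a failed logoff, so any ASIM content that selects `EventType == "Logon" and EventResult == "Failure"` (brute-force or password-spray detections over imAuthentication) will silently miss these events. The row should read `"UNSUCCESSFUL_LOGIN", "Logon", "Failure"`; the same lookup is used by both the `barracuda_CL` and the `CommonSecurityLog` branch, so one fix corrects both. Because this ARM template is generated, the change belongs in the parser's source YAML so the next regeneration does not revert it.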
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationBarracudaWAF%2FASimAuthenticationBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationBarracudaWAF%2FASimAuthenticationBarracudaWAF.json) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json new file mode 100644 index 00000000000..0777b3bdadc --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoASA", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoASA", + "query": "let parser = (\n disabled:bool=false\n){\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", 
\"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog\n | where 
not(disabled) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress,EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> 
User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n ) \n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n 
| extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md new file mode 100644 index 00000000000..a5736c74ab9 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md @@ -0,0 +1,18 @@ +# Cisco Adaptive Security Appliance (ASA) ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Cisco Adaptive Security Appliance (ASA). + +This ASIM parser supports normalizing authentication events, collected from Cisco ASA devices, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
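Review bot: The 113010 branch parses `'user ' TargetUsername ' from server' SrcIpAddr` with no space before the capture, so if the message reads `... from server <ip>` the extracted SrcIpAddr carries a leading space and will not join or compare with addresses from other parsers, and the address captured is the AAA server that issued the challenge rather than the client, which then flows into `Src` and `IpAddr`. Suggest `parse Message with * 'user ' TargetUsername ' from server ' SrcIpAddr` and a check on whether that value belongs in a server-side field; I am inferring the message layout from the parse pattern, so confirm against a sample 113010 line. Separately, the query calls `_ASIM_GetUsernameType`, which this template does not deploy, so a standalone deployment fails at query time unless the ASIM helper functions are already in the workspace; a sentence in the README noting that prerequisite would help. As this JSON is generated, both changes go in the source YAML.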
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoASA%2FASimAuthenticationCiscoASA.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoASA%2FASimAuthenticationCiscoASA.json) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json new file mode 100644 index 00000000000..4511c0681c7 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoISE", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", 
\"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. 
Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n , TargetIpAddr=DestinationIPAddress\n , TargetPortNumber=DestinationPort\n , TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n , SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"Authentication\"\n , EventSchemaVersion = \"0.1.3\"\n // **************** *****************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , IpAddr = SrcIpAddr\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = TargetUsername\n // **************** ****************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md new file mode 100644 index 00000000000..6451de3a36f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md 
@@ -0,0 +1,18 @@
+# Cisco ISE ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco ISE.
+
+This ASIM parser supports normalizing Cisco ISE events produced by the Microsoft Sentinel Cisco ISE connector to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoISE%2FASimAuthenticationCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoISE%2FASimAuthenticationCiscoISE.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json
new file mode 100644
index 00000000000..d3bebebf18d
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoMeraki", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect 
key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: 
string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md new file mode 100644 index 00000000000..cbaeaa28df2 --- /dev/null 
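Review bot: `EventUid = _ResourceId` in the extend block that follows `parse-kv` assigns the log source's resource path as the event identifier, so every Meraki row from the same source carries the same EventUid and downstream de-duplication or correlation on that field cannot distinguish events; the M365 Defender parser touched in this same patch uses `EventUid = _ItemId`, and the same one-line change fits here. `DvcMacAddr = client_mac` also appears to copy the authenticating client's MAC into the reporting-device field while `Dvc`/`DvcHostname` are resolved from the Meraki device name via `_ASIM_ResolveDvcFQDN('Device')`, so it is worth confirming against the schema whether a Src-side field was intended. Finally, `where not(disabled)` is applied only after the `union`, whereas the Cisco ISE and M365 Defender parsers in this patch place it directly under each source table; moving it into both union branches lets a disabled parser short-circuit before scanning `meraki_CL` and `Syslog`.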
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md
@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Authentication normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoMeraki%2FASimAuthenticationCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoMeraki%2FASimAuthenticationCiscoMeraki.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
index 4d1c5c28f8b..ad62a970a48 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
@@ -35,7 +35,7 @@
 "displayName": "Authentication ASIM parser for M365 Defender Device Logon Events",
 "category": "ASIM",
 "FunctionAlias": "ASimAuthenticationM365Defender",
- "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n , ActorUsernameType = \"Simple\"\n , TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n , ActingProcessName = InitiatingProcessFolderPath\n , TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n , TargetUserIdType = 'SID'\n , ActorUserIdType = 'SID'\n , ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n , TargetUsername = iff (\n isempty(AccountDomain), 
AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n , TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n , ActorUsernameType = iff (InitiatingProcessAccountDomain == '','Simple', 'Windows')\n , ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName)\n | project-rename \n ActorUserId = InitiatingProcessAccountSid\n , TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n , ActorUserSid = ActorUserId\n , TargetWindowsUsername = TargetUsername\n , ActorWindowsUsername = ActorUsername\n , ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n EventOriginalResultDetails = FailureReason \n , EventOriginalType = LogonType\n , EventUid = _ItemId\n , LogonProtocol = Protocol\n , TargetDvcId = DeviceId\n , SrcHostname = RemoteDeviceName\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime = InitiatingProcessCreationTime\n , ActingProcessMD5 = InitiatingProcessMD5\n , ActingProcessSHA1 = InitiatingProcessSHA1 \n , ActingProcessSHA256 = InitiatingProcessSHA256\n , ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation = InitiatingProcessTokenElevation\n , ParentProcessName = InitiatingProcessParentFileName\n , ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n , ActorUserUpn = InitiatingProcessAccountUpn\n , ActorUserAadId = 
InitiatingProcessAccountObjectId\n , SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventSchemaVersion = '0.1.3'\n , EventType = 'Logon'\n , EventVendor = 'Microsoft'\n , EventProduct = 'M365 Defender for EndPoint'\n , EventSchema = 'Authentication'\n , TargetDvcIdType = 'MDEid'\n , ActingProcessId = tostring (InitiatingProcessId)\n , ParentProcessId = tostring (InitiatingProcessParentId)\n , EventOriginalUid = tostring (ReportId)\n , TargetSessionId = tostring (LogonId)\n , SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce(\n ActingProcessSHA256\n , ActingProcessSHA1\n , ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n , TargetHostname = ExtractedHostname\n , TargetDomainType = DomainType\n , TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n , DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n , Prcess = ActingProcessName\n , IpAddr = SrcIpAddr\n , ActingAppName = ActingProcessName\n , ActingAppType = \"Process\"\n , Dvc = coalesce (TargetFQDN, TargetHostname)\n , Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n , DvcFQDN = TargetFQDN\n , DvcHostname = TargetHostname\n , DvcDomain = TargetDomain\n , DvcDomainType = TargetDomainType\n , DvcId = TargetDvcId\n , DvcIdType = TargetDvcIdType\n , DvcOs = TargetDvcOs\n | extend \n LogonTarget = Dvc\n , Dst = Dvc\n | 
project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)",
+ "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat 
(InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n 
EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n 
DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
index 378e59e75a2..1e3a7d8b4a2 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
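Review bot: The new side of the `"query"` line reverses the hash preference: `Hash = coalesce(ActingProcessMD5, ActingProcessSHA1, ActingProcessSHA256)` now yields MD5 whenever it is populated, whereas the removed line preferred SHA256 first. This looks like a side effect of the argument reordering applied to the other `extend` clauses (which are order-insensitive), but `coalesce` is not — for hash-based matching the strongest available digest should win, so the previous order `Hash = coalesce(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5)` should be restored. The `HashType` lookup on the following line still resolves either way, so the regression is only in which value `Hash` carries. Separately, the alias `Prcess = ActingProcessName` carried over from the old side is likely a typo for `Process`, which is the name the MD4IoT parser in this same patch uses.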
@@ -35,7 +35,7 @@
 "displayName": "Authentication ASIM parser for Microsoft Defender for IoT endpoint logs",
 "category": "ASIM",
 "FunctionAlias": "ASimAuthenticationMD4IoT",
- "query": "let Authentication_MD4IoT=(disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName),\n SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(disabled)",
+ "query": "let parser=(disabled:bool=false)\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | project-rename EventUid = _ItemId\n | extend\n EventDetails = todynamic(EventDetails)\n | extend\n EventCount = int(1),\n EventEndTime = 
todatetime(TimeGenerated), \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success'), \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventVendor = 'Microsoft'\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n SrcIpAddr = tostring(EventDetails.RemoteAddress), \n TargetUsername = tostring(EventDetails.UserName),\n TargetUsernameType = \"Simple\"\n | project-rename\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion // -- Not available in Windows\n // -- aliases\n | extend \n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Process = ActingProcessName, \n SrcDvcIpAddr = SrcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled = disabled\n )",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
index 86928df5cf7..b5a1546bf08 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
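Review bot: The rewritten `parser` still sets neither `EventSchema` nor `EventSeverity`, while the M365 Defender parser in this same patch sets `EventSchema = 'Authentication'` and derives `EventSeverity` from `EventResult`; rows from this parser will be missed by any consumer that filters on those fields. Adding `EventSchema = 'Authentication',` to the first `extend` and a following `| extend EventSeverity = iff (EventResult == 'Success', 'Informational', 'Low')` (a separate `extend`, since `EventResult` is created in the same clause) would bring it in line. The `EventResult` expression also maps every `Operation` other than `LoginFailed` — including `Logout` — to `Success`, which is presumably intended but deserves a comment such as `// -- logoff events are reported as Success`.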
@@ -35,7 +35,7 @@
 "displayName": "Authentication ASIM parser for Windows Security Events",
 "category": "ASIM",
 "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent",
- "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 
'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\n let WinLogon=(disabled:bool=false){ \n WindowsEvent | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , 
EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName))),\n SrcDvcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend EventMessage = case(EventID == 4634, \"4634 - An account was logged off.\", \n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n TargetDvcHostname = Computer\n , EventOriginalUid=EventOriginId \n , EventOriginalType=EventID\n | extend EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n , ActorUsernameType= iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ) \n , TargetUsernameType=iff(TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , 
Dvc=SrcDvcHostname\n};\nlet SecEventLogon=(disabled:bool=false){\n SecurityEvent | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n EventMessage = Activity\n , ActorSessionId=SubjectLogonId\n , TargetSessionId=TargetLogonId\n , ActorUserId=SubjectUserSid\n , TargetUserId =TargetUserSid\n , SrcDvcHostname = WorkstationName\n , TargetDvcHostname = Computer\n , EventOriginalUid = EventOriginId\n , LogonProtocol=AuthenticationPackageName\n , SrcDvcIpAddr=IpAddress\n , EventOriginalType=EventID\n | extend EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventProduct = \"Security Events\"\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n , ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount)\n , ActorUsernameType= iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' )\n , TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), trim(@'\\\\',TargetAccount))\n , TargetUsernameType=iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , Dvc=SrcDvcHostname\n };\nunion isfuzzy=true SecEventLogon(disabled), WinLogon(disabled)\n",
+ "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, 
EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 
'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\nlet WinLogon=(disabled:bool=false){ \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcDvcHostname = tostring(EventData.WorkstationName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = 
tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4634, \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-',''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername\n};\nlet SecEventLogon=(disabled:bool=false){\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n 
EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcDvcHostname = WorkstationName,\n SrcDvcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), trim(@'\\\\',TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername\n };\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)\n",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
index b9ca13c2f11..a12916786e4 100644
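Review bot: `EventUid = _ItemId` is added only to the `WinLogon` branch's `project-rename`; the `SecEventLogon` branch gets the same rename treatment but no `EventUid`, so after `union isfuzzy=true` the column is empty for every SecurityEvent row. Adding `EventUid = _ItemId,` to SecEventLogon's `project-rename` keeps the two branches aligned, assuming SecurityEvent exposes `_ItemId` the way WindowsEvent does. In `WinLogon`, `EventStatus = iff(SubStatus=='0x0',Status,SubStatus)` is still computed twice — once in its own `extend` directly after the EventData projection and again in the later `extend` that sets `EventCount` — so the second copy is redundant and can be dropped.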
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Okta", "category": "ASIM", "FunctionAlias": "ASimAuthenticationOktaSSO", - "query": "let OktaSignin=(disabled:bool=false){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL | where not(disabled)\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s\n , TargetUserIdType='OktaId'\n , TargetUsernameType='UPN'\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , ActingAppType = \"Browser\"\n | project-rename \n EventMessage=displayMessage_s\n ,EventOriginalResultDetails=outcome_reason_s\n , LogonMethod = authenticationContext_credentialType_s\n , TargetSessionId=authenticationContext_externalSessionId_s\n , TargetUserId= actor_id_s\n , TargetUsername=actor_alternateId_s\n , TargetUserType=actor_type_s\n , SrcDvcOs=client_userAgent_os_s\n , HttpUserAgent=client_userAgent_rawUserAgent_s\n , ActingAppName = client_userAgent_browser_s\n , SrcIsp=securityContext_isp_s\n , SrcGeoCity=client_geographicalContext_city_s\n , SrcGeoCountry=client_geographicalContext_country_s\n , EventOriginalUid = uuid_g\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n | project-away *_s, *_d, *_b, *_g, *_t\n };\nOktaSignin(disabled)\n", + "query": "let parser=(disabled:bool=false){\n 
let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL \n | where not(disabled)\n | where eventType_s in (OktaSigninEvents)\n | extend \n ActingAppType = \"Browser\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Okta',\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = legacyEventType_s,\n EventType = iff(eventType_s hassuffix 'start', 'Logon', 'Logoff'),\n EventVendor = 'Okta',\n SrcGeoLatitude = toreal(client_geographicalContext_geolocation_lat_d),\n SrcGeoLongitude = toreal(client_geographicalContext_geolocation_lon_d),\n TargetUserIdType = 'OktaId',\n TargetUsernameType = 'UPN'\n | project-rename \n ActingAppName = client_userAgent_browser_s,\n EventMessage = displayMessage_s,\n EventOriginalResultDetails = outcome_reason_s,\n EventOriginalUid = uuid_g,\n HttpUserAgent = client_userAgent_rawUserAgent_s,\n LogonMethod = authenticationContext_credentialType_s,\n SrcDvcOs = client_userAgent_os_s,\n SrcGeoCity = client_geographicalContext_city_s,\n SrcGeoCountry = client_geographicalContext_country_s,\n SrcIsp = securityContext_isp_s,\n TargetSessionId = authenticationContext_externalSessionId_s,\n TargetUserId = actor_id_s,\n TargetUsername = actor_alternateId_s,\n TargetUserType = actor_type_s,\n EventUid = _ItemId\n // ** Aliases\n | extend \n Dvc = EventVendor,\n User = TargetUsername\n | project-away *_s, *_d, *_b, *_g, *_t\n };\nparser(disabled=disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } 
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
index 7b42e3b357e..89c5ce196a9 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for PostgreSQL", "category": "ASIM", "FunctionAlias": "ASimAuthenticationPostgreSQL", - "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , EventOriginalRestultDetails = 'Connection authorized'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has 'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'User authentication failed'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// 
************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has_all ('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'Role does not exist'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n , SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'No entry for user'\n// ************************ \n// 
\n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logoff'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , SrcIpAddr = extract(@'host=\\[?(.*?)\\]?', 1, RawData)\n , EventResultDetails = 'Session expired'\n , EventOriginalRestultDetails = 'User session closed'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nunion isfuzzy=false PostgreSQLSignInAuthorized(disabled), PostgreSQLAuthFailure1(disabled), PostgreSQLAuthFailure2(disabled), PostgreSQLAuthFailure3(disabled), PostgreSQLDisconnect(disabled)\n", + "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'connection authorized'\n| project-rename \n EventUid = _ItemId\n| extend\n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Connection authorized',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n 
EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc=Computer,\n User=TargetUsername\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'authentication failed'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('role', 'does', 'not', 'exist')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Role does not exist',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n 
EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('no', 'entry', 'user')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'No entry for user',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData),\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'disconnection'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventResultDetails = 'Session expired',\n EventSchema = 
'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host=\\[?(.*?)\\]?', 1, RawData),\n TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nunion isfuzzy=false \n PostgreSQLSignInAuthorized(disabled = disabled), \n PostgreSQLAuthFailure1(disabled = disabled), \n PostgreSQLAuthFailure2(disabled = disabled), \n PostgreSQLAuthFailure3(disabled = disabled), \n PostgreSQLDisconnect(disabled = disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json index c7943e41adf..a370118546f 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json 
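Review bot: The new query renames `_ItemId` to `EventUid` only inside `PostgreSQLSignInAuthorized`; the other four sub-parsers (`PostgreSQLAuthFailure1/2/3`, `PostgreSQLDisconnect`) neither rename nor project away `_ItemId`, so after the `union isfuzzy=false` the output carries both an `EventUid` column populated only for 'connection authorized' rows and a raw `_ItemId` column for the rest, and every failed-logon and disconnect event lacks the ASIM event identifier. Add the same `| project-rename EventUid = _ItemId` step to each of the other four functions (in the source YAML this template is generated from, since the JSON is a build artifact). While there, the `DvcIpAddr` extract used by all five functions reads `\d{1,3}\.\d{1.3}\.\d{1,3}\.\d{1,3}` — the second quantifier is `{1.3}`, not `{1,3}`, so the pattern cannot match a dotted-quad and `DvcIpAddr` is presumably always empty; the intended expression is `extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', 0, Computer)` (note also that capture group 1 does not exist in this regex, so the group index should be 0). The field name `EventOriginalRestultDetails`, carried over in all five functions, is misspelled relative to the schema's `EventOriginalResultDetails`, which will leave the field unpopulated for consumers that key on the correct name.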
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for OpenSSH sshd", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSshd", - "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventResult = 'Success'\n , EventSeverity = 'Informational'\n , EventType = 'Logon'\n , EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low' \n , EventType = 'Logon'\n , LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n , EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n , EventCount = toint(coalesce(EventCount,1))\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let 
SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventSeverity = 'Informational'\n , EventType = 'Logoff'\n , EventResult = 'Success'\n , EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low'\n , EventType = 'Logon'\n , EventResultDetails = 'No such user'\n , EventCount = int(1)\n , SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n , SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , 
TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled)\n , SSHDFailed (disabled=disabled)\n , SSHDInvalidUser (disabled=disabled)\n , SSHDTimeout 
(disabled=disabled)\n , SSHDABreakInAttemptMappingFailed (disabled=disabled)\n , SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n , SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n , EventProduct = 'OpenSSH'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n , LogonProtocol = 'ssh'\n , TargetAppName = 'sshd'\n , TargetAppType = 'Service'\n , EventSubType = 'Remote'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetUsernameType = 'Simple'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = _SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , TargetIpAddr = DvcIpAddr\n };\n parser (disabled=disabled)", + "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 
'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon',\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage 
startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n 
EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n 
DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled=disabled\n )", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json index 5e9205fd09c..d9ffad48a12 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json 
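Review bot: In `SSHDAccepted` the filter admits any message that `startswith 'Accepted'`, but the `parse` step matches only the literal `"Accepted password for "`; for other accepted methods (the `SSHDFailed` comment in the same hunk already anticipates `password|none|publickey` variants) the row is still emitted with `EventResult = 'Success'` while `TargetUsername`, `SrcIpAddr` and `SrcPortNumber` stay empty, so successful key-based logons are not attributable to a user or source — a gap for any detection built on this parser. Mirror the Failed branch with `| parse SyslogMessage with "Accepted " LogonMethodRaw:string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int *` and derive `LogonMethod = iff(LogonMethodRaw == 'publickey', 'PKI', 'Username & password')` as the Failed branch does, then update the function's header comment to describe the generalized format. Since this JSON is generated from the parser YAML, the change belongs in the source YAML. Separately, `SSHDABreakInAttemptNastyPtr` still keeps `SyslogProjects | where not(disabled)` on one line while every sibling function was split across two lines in this commit, which looks like an oversight in the reformat.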
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Linux su", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSu", - "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername:string \" by \" ActorUsername:string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n };\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n , SuDisconnect(disabled = disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n EventVendor = 'Linux'\n , EventProduct = 'su'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , ActorUsernameType = 'Simple'\n , TargetUsernameType = 'Simple'\n , EventSeverity = 'Informational'\n , ActingAppType = 'Process'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = 
_SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , TargetIpAddr = DvcIpAddr\n};\n parser (disabled=disabled) ", + "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername:string \" by \" ActorUsername:string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n };\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SuDisconnect(disabled = disabled),\n SuSignInAuthorized (disabled = disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n ActingAppId = tostring(ProcessID),\n ActingAppType = 'Process',\n ActorUsernameType = 'Simple',\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 
'su',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventSeverity = 'Informational',\n EventStartTime = TimeGenerated,\n EventVendor = 'Linux',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n};\n parser (\n disabled=disabled\n) ", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json index 8c43f376256..787a1217f61 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Syslog sudo", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSudo", - "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and SyslogMessage has 'TTY=' and SyslogMessage has 'USER='and SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo'\n , EventProduct = 'sudo'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , ActorUsernameType = 'Simple'\n , ActorUsername = extract(@'^(.*?):', 1, SyslogMessage)\n , TargetUsernameType = 'Simple'\n , EventResultDetails = 'Other'\n , EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo'\n , EventProduct = 'sudo'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , ActorUsernameType = 'Simple'\n , 
ActorUsername = extract(@'^(.*?):', 1, SyslogMessage)\n , TargetUsernameType = 'Simple'\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'User authentication failed'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventVendor = 'sudo'\n , EventProduct = 'sudo'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logoff'\n , DvcHostname = Computer\n , TargetUsernameType = 'Simple'\n , EventResultDetails = 'Other'\n , EventOriginalRestultDetails = 'User session closed'\n// ************************\n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false SudoSignInAuthorized(disabled), SudoAuthFailure1(disabled), SudoDisconnect(disabled)", + "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = 
extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n 
TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json new file mode 100644 index 00000000000..1d1acc98e3a --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json 
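Review bot: EventUid is now populated only in the SudoAuthFailure1 branch (`EventUid = _ItemId` in its project-rename), while SudoSignInAuthorized and SudoDisconnect still emit no EventUid, so after `union isfuzzy=false` the column is empty for every successful logon and logoff; add `EventUid = _ItemId` to the project-rename of the other two branches, or rename it once in a shared step after the union. The field `EventOriginalRestultDetails`, written in all three branches, is misspelled (the schema field is `EventOriginalResultDetails`), so content that reads the schema name will never see these values. `ActorUsername = extract(@'^(.*?):', 1, SyslogMessage)` captures everything before the first colon; sudo typically pads the invoking user in that position (` user : TTY=...`), so the value likely carries surrounding whitespace and would miss exact-match joins — consider wrapping it in `trim(' ', ...)`. This template is generated, so these fixes belong in the source YAML.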
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationVectraXDRAudit", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationVectraXDRAudit", + "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\")\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = 
source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md new file mode 100644 index 00000000000..45a71334feb --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md @@ -0,0 +1,18 @@ +# Vectra ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Vectra. + +This ASIM parser supports normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
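Review bot: `source_ip_s` is renamed to `DvcIpAddr` and aliased as `Dvc`, but if, as the column name suggests, it is the address the login/logout came from, it belongs in `SrcIpAddr` (with the `IpAddr`/`Src` aliases): source-IP-based detections on the Authentication schema (brute force, impossible travel) read SrcIpAddr and would never see Vectra events, while DvcIpAddr is meant for the reporting appliance — confirm against the Vectra audit record layout. `EventUid = tostring(toint(id_d))` and `ActorUserId = tostring(toint(user_id_d))` become empty once an id exceeds the 32-bit range; `tolong(...)` is the safer cast for an identifier. No `EventSeverity` is set, unlike the other parsers in this change (the sudo parser sets `'Informational'`), so severity-keyed content gets nothing for this source. This file is generated; fix the source YAML.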
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVectraXDRAudit%2FASimAuthenticationVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVectraXDRAudit%2FASimAuthenticationVectraXDRAudit.json) diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 68301cc5322..ad8e5b99bed 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json 
@@ -138,6 +138,86 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationBarracudaWAF", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoASA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoISE", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoMeraki", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -318,6 +398,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationVectraXDRAudit", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
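Review bot: Each new linked deployment fetches its template from `https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/...` at deploy time, so what gets installed is whatever is on `master` at that moment, with no integrity check — `contentVersion: 1.0.0.0` is declared but does not pin content. This matches the existing entries in the file, so it is a repo-wide convention rather than a regression, but deployments into controlled environments should pin the URI to a commit SHA or release tag instead of `master`, or vendor the templates; a one-line note to that effect in the deployment README would help. Generated file; any change belongs in the generator.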
@@ -438,6 +538,86 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationBarracudaWAF", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoASA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoISE", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoMeraki", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -617,6 +797,26 @@ } } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationVectraXDRAudit", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } } ], "outputs": {} diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index fdbcc4f0f74..d17b9962222 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, 
(imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, 
(imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md new file mode 100644 index 00000000000..653affdcc9f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md @@ -0,0 +1,18 @@ +# Barracuda WAF ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Barracuda WAF. + +This ASIM parser supports normalizing the Barracuda WAF logs to the ASIM authentication normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
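Review bot: The new `vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or ...))` call passes three arguments where every sibling passes four, so the disabled flag lands in the `targetusername_has` position; depending on the vim parser's signature this either makes the watchlist-based disable a no-op for Vectra or fails type checking, which `union isfuzzy=true` would silently swallow, dropping the source from imAuthentication. Change it to `vimAuthenticationVectraXDRAudit (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))`. `vimAuthenticationCiscoASA` is wired into FullDeploymentAuthentication.json in this same commit but is not added to this union, so imAuthentication would not return Cisco ASA events — confirm whether that omission is intended. This file is generated; fix the source YAML.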
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json new file mode 100644 index 00000000000..732f70611bb --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationBarracudaWAF", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n 
EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (\n starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n targetusername_has: string = \"*\",\n disabled: bool = false) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (AdminName_s has targetusername_has))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | 
extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (DestinationUserName has targetusername_has))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = 
EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n targetusername_has = targetusername_has,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md new file mode 100644 index 00000000000..98149d223ff --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md 
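Review bot: The EventTypeLookup datatable inside the query string maps `"UNSUCCESSFUL_LOGIN", "Logoff", "Failure"`, so failed Barracuda logins are normalized with EventType Logoff and would be missed by any content that selects on EventType == "Logon" and EventResult == "Failure"; the row should read `"UNSUCCESSFUL_LOGIN", "Logon", "Failure"`. Since this template is generated from the parser YAML, the correction belongs in the source YAML rather than in this file, or the next regeneration will reintroduce it. Separately, the targetusername_has parameter is applied to AdminName_s / DestinationUserName but the value is only projected as ActorUsername, so a caller filtering on targetusername_has receives no TargetUsername column; presumably that is deliberate for admin audit events, but a comment in the parser saying so would help.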
@@ -0,0 +1,18 @@ +# Cisco Adaptive Security Appliance (ASA) ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Cisco Adaptive Security Appliance (ASA). + +This ASIM parser supports normalizing authentication events, collected from Cisco ASA devices, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json new file mode 100644 index 00000000000..080a87ca1f0 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoASA", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoASA", + "query": "let parser = (\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n) {\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", 
\"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", 
\"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where (targetusername_has=='*' or (Message has targetusername_has))\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress, EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | 
where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n 
LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", 
EventResultDetails)\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n) ", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md new file mode 100644 index 00000000000..ff0a2814501 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md @@ -0,0 +1,18 @@ +# Cisco ISE ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Cisco ISE. + +This ASIM parser supports normalizing Cisco ISE events produced by the Microsoft Sentinel Cisco ISE connector to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
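Review bot: The savedSearches resource in this vimAuthenticationCiscoASA.json template is named and aliased as the ASim parser, `"name": "ASimAuthenticationCiscoASA"` and `"FunctionAlias": "ASimAuthenticationCiscoASA"`, even though the query defines the parameterized filtering parser, so deploying it would overwrite the ASimAuthenticationCiscoASA function with one that takes filtering parameters and would not create a vimAuthenticationCiscoASA alias at all. Both lines should read `vimAuthenticationCiscoASA`, matching the Barracuda and Cisco ISE templates in this commit and the alias the unifying imAuthentication parser presumably calls. Because the file is bot-generated, the alias metadata likely needs fixing in the source YAML so the next regeneration does not reintroduce the mismatch.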
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json new file mode 100644 index 00000000000..b9cb22b3228 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationCiscoISE", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n )[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", 
\"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. 
Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\", \n disabled: bool=false) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or SyslogMessage has targetusername_has)\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n 
TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** **********************************\n | where (targetusername_has == '*' or TargetUsername has targetusername_has)\n // ********************** *********************************\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime, \n 
endtime=endtime,\n targetusername_has=targetusername_has, \n disabled=disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md new file mode 100644 index 00000000000..a36bf373a9a --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md @@ -0,0 +1,18 @@ +# Cisco Meraki ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Cisco Meraki. + +This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Authentication normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json new file mode 100644 index 00000000000..412ad7f6428 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json 
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimAuthenticationCiscoMeraki",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "ASIM Authentication parser for Cisco Meraki",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuthenticationCiscoMeraki",
+ "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect 
key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), targetusername_has: string='*') {\n union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and targetusername_has == \"*\" or LogMessage has targetusername_has\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse 
Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n | where (targetusername_has == \"*\" or TargetUsername has targetusername_has)\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, targetusername_has=targetusername_has)\n",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md
new file mode 100644
index 00000000000..cb7cfd9ba2d
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md
@@ -0,0 +1,18 @@
+# Vectra ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Vectra.
+
+This ASIM parser supports filtering and normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
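Review bot: The first `where` of the vimAuthenticationCiscoMeraki query (the `"query"` string in this hunk) is missing parentheses around the username clause: `and targetusername_has == "*" or LogMessage has targetusername_has and (...)` is parsed by KQL with `and` binding tighter than `or`, so when a caller supplies `targetusername_has`, the `not(disabled)`, `LogMessage has "events"` and starttime/endtime conditions end up in the left operand and are never applied to rows matched by the right one. Only `LogType == "events"` and the username match are re-checked further down, so a disabled parser or an out-of-window query still returns rows whenever a username filter is given. The fix is one line: `and (targetusername_has == "*" or LogMessage has targetusername_has)`. If this JSON is produced from a YAML parser definition, the change belongs in that source so the next regeneration does not undo it.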
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json
new file mode 100644
index 00000000000..c0e1080bac8
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimAuthenticationVectraXDRAudit",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuthenticationVectraXDRAudit",
+ "query": "let parser = (disabled:bool = false, starttime:datetime=datetime(null), endtime:datetime=datetime(null))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\") and (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime)\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n 
ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, starttime=starttime, endtime=endtime)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null)"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
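Review bot: The vimAuthenticationVectraXDRAudit query in this hunk sets EventResult and EventType but never populates `EventSeverity`, whereas the Cisco Meraki parser in the same commit assigns it for every row (Low for failed logons, Informational otherwise); failed Vectra logins would therefore reach the schema with an empty severity. Adding `| extend EventSeverity = iff(EventResult == "Failure", "Low", "Informational")` after the first `extend` would bring it in line with the Meraki mapping. `ActorUsernameType = "UPN"` is also hard-coded although nothing on the page shows that `username_s` is always a UPN; if the source does not guarantee that, deriving it from the value (`ActorUsernameType = iff(username_s contains "@", "UPN", "Simple")`) avoids mislabelling plain account names. Likewise, if `source_ip_s` is the address the actor logged in from rather than the Vectra appliance itself, it belongs in `SrcIpAddr` instead of `DvcIpAddr`/`Dvc`.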