authentication native parser
Alekhya0824 committed Dec 10, 2024
1 parent d21fa9c commit 834a40f
Showing 4 changed files with 149 additions and 4 deletions.
6 changes: 4 additions & 2 deletions Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM parser
Version: '0.2.5'
LastUpdated: June 7, 2024
Version: '0.2.6'
LastUpdated: Dece 10, 2024
Product:
Name: Source agnostic
Normalization:
Expand Down Expand Up @@ -52,6 +52,7 @@ ParserQuery: |
ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),
ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),
ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) ))
ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) ))
Parsers:
- _Im_Authentication_Empty
- _ASim_Authentication_AADManagedIdentitySignInLogs
Expand Down Expand Up @@ -82,3 +83,4 @@ Parsers:
- _ASim_Authentication_GoogleWorkspace
- _ASim_Authentication_SalesforceSC
- _ASim_Authentication_IllumioSaaSCore
- _ASim_Authentication_Native
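Review bot: The new `ASimAuthenticationNative (...)` union entry is appended directly after the `ASimAuthenticationIllumioSaaSCore` line, which carries no trailing comma, whereas the entries above it (`...VMwareCarbonBlackCloud`, `...CrowdStrikeFalconHost`) are comma-separated; KQL's `union` takes comma-separated operands, so the source-agnostic parser would stop compiling and every Authentication detection built on it would lose coverage, not just the native table. The fix is to end the IllumioSaaSCore line with a comma: `ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),`. The `union` statement enclosing these lines starts outside the hunk. Separately, `LastUpdated: Dece 10, 2024` should read `Dec 10, 2024`; the same typo appears in imAuthentication.yaml, ASimAuthenticationNative.yaml and vimAuthenticationNative.yaml.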
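--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationNative.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationNative.yaml
@@ -0,0 +1,41 @@
+Parser:
+Title: Authentication Event ASIM parser for Microsoft Sentinel native Authentication table
+Version: '0.1.1'
+LastUpdated: Dece 10, 2024
+Product:
+Name: Native
+Normalization:
+Schema: Authentication
+Version: '0.1.1'
+References:
+- Title: ASIM Authentication Schema
+Link: https://aka.ms/ASimAuthenticationDoc
+- Title: ASIM
+Link: https://aka.ms/AboutASIM
+Description: |
+This ASIM parser supports normalizing the native Microsoft Sentinel Authentication table (ASimAuthenticationEventLogs) to the ASIM Authentication Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: ASimAuthenticationNative
+EquivalentBuiltInParser: _ASim_Authentication_Native
+ParserParams:
+- Name: disabled
+Type: bool
+Default: false
+ParserQuery: |
+let parser=(disabled:bool=false)
+{
+ASimAuthenticationEventLogs | where not(disabled)
+| project-rename
+EventUid = _ItemId
+| extend
+User = TargetUsername,
+Src = coalesce (SrcDvcId, SrcHostname, or SrcIpAddr),
+IpAddr=SrcIpAddr,
+LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),
+Dst = coalesce (TargerDvcId, TargetHostname, TargetIpAddr, TargetAppId,TargetAppName),
+Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),
+EventStartTime = TimeGenerated,
+EventSchema = "Authentication"
+| project-away
+TenantId, SourceSystem, _ResourceId, _SubscriptionId
+};
+parser (disabled=disabled)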
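Review bot: In the `extend` block, `Src = coalesce (SrcDvcId, SrcHostname, or SrcIpAddr)` puts a bare `or` inside the argument list, which is not valid function-call syntax in KQL and will stop the parser compiling; the line should be `Src = coalesce(SrcDvcId, SrcHostname, SrcIpAddr),`. On the `Dst` line, `TargerDvcId` looks like a misspelling of the ASIM column `TargetDvcId` and would presumably fail name resolution against the table — confirm the column name before deploying. Both lines are duplicated verbatim in vimAuthenticationNative.yaml and need the same fix there. The filtering parser also sets `EventEndTime = TimeGenerated`, which this parser omits; unless that is intentional, add it next to `EventStartTime` so the two parsers expose the same column set.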
6 changes: 4 additions & 2 deletions Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM filtering parser
Version: '0.3.2'
LastUpdated: May 20, 2024
Version: '0.3.3'
LastUpdated: Dece 10, 2024
Product:
Name: Source agnostic
Normalization:
Expand Down Expand Up @@ -80,6 +80,7 @@ ParserQuery: |
, vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) )))
, vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))
, vimAuthenticationIllumioSaaSCore (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationIllumioSaaS' in (DisabledParsers) )))
, vimAuthenticationNative (starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled= (imAuthenticationBuiltInDisabled or('ExcludevimAuthenticationNative' in (DisabledParsers) )))
};
Generic(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, pack=pack)
Parsers:
Expand Down Expand Up @@ -111,3 +112,4 @@ Parsers:
- _Im_Authentication_VMwareCarbonBlackCloud
- _Im_Authentication_CrowdStrikeFalconHost
- _Im_Authentication_IllumioSaaSCore
- _Im_Authentication_Native
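--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationNative.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationNative.yaml
@@ -0,0 +1,100 @@
+Parser:
+Title: Authentication Event ASIM filtering parser for Microsoft Sentinel native Authentication table
+Version: '0.1.1'
+LastUpdated: Dece 10, 2024
+Product:
+Name: Native
+Normalization:
+Schema: Authentication
+Version: '0.1.1'
+References:
+- Title: ASIM Authentication Schema
+Link: https://aka.ms/ASimAuthenticationDoc
+- Title: ASIM
+Link: https://aka.ms/AboutASIM
+Description: |
+This ASIM parser supports filtering and normalizing the native Microsoft Sentinel Authentication table (ASimAuthenticationEventLogs) to the ASIM Authentication Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time.
+ParserName: vimAuthenticationNative
+EquivalentBuiltInParser: _Im_Authentication_Native
+ParserParams:
+- Name: starttime
+Type: datetime
+Default: datetime(null)
+- Name: endtime
+Type: datetime
+Default: datetime(null)
+- Name: srcipaddr
+Type: string
+Default: '*'
+- Name: domain_has_any
+Type: dynamic
+Default: dynamic([])
+- Name: responsecodename
+Type: string
+Default: '*'
+- Name: response_has_ipv4
+Type: string
+Default: '*'
+- Name: response_has_any_prefix
+Type: dynamic
+Default: dynamic([])
+- Name: eventtype
+Type: string
+Default: 'Query'
+- Name: disabled
+Type: bool
+Default: false
+
+ParserQuery: |
+let parser=
+(
+starttime: datetime=datetime(null),
+endtime: datetime=datetime(null),
+username_has_any: dynamic = dynamic([]),
+targetappname_has_any: dynamic = dynamic([]),
+srcipaddr_has_any_prefix: dynamic = dynamic([]),
+srchostname_has_any: dynamic = dynamic([]),
+eventtype_in: dynamic = dynamic([]),
+eventresultdetails_in: dynamic = dynamic([]),
+eventresult: string = '*',
+disabled: bool=false
+)
+{
+ASimAuthenticationEventLogs | where not(disabled)
+// -- Pre-parsing filtering:
+| where
+(isnull(starttime) or TimeGenerated >= starttime)
+and (isnull(endtime) or TimeGenerated <= endtime)
+and ((array_length(username_has_any) == 0) or ActorUsername has_any (username_has_any))
+and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source
+and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))
+and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source
+and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))
+and (array_length(eventresultdetails_in) == 0)
+and (eventresult == "*" or (EventResult == eventresult))
+// --
+| project-rename
+EventUid = _ItemId
+| extend
+User = TargetUsername,
+Src = coalesce (SrcDvcId, SrcHostname, or SrcIpAddr),
+IpAddr=SrcIpAddr,
+LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),
+Dst = coalesce (TargerDvcId, TargetHostname, TargetIpAddr, TargetAppId,TargetAppName),
+Rule = coalesce(NetworkRuleName, tostring(NetworkRuleNumber)),
+EventStartTime = TimeGenerated,
+EventEndTime = TimeGenerated,
+EventSchema = "Authentication"
+| project-away
+TenantId, SourceSystem, _ResourceId, _SubscriptionId
+};
+parser (starttime=starttime,
+endtime=endtime,
+username_has_any=username_has_any,
+targetappname_has_any=targetappname_has_any,
+srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,
+srchostname_has_any=srchostname_has_any,
+eventtype_in=eventtype_in,
+eventresultdetails_in=eventresultdetails_in,
+eventresult=eventresult,
+disabled=disable)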
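Review bot: The closing invocation ends with `disabled=disable)`, a name that is defined nowhere in the query, so the function cannot be invoked at all; it should read `disabled=disabled)`. The `ParserParams` block is also out of step with the query it describes: it declares `srcipaddr`, `domain_has_any`, `responsecodename`, `response_has_ipv4`, `response_has_any_prefix` and an `eventtype` defaulting to `'Query'`, none of which the `let parser=` signature accepts, while the real parameters (`username_has_any`, `targetappname_has_any`, `srcipaddr_has_any_prefix`, `srchostname_has_any`, `eventtype_in`, `eventresultdetails_in`, `eventresult`) are absent — this metadata presumably feeds the deployed function's parameter list, so it should mirror the signature exactly. The pre-parsing filter hard-codes `array_length(targetappname_has_any) == 0` and `array_length(srchostname_has_any) == 0` with comments saying those fields are not in the source, yet the `extend` reads `TargetAppName` and `SrcHostname` from the same table, so any caller that passes either filter silently gets zero rows; either filter on them (`TargetAppName has_any (targetappname_has_any)`, `SrcHostname has_any (srchostname_has_any)`) or drop the aliases. Likewise `username_has_any` is matched only against `ActorUsername` while the `User` alias is `TargetUsername`, so filtering by the user shown in the output can exclude the very row it came from.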
