update

Azure · Dec 13, 2024 · b41352e · b41352e
1 parent c6c1afd
commit b41352e
Show file tree

Hide file tree

Showing 10 changed files with 142 additions and 5 deletions.
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
@@ -1,7 +1,7 @@
 Parser:
   Title: Audit event ASIM parser
-  Version: '0.1.2'
-  LastUpdated: Jun 7, 2024
+  Version: '0.1.3'
+  LastUpdated: Dec 13, 2024
 Product:
   Name: Source agnostic
 Normalization:
@@ -34,6 +34,7 @@ Parsers:
   - _ASim_AuditEvent_VMwareCarbonBlackCloud
   - _ASim_AuditEvent_InfobloxBloxOne
   - _ASim_AuditEvent_IllumioSaaSCore
+  - _ASim_AuditEvent_Native
 ParserParams:
   - Name: pack
     Type: bool
@@ -59,3 +60,4 @@ ParserQuery: |
     ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),
     ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),
     ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))
+    ASimAuditEventNative(BuiltInDisabled or ('ExcludeASimAuditEventNative' in (DisabledParsers)))
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventNative.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventNative.yaml
@@ -0,0 +1,37 @@
+Parser:
+  Title: Audit Event ASIM parser for Microsoft Sentinel native Audit Event table
+  Version: '0.1.1'
+  LastUpdated: Dec 13, 2024
+Product:
+  Name: Native
+Normalization:
+  Schema: AuditEvent
+  Version: '0.1'
+References:
+- Title: ASIM Audit Event Schema
+  Link: https://aka.ms/ASimAuditEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports normalizing the native Microsoft Sentinel Audit Event table (ASimAuditEventLogs) to the ASIM Audit Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time. 
+ParserName: ASimAuditEventNative
+EquivalentBuiltInParser: _ASim_AuditEvent_Native
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser=(disabled:bool=false) 
+  {
+    ASimAuditEventLogs  | where not(disabled)
+      | project-rename
+          EventUid = _ItemId
+      | extend
+          Value	= NewValue,
+          User =  ActorUsername,
+          Application =  TargetAppName,
+          Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName)  
+      | project-away
+          TenantId, SourceSystem, _ResourceId, _SubscriptionId
+  };
+  parser  (disabled=disabled)
diff --git a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
@@ -1,7 +1,7 @@
 Parser:
   Title: Audit event ASIM filtering parser.
-  Version: '0.1.3'
-  LastUpdated: Jun 7, 2024
+  Version: '0.1.4'
+  LastUpdated: Dec 13, 2024
 Product:
   Name: Source agnostic
 Normalization:
@@ -34,6 +34,7 @@ Parsers:
   - _Im_AuditEvent_VMwareCarbonBlackCloud
   - _Im_AuditEvent_InfobloxBloxOne
   - _Im_AuditEvent_IllumioSaaSCore
+  - _Im_AuditEvent_Native
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -90,4 +91,4 @@ ParserQuery: |
       vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))),
       vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))),
       vimAuditEventIllumioSaaSCore(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers))))
-
+      vimAuditEventNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventNative' in (DisabledParsers))))
diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventNative.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventNative.yaml
@@ -0,0 +1,97 @@
+Parser:
+  Title: Audit Event ASIM filtering parser for Microsoft Sentinel native Audit Event table
+  Version: '0.1.1'
+  LastUpdated: Dec 13, 2024
+Product:
+  Name: Native
+Normalization:
+  Schema: AuditEvent
+  Version: '0.1'
+References:
+- Title: ASIM Audit Event Schema
+  Link: https://aka.ms/ASimAuditEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports filtering and normalizing the native Microsoft Sentinel Audit Event table (ASimAuditEventLogs) to the ASIM Audit Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time. 
+ParserName: vimAuditEventNative
+EquivalentBuiltInParser: _Im_AuditEvent_Native
+ParserParams:
+    - Name: starttime
+      Type: datetime
+      Default: datetime(null)
+    - Name: endtime
+      Type: datetime
+      Default: datetime(null)
+    - Name: srcipaddr_has_any_prefix
+      Type: dynamic
+      Default: dynamic([])
+    - Name: actorusername_has_any
+      Type: dynamic
+      Default: dynamic([])
+    - Name: operation_has_any
+      Type: dynamic
+      Default: dynamic([])
+    - Name: eventtype_in
+      Type: dynamic
+      Default: dynamic([])
+    - Name: eventresult
+      Type: string
+      Default: "*"
+    - Name: object_has_any
+      Type: dynamic
+      Default: dynamic([])
+    - Name: newvalue_has_any
+      Type: dynamic
+      Default: dynamic([])
+    - Name: disabled
+      Type: bool
+      Default: false
+
+ParserQuery: |
+  let parser=
+  (
+    starttime: datetime=datetime(null), 
+    endtime: datetime=datetime(null),
+    srcipaddr_has_any_prefix: dynamic=dynamic([]), 
+    eventtype_in: dynamic=dynamic([]),
+    eventresult: string='*',
+    actorusername_has_any: dynamic=dynamic([]),
+    operation_has_any: dynamic=dynamic([]),
+    object_has_any: dynamic=dynamic([]),
+    newvalue_has_any: dynamic=dynamic([]),
+    disabled: bool = false
+  )
+  {
+    ASimAuditEventLogs  | where not(disabled)
+    | where (isnull(starttime) or TimeGenerated >= starttime) 
+                    and (isnull(endtime) or TimeGenerated <= endtime)
+                    and (array_length(srcipaddr_has_any_prefix) == 0)
+                    and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))
+                    and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))
+                    and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in))
+                    and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any))
+                    and (eventresult == '*' or 'Success' =~ eventresult)
+                    and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
+    | project-rename
+          EventUid = _ItemId
+      | extend
+          Value	= NewValue,
+          User =  ActorUsername,
+          Application =  TargetAppName,
+          Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName)  
+      | project-away
+          TenantId, SourceSystem, _ResourceId, _SubscriptionId
+    };
+    parser(
+      starttime=starttime, 
+      endtime=endtime, 
+      srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
+      eventtype_in=eventtype_in, 
+      eventresult=eventresult, 
+      actorusername_has_any=actorusername_has_any, 
+      operation_has_any=operation_has_any, 
+      object_has_any=object_has_any, 
+      newvalue_has_any=newvalue_has_any, 
+      disabled=disabled
+    )
diff --git a/Playbooks/Get-MDATPVulnerabilities/report_template.docx b/Playbooks/Get-MDATPVulnerabilities/report_template.docx
diff --git a/Solutions/ContentHubCatalog.xlsx b/Solutions/ContentHubCatalog.xlsx
diff --git a/Solutions/Infoblox NIOS/TSG/TSG-Infoblox-Delete Existing Funtions.docx b/Solutions/Infoblox NIOS/TSG/TSG-Infoblox-Delete Existing Funtions.docx
diff --git a/Solutions/Salesforce Service Cloud/TSG/Salesforce Service Cloud Account Setup.docx b/Solutions/Salesforce Service Cloud/TSG/Salesforce Service Cloud Account Setup.docx
diff --git a/Tools/RuleMigration/Data table mapping.xlsx b/Tools/RuleMigration/Data table mapping.xlsx
diff --git a/docs/Azure Sentinel management.docx b/docs/Azure Sentinel management.docx