diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml index 2abafc2be82..d142c25e349 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml +++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml @@ -1,7 +1,7 @@ Parser: Title: Audit event ASIM parser - Version: '0.1.2' - LastUpdated: Jun 7, 2024 + Version: '0.1.3' + LastUpdated: Dec 13, 2024 Product: Name: Source agnostic Normalization: @@ -34,6 +34,7 @@ Parsers: - _ASim_AuditEvent_VMwareCarbonBlackCloud - _ASim_AuditEvent_InfobloxBloxOne - _ASim_AuditEvent_IllumioSaaSCore + - _ASim_AuditEvent_Native ParserParams: - Name: pack Type: bool @@ -59,3 +60,4 @@ ParserQuery: | ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))), ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))), ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers))) + ASimAuditEventNative(BuiltInDisabled or ('ExcludeASimAuditEventNative' in (DisabledParsers))) \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventNative.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventNative.yaml new file mode 100644 index 00000000000..cd70ba346cb --- /dev/null +++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventNative.yaml 
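Review bot: The union in the `@@ -59,3 +60,4` hunk of ASimAuditEvent.yaml is left syntactically broken as shown: the unchanged context line `ASimAuditEventIllumioSaaSCore(...)` has no trailing comma (the two members above it do), and the new `ASimAuditEventNative(...)` line is appended directly after it, so the last two union members are not comma-separated — unless the comma was lost when this diff was collapsed, in which case ignore this. The `@@ -90,4 +91,4` hunk of imAuditEvent.yaml has the same shape: `vimAuditEventIllumioSaaSCore(...)` is untouched and `vimAuditEventNative(...)` is added below it. The fix is to also edit the preceding line in each file, `ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers))),` and `... 'ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers)))),`. Because these are the source-agnostic entry points, a parse error here would break every query and analytic rule built on imAuditEvent/ASimAuditEvent, so a KQL syntax check in a workspace before merge is worthwhile. The enclosing `union` statement starts above the hunk in both files.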
@@ -0,0 +1,37 @@ +Parser: + Title: Audit Event ASIM parser for Microsoft Sentinel native Audit Event table + Version: '0.1.1' + LastUpdated: Dec 13, 2024 +Product: + Name: Native +Normalization: + Schema: AuditEvent + Version: '0.1' +References: +- Title: ASIM Audit Event Schema + Link: https://aka.ms/ASimAuditEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing the native Microsoft Sentinel Audit Event table (ASimAuditEventLogs) to the ASIM Audit Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time. +ParserName: ASimAuditEventNative +EquivalentBuiltInParser: _ASim_AuditEvent_Native +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let parser=(disabled:bool=false) + { + ASimAuditEventLogs | where not(disabled) + | project-rename + EventUid = _ItemId + | extend + Value = NewValue, + User = ActorUsername, + Application = TargetAppName, + Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName) + | project-away + TenantId, SourceSystem, _ResourceId, _SubscriptionId + }; + parser (disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml index 5860d33976a..53253578a24 100644 --- a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml +++ b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml @@ -1,7 +1,7 @@ Parser: Title: Audit event ASIM filtering parser. - Version: '0.1.3' - LastUpdated: Jun 7, 2024 + Version: '0.1.4' + LastUpdated: Dec 13, 2024 Product: Name: Source agnostic Normalization: @@ -34,6 +34,7 @@ Parsers: - _Im_AuditEvent_VMwareCarbonBlackCloud - _Im_AuditEvent_InfobloxBloxOne - _Im_AuditEvent_IllumioSaaSCore + - _Im_AuditEvent_Native ParserParams: - Name: starttime Type: datetime 
@@ -90,4 +91,4 @@ ParserQuery: | vimAuditEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers)))), vimAuditEventInfbloxBloxOne(starttime=starttime, endtime=endtime, eventresult=eventresult,operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventInfbloxBloxOne' in (DisabledParsers)))), vimAuditEventIllumioSaaSCore(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventIllumioSaaSCore' in (DisabledParsers)))) - + vimAuditEventNative(starttime=starttime, endtime=endtime, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, eventresult=eventresult, actorusername_has_any=actorusername_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any, disabled=(BuiltInDisabled or ('ExcludevimAuditEventNative' in (DisabledParsers)))) diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventNative.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventNative.yaml new file mode 100644 index 00000000000..b7fa7133b0d --- /dev/null +++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventNative.yaml 
@@ -0,0 +1,97 @@ +Parser: + Title: Audit Event ASIM filtering parser for Microsoft Sentinel native Audit Event table + Version: '0.1.1' + LastUpdated: Dec 13, 2024 +Product: + Name: Native +Normalization: + Schema: AuditEvent + Version: '0.1' +References: +- Title: ASIM Audit Event Schema + Link: https://aka.ms/ASimAuditEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +Description: | + This ASIM parser supports filtering and normalizing the native Microsoft Sentinel Audit Event table (ASimAuditEventLogs) to the ASIM Audit Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time. +ParserName: vimAuditEventNative +EquivalentBuiltInParser: _Im_AuditEvent_Native +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: srcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: actorusername_has_any + Type: dynamic + Default: dynamic([]) + - Name: operation_has_any + Type: dynamic + Default: dynamic([]) + - Name: eventtype_in + Type: dynamic + Default: dynamic([]) + - Name: eventresult + Type: string + Default: "*" + - Name: object_has_any + Type: dynamic + Default: dynamic([]) + - Name: newvalue_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false + +ParserQuery: | + let parser= + ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + srcipaddr_has_any_prefix: dynamic=dynamic([]), + eventtype_in: dynamic=dynamic([]), + eventresult: string='*', + actorusername_has_any: dynamic=dynamic([]), + operation_has_any: dynamic=dynamic([]), + object_has_any: dynamic=dynamic([]), + newvalue_has_any: dynamic=dynamic([]), + disabled: bool = false + ) + { + ASimAuditEventLogs | where not(disabled) + | where (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + 
and (array_length(srcipaddr_has_any_prefix) == 0) + and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) + and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) + and (array_length(eventtype_in) == 0 or 'Delete' in (eventtype_in)) + and (array_length(operation_has_any) == 0 or 'Delete Logs' has_any (operation_has_any)) + and (eventresult == '*' or 'Success' =~ eventresult) + and (array_length(object_has_any) == 0 or Object has_any (object_has_any)) + | project-rename + EventUid = _ItemId + | extend + Value = NewValue, + User = ActorUsername, + Application = TargetAppName, + Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName) + | project-away + TenantId, SourceSystem, _ResourceId, _SubscriptionId + }; + parser( + starttime=starttime, + endtime=endtime, + srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, + eventtype_in=eventtype_in, + eventresult=eventresult, + actorusername_has_any=actorusername_has_any, + operation_has_any=operation_has_any, + object_has_any=object_has_any, + newvalue_has_any=newvalue_has_any, + disabled=disabled + ) \ No newline at end of file diff --git a/Playbooks/Get-MDATPVulnerabilities/report_template.docx b/Playbooks/Get-MDATPVulnerabilities/report_template.docx index 8e332f06d9b..f31af6508df 100644 Binary files a/Playbooks/Get-MDATPVulnerabilities/report_template.docx and b/Playbooks/Get-MDATPVulnerabilities/report_template.docx differ diff --git a/Solutions/ContentHubCatalog.xlsx b/Solutions/ContentHubCatalog.xlsx index 93a603d6266..3a43819df49 100644 Binary files a/Solutions/ContentHubCatalog.xlsx and b/Solutions/ContentHubCatalog.xlsx differ 
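Review bot: The `where` predicates in the new vimAuditEventNative.yaml look like unfilled template placeholders rather than filters on the native table's columns: `actorusername_has_any` and `newvalue_has_any` are matched against `EventData` instead of `ActorUsername`/`NewValue` (both of which the later `extend` shows exist), `eventtype_in`, `operation_has_any` and `eventresult` are compared against the literals `'Delete'`, `'Delete Logs'` and `'Success'` instead of `EventType`, `Operation` and `EventResult`, and `srcipaddr_has_any_prefix` yields zero rows whenever a prefix list is supplied. As written, an analytic rule calling imAuditEvent with, say, `eventresult='Failure'` or `eventtype_in=dynamic(['Create'])` silently receives no native-table rows, and the actor filter matches only when the username happens to appear in EventData, so detections would miss events without any error surfacing. If the native table carries `SrcIpAddr` as the ASIM AuditEvent schema defines (please confirm against the table), the prefix filter should use `has_any_ipv4_prefix` like the other vim parsers rather than the unconditional empty-list check. Suggested predicates below; the `project-rename`/`extend`/`project-away` tail and the outer `parser(...)` invocation are unchanged.
```yaml
      ASimAuditEventLogs | where not(disabled)
      | where (isnull(starttime) or TimeGenerated >= starttime)
          and (isnull(endtime) or TimeGenerated <= endtime)
          and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))
          and (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))
          and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))
          and (array_length(eventtype_in) == 0 or EventType in (eventtype_in))
          and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))
          and (eventresult == '*' or EventResult =~ eventresult)
          and (array_length(object_has_any) == 0 or Object has_any (object_has_any))
      // … unchanged: project-rename / extend / project-away …
```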
diff --git a/Solutions/Infoblox NIOS/TSG/TSG-Infoblox-Delete Existing Funtions.docx b/Solutions/Infoblox NIOS/TSG/TSG-Infoblox-Delete Existing Funtions.docx
index 5abbd86e376..7b2def0ce81 100644
Binary files a/Solutions/Infoblox NIOS/TSG/TSG-Infoblox-Delete Existing Funtions.docx and b/Solutions/Infoblox NIOS/TSG/TSG-Infoblox-Delete Existing Funtions.docx differ
diff --git a/Solutions/Salesforce Service Cloud/TSG/Salesforce Service Cloud Account Setup.docx b/Solutions/Salesforce Service Cloud/TSG/Salesforce Service Cloud Account Setup.docx
index 057f5ff9095..2827cf1d604 100644
Binary files a/Solutions/Salesforce Service Cloud/TSG/Salesforce Service Cloud Account Setup.docx and b/Solutions/Salesforce Service Cloud/TSG/Salesforce Service Cloud Account Setup.docx differ
diff --git a/Tools/RuleMigration/Data table mapping.xlsx b/Tools/RuleMigration/Data table mapping.xlsx
index 217f54b2df6..7c8816c05bb 100644
Binary files a/Tools/RuleMigration/Data table mapping.xlsx and b/Tools/RuleMigration/Data table mapping.xlsx differ
diff --git a/docs/Azure Sentinel management.docx b/docs/Azure Sentinel management.docx
index 5e8aa6c94bc..5bd91ddc7e8 100644
Binary files a/docs/Azure Sentinel management.docx and b/docs/Azure Sentinel management.docx differ
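Review bot: Six binary Office documents change in this commit (report_template.docx, ContentHubCatalog.xlsx, the two TSG .docx files, Data table mapping.xlsx and Azure Sentinel management.docx) with no relation to the ASIM Native parser the rest of the diff adds, and their new content cannot be inspected from the diff. This looks like a stale-branch merge or line-ending/LFS normalisation artefact rather than an intended edit; if so, the blobs should be dropped from the PR so the change set stays reviewable and only the parser files land.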