
Merge branch 'Google-Workspace-File-Parser' of https://github.com/Azure/Azure-Sentinel into Google-Workspace-File-Parser
vakohl committed Dec 21, 2023
2 parents fcf609d + 39e2542 commit cb86be3
Showing 2 changed files with 6 additions and 6 deletions.
@@ -1,8 +1,8 @@
# <product name> ASIM FileEvent Normalization Parser
# Google Workspace ASIM FileEvent Normalization Parser

ARM template for ASIM FileEvent schema parser for <product name>.
ARM template for ASIM FileEvent schema parser for Google Workspace.

This ASIM filtering parser supports normalizing the <product name> logs to the ASIM file activity normalized schema.
This ASIM parser supports normalizing the Google Workspace (Drive) logs ingested in GWorkspace_ReportsAPI_drive_CL table to the ASIM file activity normalized schema.


The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
Expand Up @@ -26,15 +26,15 @@
{
"type": "savedSearches",
"apiVersion": "2020-08-01",
"name": "<parser function name>",
"name": "vimFileEventGoogleWorkspace",
"dependsOn": [
"[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
],
"properties": {
"etag": "*",
"displayName": "File events ASIM filtering parser for <product name>",
"displayName": "File events ASIM filtering parser for Google Workspace",
"category": "ASIM",
"FunctionAlias": "<parser function name>",
"FunctionAlias": "vimFileEventGoogleWorkspace",
"query": "let parser = (\n starttime: datetime = datetime(null)\n , endtime: datetime = datetime(null)\n , eventtype_in: dynamic = dynamic([])\n , srcipaddr_has_any_prefix: dynamic = dynamic([])\n , actorusername_has_any: dynamic = dynamic([])\n , targetfilepath_has_any: dynamic = dynamic([])\n , srcfilepath_has_any: dynamic = dynamic([])\n , hashes_has_any: dynamic = dynamic([])\n , dvchostname_has_any: dynamic = dynamic([])\n , disabled: bool = false\n ) {\n let GoogleWorkspaceSchema = datatable (\n event_name_s: string,\n event_type_s: string,\n id_uniqueQualifier_s: string,\n actor_email_s: string,\n actor_profileId_s: string,\n IPAddress: string,\n doc_type_s: string,\n doc_title_s: string,\n originating_app_id_s: string,\n id_applicationName_s: string,\n old_value_s: string,\n new_value_s: string,\n destination_folder_title_s: string,\n source_folder_title_s: string,\n copy_type_s: string,\n target_user_s: string,\n doc_id_s: string,\n primary_event_b: bool,\n billable_b: bool,\n owner_s: string,\n owner_is_shared_drive_b: bool,\n is_encrypted_b: bool,\n visibility_s: string,\n shared_drive_id_s: string,\n destination_folder_id_s: string,\n source_folder_id_s: string,\n TimeGenerated: datetime,\n _ResourceId: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n RawData: string,\n SourceSystem: string,\n TenantId: string,\n _ItemId: string\n)[];\n let EventFieldsLookup = datatable (\n EventOriginalSubType: string,\n EventType: string,\n EventSubType: string\n)\n [\n \"download\", \"FileAccessed\", \"Download\",\n \"edit\", \"FileModified\", \"Checkin\",\n \"upload\", \"FileCreated\", \"Upload\",\n \"create\", \"FileCreated\", \"Checkin\",\n \"rename\", \"FileRenamed\", \"\",\n \"view\", \"FileAccessed\", \"Preview\",\n \"preview\", \"FileAccessed\", \"Preview\",\n \"copy\", \"FileCopied\", \"\",\n \"source_copy\", \"FileCopied\", \"\",\n \"delete\", \"FileDeleted\", \"\",\n \"trash\", \"FileDeleted\", \"Recycled\",\n \"move\", 
\"FileMoved\", \"\",\n \"untrash\", \"FileCreatedOrModified\", \"Checkin\",\n \"deny_access_request\", \"FileAccessed\", \"Preview\",\n \"expire_access_request\", \"FileAccessed\", \"Preview\",\n \"request_access\", \"FileAccessed\", \"Preview\",\n \"add_to_folder\", \"FileCreated\", \"Checkin\",\n \"approval_canceled\", \"FileAccessed\", \"\",\n \"approval_comment_added\", \"FileAccessed\", \"\",\n \"approval_completed\", \"FileAccessed\", \"Preview\",\n \"approval_decisions_reset\", \"FileAccessed\", \"\",\n \"approval_due_time_change\", \"FileAccessed\", \"\",\n \"approval_requested\", \"FileAccessed\", \"Preview\",\n \"approval_reviewer_change\", \"FileAccessed\", \"\",\n \"approval_reviewer_responded\", \"FileAccessed\", \"\",\n \"create_comment\", \"FileModified\", \"Checkin\",\n \"delete_comment\", \"FileModified\", \"Checkin\",\n \"edit_comment\", \"FileModified\", \"Checkin\",\n \"reassign_comment\", \"FileModified\", \"Checkin\",\n \"reopen_comment\", \"FileModified\", \"Checkin\",\n \"resolve_comment\", \"FileModified\", \"Checkin\",\n \"add_lock\", \"FileModified\", \"\",\n \"print\", \"FileAccessed\", \"Print\",\n \"remove_from_folder\", \"FileDeleted\", \"\",\n \"remove_lock\", \"FileModified\", \"\",\n];\n let SupportedEventNames = EventFieldsLookup\n | project EventOriginalSubType;\n union isfuzzy=true GoogleWorkspaceSchema, GWorkspace_ReportsAPI_drive_CL\n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and ((array_length(actorusername_has_any) == 0) or (actor_email_s has_any (actorusername_has_any)))\n and ((array_length(targetfilepath_has_any) == 0) or (doc_title_s has_any (targetfilepath_has_any)))\n and (array_length(hashes_has_any) == 0)\n and (array_length(dvchostname_has_any) == 0)\n and event_name_s in 
(SupportedEventNames)\n | lookup EventFieldsLookup on $left.event_name_s == $right.EventOriginalSubType\n | where ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n | project-rename \n EventOriginalUid = id_uniqueQualifier_s,\n ActorUsername = actor_email_s,\n ActorUserId = actor_profileId_s,\n SrcIpAddr = IPAddress,\n TargetFileMimeType = doc_type_s,\n TargetFilePath = doc_title_s,\n ActingAppId = originating_app_id_s,\n EventOriginalType=event_type_s\n | extend\n TargetAppName = iif(id_applicationName_s == 'drive', \"Google Workspace - Drive\", \"\"),\n TargetAppType = iif(id_applicationName_s == 'drive', \"SaaS application\", \"\"),\n ActorUserIdType = iif(isnotempty(ActorUserId), \"Google Workspace Profile ID\", \"\"),\n SrcFilePath = iif(event_name_s has_any ('rename', 'copy', 'source_copy'), old_value_s, \"\"),\n TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, \"\"),\n TargetFileDirectory = iif(event_name_s has_any ('move'), destination_folder_title_s, \"\"),\n SrcFileDirectory = iif(event_name_s has_any ('move'), source_folder_title_s, \"\"),\n EventType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"FolderCreated\",\n TargetFileMimeType == \"folder\" and event_name_s == \"rename\",\n \"FolderModified\",\n TargetFileMimeType == \"folder\" and event_name_s == \"delete\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"FolderDeleted\",\n TargetFileMimeType == \"folder\" and event_name_s == \"move\",\n \"FolderMoved\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"FolderCreated\",\n EventType\n ),\n EventSubType = case(\n TargetFileMimeType == \"folder\" and event_name_s == \"create\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"trash\",\n \"\",\n TargetFileMimeType == \"folder\" and event_name_s == \"untrash\",\n \"\",\n EventSubType\n ),\n EventMessage = case(\n event_name_s == 'download',\n 
strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'edit',\n strcat(ActorUsername, \" edited an item\"),\n event_name_s == 'upload',\n strcat(ActorUsername, \" uploaded an item\"),\n event_name_s == 'create',\n strcat(ActorUsername, \" created an item\"),\n event_name_s == 'rename',\n strcat(ActorUsername, \" renamed \", old_value_s, \" to \", TargetFilePath),\n event_name_s == 'view',\n strcat(ActorUsername, \" viewed an item\"),\n event_name_s == 'preview',\n strcat(ActorUsername, \" previewed an item\"),\n event_name_s == 'copy',\n strcat(ActorUsername, \" created a copy of original document \", old_value_s),\n event_name_s == 'delete',\n strcat(ActorUsername, \" deleted an item\"),\n event_name_s == 'trash',\n strcat(ActorUsername, \" trashed an item\"),\n event_name_s == 'move',\n strcat(ActorUsername, \" moved an item from \", source_folder_title_s, \" to \", destination_folder_title_s),\n event_name_s == 'untrash',\n strcat(ActorUsername, \" restored an item\"),\n event_name_s == 'source_copy',\n strcat(ActorUsername, \" copied this item, creating a new item \", copy_type_s, \" your organication \", new_value_s),\n event_name_s == 'deny_access_request',\n strcat(ActorUsername, \" denied an access request for \", target_user_s),\n event_name_s == 'expire_access_request',\n strcat(\"An access request for \", target_user_s, \" expired \"),\n event_name_s == 'request_access',\n strcat(ActorUsername, \" requested access to an item for \", target_user_s),\n event_name_s == 'add_to_folder',\n strcat(ActorUsername, \" added an item to \", destination_folder_title_s),\n event_name_s == 'approval_canceled',\n strcat(ActorUsername, \" canceled an approval on an item\"),\n event_name_s == 'approval_comment_added',\n strcat(ActorUsername, \" added a comment on an approval on an item\"),\n event_name_s == 'approval_completed',\n \"An approval was completed\",\n event_name_s == 'approval_decisions_reset',\n \"Approval decisions were reset\",\n event_name_s == 
'approval_due_time_change',\n strcat(ActorUsername, \" requested a due time change on an approval\"),\n event_name_s == 'approval_requested',\n strcat(ActorUsername, \" requested approval on an item\"),\n event_name_s == 'approval_reviewer_change',\n strcat(ActorUsername, \" requested a reviewer change on an approval\"),\n event_name_s == 'approval_reviewer_responded',\n strcat(ActorUsername, \" reviewed an approval on an item\"),\n event_name_s == 'create_comment',\n strcat(ActorUsername, \" created a comment\"),\n event_name_s == 'delete_comment',\n strcat(ActorUsername, \" deleted a comment\"),\n event_name_s == 'edit_comment',\n strcat(ActorUsername, \" edited a comment\"),\n event_name_s == 'reassign_comment',\n strcat(ActorUsername, \" reassigned a comment\"),\n event_name_s == 'reopen_comment',\n strcat(ActorUsername, \" reopened a comment\"),\n event_name_s == 'resolve_comment',\n strcat(ActorUsername, \" resolved a comment\"),\n event_name_s == 'add_lock',\n strcat(ActorUsername, \" locked an item\"),\n event_name_s == 'print',\n strcat(ActorUsername, \" printed an item\"),\n event_name_s == 'remove_from_folder',\n strcat(ActorUsername, \" removed an item from from \", source_folder_title_s),\n event_name_s == 'remove_lock',\n strcat(ActorUsername, \" unlocked an item\"),\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"Doc_Id\",\n doc_id_s,\n \"Primary_Event\",\n primary_event_b,\n \"Billable\",\n billable_b,\n \"Owner\",\n owner_s,\n \"Owner_Is_Shared_Drive\",\n owner_is_shared_drive_b,\n \"Is_Encrypted\",\n is_encrypted_b,\n \"Visibility\",\n visibility_s,\n \"Copy_Type\",\n copy_type_s,\n \"Shared_Drive_Id\",\n shared_drive_id_s,\n \"Destination_Folder_Id\",\n destination_folder_id_s,\n \"Source_Folder_Id\",\n source_folder_id_s\n )\n | where ((array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any)))\n | extend\n EventOriginalSubType = event_name_s,\n Application = TargetAppName,\n ActorUsernameType = 
_ASIM_GetUsernameType(ActorUsername),\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n TargetFileName=TargetFilePath,\n FilePath = TargetFilePath,\n TargetFilePathType = iif(isnotempty(TargetFilePath), \"FilenameOnly\", \"\"),\n SrcFilePathType = iif(isnotempty(SrcFilePath), \"FilenameOnly\", \"\"),\n FileName = TargetFilePath,\n SrcFileName = SrcFilePath,\n User = ActorUsername,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventProduct = \"Workspace\",\n EventVendor = \"Google\",\n EventResult = \"Success\",\n EventSchemaVersion = \"0.2.1\",\n EventSchema = \"FileEvent\",\n EventUid = _ItemId,\n Dvc = \"Workspace\"\n | project-away \n *_s,\n *_b,\n *_g,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n targetfilepath_has_any = targetfilepath_has_any,\n srcfilepath_has_any = srcfilepath_has_any,\n hashes_has_any = hashes_has_any,\n dvchostname_has_any = dvchostname_has_any,\n disabled = disabled\n)",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False"
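Review bot: In the unchanged "query" string that the new `vimFileEventGoogleWorkspace` alias now exposes, the `| extend` following `project-rename` assigns `TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, "")`, and if `extend` replaces an existing column (which the same clause assumes for its `EventType = case(..., EventType)` and `EventSubType` reassignments) this blanks the `TargetFilePath` just renamed from `doc_title_s` for every event other than `source_copy`, so `TargetFileName`, `FileName`, `FilePath` and `TargetFilePathType` come out empty while the `targetfilepath_has_any` pre-filter still matches on `doc_title_s`. Keeping the renamed value as the fallback, `TargetFilePath = iif(event_name_s has ('source_copy'), new_value_s, TargetFilePath),`, makes the normalized output agree with the filter. The `EventMessage` branch for `event_name_s == 'download'` emits `" deleted an item"` and should be `strcat(ActorUsername, " downloaded an item")`; the `source_copy` and `remove_from_folder` messages also carry the typos "your organication" and "from from". The enclosing savedSearches resource starts above the hunk (`@@ -26,15 +26,15 @@`).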
