Updated imProcess.yaml file by following same structure as imDns and …

…updated parameter name in vimProcessSentinelOne as per unifying parser.
Azure · Aug 28, 2023 · e94a8d9 · e94a8d9
1 parent 28dd22a
commit e94a8d9
Show file tree

Hide file tree

Showing 3 changed files with 81 additions and 19 deletions.
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcess.yaml b/Parsers/ASimProcessEvent/Parsers/imProcess.yaml
@@ -1,7 +1,7 @@
 Parser:
   Title: Process Event ASIM parser
   Version: '0.1.1'
-  LastUpdated: Feb 23, 2022
+  LastUpdated: Aug 28, 2023
 Product:
   Name: Source Agnostic
 Normalization:
@@ -15,18 +15,80 @@ References:
 Description: |
   This ASIM parser supports normalizing process event logs from all supported sources to the ASIM ProcessEvent normalized schema.
 ParserName: imProcess
-EquivalentBuiltInParser: _Im_Process
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: commandline_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_all
+    Type: dynamic
+    Default: dynamic([])
+  - Name: commandline_has_any_ip_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: actingprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: parentprocess_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+  - Name: actorusername_has
+    Type: string
+    Default: '*'
+  - Name: dvcipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: dvchostname_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventtype
+    Type: string
+    Default: '*'
+  - Name: hashes_has_any
+    Type: dynamic
+    Default: dynamic([])
 ParserQuery: |
+  let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), commandline_has_any:dynamic=dynamic([]), commandline_has_all:dynamic=dynamic([]), commandline_has_any_ip_prefix:dynamic=dynamic([]), actingprocess_has_any:dynamic=dynamic([]), targetprocess_has_any:dynamic=dynamic([]), parentprocess_has_any:dynamic=dynamic([]), targetusername_has:string='*', actorusername_has:string='*', dvcipaddr_has_any_prefix:dynamic=dynamic([]), dvchostname_has_any:dynamic=dynamic([]), eventtype:string='*', hashes_has_any:dynamic=dynamic([])){
+  let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimProcess') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
+  let imProcessBuiltInDisabled=toscalar('ExcludeimProcessBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); 
   union isfuzzy=true
-    vimProcessEmpty,
-    vimProcessEventMicrosoft365D,
-    vimProcessCreateMicrosoftSysmon,
-    vimProcessTerminateMicrosoftSysmon,
-    vimProcessCreateMicrosoftSecurityEvents,
-    vimProcessTerminateMicrosoftSecurityEvents,
-    vimProcessCreateLinuxSysmon,
-    vimProcessTerminateLinuxSysmon,
-    vimProcessTerminateMicrosoftWindowsEvents,
-    vimProcessCreateMicrosoftWindowsEvents,
-    vimProcessEventMD4IoT,
-    vimProcessCreateSentinelOne
+      vimProcessEmpty
+    , vimProcessEventMicrosoft365D ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMicrosoft365D'   in (DisabledParsers) )))
+    , vimProcessCreateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSysmon'    in (DisabledParsers) )))
+    , vimProcessTerminateMicrosoftSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSysmon'    in (DisabledParsers) )))
+    , vimProcessCreateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftSecurityEvents'          in (DisabledParsers) )))
+    , vimProcessTerminateMicrosoftSecurityEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftSecurityEvents'   in (DisabledParsers) )))
+    , vimProcessCreateLinuxSysmon ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon' in (DisabledParsers) )))
+    , vimProcessTerminateLinuxSysmon  ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateLinuxSysmon'   in (DisabledParsers) )))
+    , vimProcessTerminateMicrosoftWindowsEvents ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, actorusername_has=actorusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessTerminateMicrosoftWindowsEvents'  in (DisabledParsers) )))
+    , vimProcessCreateMicrosoftWindowsEvents     ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents'      in (DisabledParsers) )))
+    , vimProcessEventMD4IoT         ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvchostname_has_any, eventtype=eventtype, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessEventMD4IoT'          in (DisabledParsers) )))
+    , vimProcessCreateSentinelOne          ( starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvchostname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, disabled=(imProcessBuiltInDisabled or('ExcludevimProcessCreateSentinelOne'        in (DisabledParsers) )))
+    };
+  Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername_has, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any)
+
+EquivalentBuiltInParser: _Im_Process
+Parsers:
+  - _Im_Process_Empty
+  - _Im_ProcessEvent_Microsoft365D
+  - _Im_ProcessCreate_MicrosoftSysmon
+  - _Im_ProcessTerminate_MicrosoftSysmon
+  - _Im_ProcessCreate_MicrosoftSecurityEvents
+  - _Im_ProcessTerminate_MicrosoftSecurityEvents
+  - _Im_ProcessCreate_LinuxSysmon
+  - _Im_ProcessTerminate_LinuxSysmon
+  - _Im_ProcessTerminate_MicrosoftWindowsEvents
+  - _Im_ProcessCreate_MicrosoftWindowsEvents
+  - _Im_ProcessCreate_MD4IoT
+  - _Im_ProcessCreate_SentinelOne
diff --git a/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml b/Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
@@ -67,7 +67,7 @@ ParserQuery: |
     vimProcessCreateLinuxSysmon            (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateLinuxSysmon'   in (DisabledParsers) ))),
     vimProcessCreateMicrosoftWindowsEvents (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateMicrosoftWindowsEvents'   in (DisabledParsers) ))),
     vimProcessCreateMD4IoT                  (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessEventMD4IoT'   in (DisabledParsers) ))),
-    vimProcessCreateSentinelOne            (starttime, endtime, commandline_has_any, commandline_has_all, commandline_has_any_ip_prefix, actingprocess_has_any, targetprocess_has_any, parentprocess_has_any, targetusername, dvcipaddr_has_any_prefix, dvcname_has_any, eventtype, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne'   in (DisabledParsers) )))
+    vimProcessCreateSentinelOne            (starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername_has=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvchostname_has_any=dvcname_has_any, eventtype=eventtype, hashes_has_any=hashes_has_any, (imBuiltInDisabled or('ExcludevimProcessCreateSentinelOne'   in (DisabledParsers) )))
   };
   Generic(starttime=starttime, endtime=endtime, commandline_has_any=commandline_has_any, commandline_has_all=commandline_has_all, commandline_has_any_ip_prefix=commandline_has_any_ip_prefix, actingprocess_has_any=actingprocess_has_any, targetprocess_has_any=targetprocess_has_any, parentprocess_has_any=parentprocess_has_any, targetusername=targetusername, dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, dvcname_has_any=dvcipaddr_has_any_prefix, hashes_has_any=hashes_has_any, eventtype=eventtype)
 

diff --git a/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml b/Parsers/ASimProcessEvent/Parsers/vimProcessCreateSentinelOne.yaml
@@ -49,7 +49,7 @@ ParserParams:
   - Name: dvcipaddr_has_any_prefix
     Type: dynamic
     Default: dynamic([])
-  - Name: dvcname_has_any
+  - Name: dvchostname_has_any
     Type: dynamic
     Default: dynamic([])
   - Name: hashes_has_any
@@ -73,7 +73,7 @@ ParserQuery: |
       parentprocess_has_any: dynamic=dynamic([]),
       targetusername_has: string='*',
       dvcipaddr_has_any_prefix: dynamic=dynamic([]),
-      dvcname_has_any: dynamic=dynamic([]),
+      dvchostname_has_any: dynamic=dynamic([]),
       eventtype: string='*',
       hashes_has_any: dynamic=dynamic([]),
       disabled: bool=false) {
@@ -92,7 +92,7 @@ ParserQuery: |
           and (array_length(actingprocess_has_any) == 0 or sourceProcessInfo_name_s has_any (actingprocess_has_any))
           and (array_length(targetprocess_has_any) == 0 or targetProcessInfo_tgtProcName_s has_any (targetprocess_has_any))
           and (array_length(parentprocess_has_any) == 0 or sourceParentProcessInfo_name_s has_any (parentprocess_has_any))
-          and (array_length(dvcname_has_any) == 0 or agentDetectionInfo_name_s  has_any (dvcname_has_any))
+          and (array_length(dvchostname_has_any) == 0 or agentDetectionInfo_name_s  has_any (dvchostname_has_any))
           and array_length(hashes_has_any) == 0 or targetProcessInfo_tgtFileHashSha1_s has_any (hashes_has_any) or targetProcessInfo_tgtFileHashSha256_s has_any (hashes_has_any)
       | project-rename
           DvcId = agentDetectionInfo_uuid_g,
@@ -182,7 +182,7 @@ ParserQuery: |
       parentprocess_has_any=parentprocess_has_any,
       targetusername_has=targetusername_has,
       dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix,
-      dvcname_has_any=dvcname_has_any,
+      dvchostname_has_any=dvchostname_has_any,
       eventtype=eventtype,
       hashes_has_any=hashes_has_any,
       disabled=disabled