
Salesforce-asim-authentication parser #6167

Merged
merged 61 commits into from
Feb 21, 2024

Conversation

rushriva
Contributor

Required items, please complete

Change(s):

  • Added asim authentication parser for Salesforce

Reason for Change(s):

  • Salesforce content enrichment

Version Updated:

  • NA

Testing Completed:

  • yes

Checked that the validations are passing and have addressed any issues that are present:

  • NA


@rushriva rushriva requested review from a team as code owners September 16, 2022 11:52
@oshezaf oshezaf self-assigned this Sep 16, 2022
@oshezaf
Contributor

oshezaf commented Sep 16, 2022

Hi @rushriva: to help me review -

  • Where are the sample logs located?
  • Did you run the ASIM testers? If so, can you share the results?

@oshezaf oshezaf added the ASIM label Sep 16, 2022
@rushriva
Contributor Author

> Hi @rushriva: to help me review -
>
>   • Where are the sample logs located?
>   • Did you run the ASIM testers? If so, can you share the results?

@oshezaf - Please find my responses in-line:

  1. Sample logs - I will mail you the workspace with the sample logs in a separate mail.
  2. ASIM tester output - attached to this comment.
    ASimtester-output-SalesforceSC.csv

Contributor

@oshezaf oshezaf left a comment

First, while there are many comments... You did a very good job. Don't let the many comments here deter you.

As to the comments:

  • You need to create the vim parser as well. Can be a second step after this one is finished.
  • Did you add sample data based on the workspace to either the public repository or the private one (Prateek can help with the details)?
  • You probably did not run the data tester.
  • I noticed that you added the project statement after testing, which is good. Notice a missing field (see later).
  • I need to update testing. There are fields that need setting and are not flagged. Will do it ASAP. It might lead to additional notes.
  • Additional mappings
    • api_version_s -> EventProductVersion
    • organization_id_s -> TargetUserScope (this is a very new addition to the schema, needed for UEBA)
    • cipher_suite_s -> TlsCipher (not yet defined, but seems useful, will be added)
    • tls_protocol_s -> TlsVersion (not yet defined, but seems useful, will be added)
    • Do you know what login_key_s is?

@rushriva
Contributor Author

rushriva commented Sep 30, 2022

> First, while there are many comments... You did a very good job. Don't let the many comments here deter you.
>
> As to the comments:
>
>   • You need to create the vim parser as well. Can be a second step after this one is finished.
>   • Did you add sample data based on the workspace to either the public repository or the private one (Prateek can help with the details)?
>   • You probably did not run the data tester.
>   • I noticed that you added the project statement after testing, which is good. Notice a missing field (see later).
>   • I need to update testing. There are fields that need setting and are not flagged. Will do it ASAP. It might lead to additional notes.
>   • Additional mappings
>     • api_version_s -> EventProductVersion
>     • organization_id_s -> TargetUserScope (this is a very new addition to the schema, needed for UEBA)
>     • cipher_suite_s -> TlsCipher (not yet defined, but seems useful, will be added)
>     • tls_protocol_s -> TlsVersion (not yet defined, but seems useful, will be added)
>     • Do you know what login_key_s is?

@oshezaf - I will create the vim parser once the asim parser is approved with the changes.
I have executed the data tester; the following fields need to be added:
EventProduct - Salesforce Service Cloud
TargetUserIdType - SalesforceId

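The extra mappings requested in the review above and the two constant fields the data tester flagged, sketched here as an added KQL fragment (this is not the PR's own parser; the source table name SalesforceServiceCloud_CL and the ASIM `disabled` parameter pattern are assumptions, and login_key_s is left unmapped because the thread does not resolve its meaning):

```kql
// Added illustration only, not the parser submitted in this PR.
// Assumption: the Salesforce Service Cloud connector lands rows in
// SalesforceServiceCloud_CL with the custom-log fields named in the review.
let SalesforceAuthMappingExample = (disabled: bool = false) {
    SalesforceServiceCloud_CL
    // Standard ASIM pattern: an empty result when the parser is disabled.
    | where not(disabled)
    | extend
        // Constant fields the data tester reported as missing.
        EventProduct        = "Salesforce Service Cloud",
        TargetUserIdType    = "SalesforceId",
        // Additional mappings requested in the review.
        EventProductVersion = api_version_s,
        TargetUserScope     = organization_id_s,   // tenant/org scope, used by UEBA
        TlsCipher           = cipher_suite_s,      // schema field pending at review time
        TlsVersion          = tls_protocol_s       // schema field pending at review time
    // Drop the raw vendor columns once they are normalised.
    | project-away api_version_s, organization_id_s, cipher_suite_s, tls_protocol_s
};
SalesforceAuthMappingExample(disabled=false)
```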
@v-prasadboke
Contributor

Hello @v-sabiraj, please look into this.

@v-prasadboke
Contributor

Hello @v-sabiraj, any updates on the above?

@v-prasadboke
Contributor

Hello @v-sabiraj, waiting for your feedback.

@v-prasadboke
Contributor

Hello @oshezaf, please look into the changes.

@v-atulyadav v-atulyadav marked this pull request as draft June 23, 2023 10:59
@github-actions
Contributor

ASIM parsers have been changed. ARM templates were regenerated from the updated KQL function YAML files.
To find the new ARM templates, pull your branch.

@vakohl
Contributor

vakohl commented Dec 8, 2023

@microsoft-github-policy-service agree [company="Microsoft"]

@vakohl
Contributor

vakohl commented Dec 8, 2023

@rushriva please read the following Contributor License Agreement (CLA). If you agree with the CLA, please reply with the following information.

@microsoft-github-policy-service agree [company="{your company}"]

Options:

  • (default - no company specified) I have sole ownership of intellectual property rights to my Submissions and I am not making Submissions in the course of work for my employer.
@microsoft-github-policy-service agree
  • (when company given) I am making Submissions in the course of work for my employer (or my employer has intellectual property rights in my Submissions by contract or applicable law). I have permission from my employer to make Submissions and enter into this Agreement on behalf of my employer. By signing below, the defined term “You” includes me and my employer.
@microsoft-github-policy-service agree company="Microsoft"

Contributor License Agreement

@microsoft-github-policy-service agree [company="Microsoft"]

@vakohl
Contributor

vakohl commented Dec 8, 2023

@microsoft-github-policy-service agree company="Microsoft"

@vakohl
Contributor

vakohl commented Dec 10, 2023

@microsoft-github-policy-service agree [company="Microsoft"]

@microsoft-github-policy-service agree

@microsoft-github-policy-service agree company="Microsoft"

@vakohl
Contributor

vakohl commented Jan 8, 2024

@anki-narravula can you please validate the comments?

@contentautomationbot contentautomationbot bot left a comment

KQL Best Practices Suggestions for: ASimAuthentication.yaml

  1. Consider using the materialize() function for the 'ASimAuthenticationDisabled' variable if its assignment involves computation or calculation. This can improve performance.
  2. Consider using more specific operators before materialize() to reduce the materialized data set while preserving query semantics.

Disclaimer: These suggestions are offered to enhance query efficiency and adherence to best practices. It is recommended to consider applying them for improved code quality, but their application is optional and context-dependent.

@contentautomationbot contentautomationbot bot left a comment

KQL Best Practices Suggestions for: ASimAuthenticationSalesforceSC.yaml

  1. Use the 'in' operator instead of 'in~' for case-sensitive comparisons.
  2. Don't use '*' for searching text. Look in a specific column.
  3. Consider using the materialize() function for the 'disabled' variable if its assignment involves computation or calculation. This can improve performance.
  4. Consider using the materialize() function for the 'EventResultLookup' variable if its assignment involves computation or calculation. This can improve performance.

Disclaimer: These suggestions are offered to enhance query efficiency and adherence to best practices. It is recommended to consider applying them for improved code quality, but their application is optional and context-dependent.

@contentautomationbot contentautomationbot bot left a comment

KQL Best Practices Suggestions for: imAuthentication.yaml

  1. Don't use '*' for searching text. Look in a specific column.
  2. Consider using the materialize() function for the 'starttime' variable if its assignment involves computation or calculation. This can improve performance.
  3. Consider using the materialize() function for the 'endtime' variable if its assignment involves computation or calculation. This can improve performance.
  4. Consider using the materialize() function for the 'targetusername_has' variable if its assignment involves computation or calculation. This can improve performance.
  5. Consider using the materialize() function for the 'DisabledParsers' variable if its assignment involves computation or calculation. This can improve performance.
  6. Consider using the materialize() function for the 'imAuthenticationDisabled' variable if its assignment involves computation or calculation. This can improve performance.
  7. Consider using more specific operators before materialize() to reduce the materialized data set while preserving query semantics.

Disclaimer: These suggestions are offered to enhance query efficiency and adherence to best practices. It is recommended to consider applying them for improved code quality, but their application is optional and context-dependent.

@contentautomationbot contentautomationbot bot left a comment

KQL Best Practices Suggestions for: vimAuthenticationSalesforceSC.yaml

  1. Use the 'in' operator instead of 'in~' for case-sensitive comparisons.
  2. Don't use '*' for searching text. Look in a specific column.
  3. Consider using the materialize() function for the 'starttime' variable if its assignment involves computation or calculation. This can improve performance.
  4. Consider using the materialize() function for the 'endtime' variable if its assignment involves computation or calculation. This can improve performance.
  5. Consider using the materialize() function for the 'targetusername_has' variable if its assignment involves computation or calculation. This can improve performance.
  6. Consider using the materialize() function for the 'disabled' variable if its assignment involves computation or calculation. This can improve performance.
  7. Consider using the materialize() function for the 'EventResultLookup' variable if its assignment involves computation or calculation. This can improve performance.

Disclaimer: These suggestions are offered to enhance query efficiency and adherence to best practices. It is recommended to consider applying them for improved code quality, but their application is optional and context-dependent.

anki-narravula
anki-narravula previously approved these changes Feb 13, 2024
@v-sudkharat
Contributor

Hi @vakohl, this branch has conflicts. Could you please check and resolve them? Thanks!

@v-sudkharat
Contributor

@microsoft-github-policy-service agree [company="Microsoft"]

@v-atulyadav v-atulyadav dismissed oshezaf’s stale review February 21, 2024 10:24

all changes are incorporated

@v-atulyadav v-atulyadav merged commit 4a85974 into master Feb 21, 2024
30 checks passed