From 49a2a61cb4996cf1912ed8cfaae08dc3e8c9d9c3 Mon Sep 17 00:00:00 2001
From: rushriva
Date: Fri, 16 Sep 2022 17:20:49 +0530
Subject: [PATCH 01/38] Salesforce-asim-authentication parser

---
 .../Parsers/ASimAuthentication.yaml | 6 +-
 .../ASimAuthenticationSalesforceSC.yaml | 74 +++++++++++++++++++
 2 files changed, 78 insertions(+), 2 deletions(-)
 create mode 100644 Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml

diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
index aee5c679a39..7c992954392 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml
@@ -33,7 +33,8 @@ ParserQuery: |
 , ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) ))
 , ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))
 , ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) ))
- , ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeAASimAuthenticationPostgreSQL' in (DisabledParsers) ))
+ , ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) ))
+ , ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))
 
 Parsers:
 - vimAuthenticationEmpty
@@ -45,4 +46,5 @@ Parsers:
 - ASimAuthenticationOktaSSO
 - ASimAuthenticationM365Defender
 - ASimAuthenticationMicrosoftWindowsEvent
- - ASimAuthenticationMD4IoT
\ No newline at end of file
+ - ASimAuthenticationMD4IoT
+ - ASimAuthenticationSalesforceSC
\ No newline at end of file
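Review bot: Besides wiring in the Salesforce parser, the first hunk silently renames the PostgreSQL exclusion key from `ExcludeAASimAuthenticationPostgreSQL` to `ExcludeASimAuthenticationPostgreSQL`, a behavioural change the Subject does not mention. Any workspace whose `ASimDisabledParsers` watchlist carries the misspelled key (the watchlist lookup is visible in the generated ARM template further down) will stop excluding that parser once this is deployed, so the commit message should call it out. If backward compatibility matters, keep the old key for a release as well, e.g. `('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) or 'ExcludeAASimAuthenticationPostgreSQL' in (DisabledParsers))`.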
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
new file mode 100644
index 00000000000..c8f436f311a
--- /dev/null
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
@@ -0,0 +1,74 @@ +Parser: + Title: Authentication ASIM parser for Salesforce Service Cloud + Version: '0.1.0' + LastUpdated: August 26, 2022 +Product: + Name: Salesforce +Normalization: + Schema: Authentication + Version: '0.1.1' +References: +- Title: ASIM Authentication Schema + Link: https://aka.ms/ASimAuthenticationDoc +- Title: ASIM + Link: https:/aka.ms/AboutASIM +Description: | + This ASIM parser supports normalizing Salesforce sign in logs, stored in the SalesforceServiceCloud_CL table, to the ASIM Authentication schema. +ParserName: ASimAuthenticationSalesforceSC +ParserParams: + - Name: disabled + Type: bool + Default: false +ParserQuery: | + let SalesforceSignin=(disabled:bool=false){ + let SalesforceEventType = dynamic(['Login','Logout']); + let SalesforceSuccessfulOutcome = dynamic(['LOGIN_NO_ERROR']); + let SalesforceFailedOutcome = dynamic(['No such user or password', 'Incorrect password', 'Account expired','Password expired', 'User locked', 'User disabled', 'Logon violates policy','Session expired','Other'] ); + SalesforceServiceCloud_CL | where not(disabled) + | where event_type_s in (SalesforceEventType) + | project TimeGenerated,event_type_s,login_status_s, login_key_s, user_name_s, user_type_s, user_id_s, source_ip_s,client_ip_s,browser_type_s + | extend + EventProduct='Service Cloud' + , EventSchema = 'Authentication' + , EventVendor='Salesforce' + , EventCount=int(1) + , EventSchemaVersion='0.1.0' + , EventResult = case (login_status_s in (SalesforceSuccessfulOutcome), 'Success',login_status_s in (SalesforceFailedOutcome),'Failure', 'Partial') + , EventStartTime=TimeGenerated + , EventEndTime=TimeGenerated + , EventType = case(event_type_s == 'Login','Logon', + event_type_s == 'Logout','Logoff', "") + , TargetUserIdType='UID' + , TargetUsernameType='UPN' + | project-rename + EventOriginalResultDetails=login_status_s + , TargetSessionId=login_key_s + , TargetUserId= user_id_s + , TargetUsername=user_name_s + , OriginalUserType=user_type_s + , 
EventOriginalUid = request_id_s + , SrcIpAddr = source_ip_s + , TargetIpAddr = client_ip_s + , HttpUserAgent= browser_type_s + | project-reorder + EventProduct + , EventOriginalUid + , TimeGenerated + , EventResult + , EventOriginalResultDetails + , EventStartTime + , EventEndTime + , EventType + , TargetSessionId + , TargetUserId + , TargetUsername + , OriginalUserType + , HttpUserAgent + , SrcIpAddr + , TargetIpAddr + // ** Aliases + | extend + User=TargetUsername + , Dvc=EventVendor + }; + SalesforceSignin(disabled=disabled) \ No newline at end of file From 85bc87c847efdaa5b41142194eddd367e95bab8b Mon Sep 17 00:00:00 2001 From: rushriva Date: Tue, 20 Sep 2022 16:31:50 +0530 Subject: [PATCH 02/38] Update ASimAuthenticationSalesforceSC.yaml --- .../Parsers/ASimAuthenticationSalesforceSC.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index c8f436f311a..e99deff408e 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml @@ -36,11 +36,11 @@ ParserQuery: | , EventResult = case (login_status_s in (SalesforceSuccessfulOutcome), 'Success',login_status_s in (SalesforceFailedOutcome),'Failure', 'Partial') , EventStartTime=TimeGenerated , EventEndTime=TimeGenerated - , EventType = case(event_type_s == 'Login','Logon', - event_type_s == 'Logout','Logoff', "") + , EventType = case(event_type_s == 'Login','Logon', + event_type_s == 'Logout','Logoff', "") , TargetUserIdType='UID' - , TargetUsernameType='UPN' - | project-rename + , TargetUsernameType='UPN' + | project-rename EventOriginalResultDetails=login_status_s , TargetSessionId=login_key_s , TargetUserId= user_id_s From 25b1e7f9d4d73b870f075cf44e28cb9ec5a01dff Mon Sep 17 00:00:00 2001 
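Review bot: `EventResult` can never be `'Failure'` in this parser: `SalesforceFailedOutcome` holds ASIM result-detail strings (`'Incorrect password'`, `'User locked'`, …) while `login_status_s` carries Salesforce status codes in the `LOGIN_*` form that `SalesforceSuccessfulOutcome` already uses, so every failed logon falls through the `case` to `'Partial'` and any brute-force or password-spray content keyed on `EventResult == 'Failure'` will not fire for this source — the status codes need a real mapping and `EventResultDetails` should be derived from it. Separately, the `project` on the line before `extend` drops `request_id_s`, yet `project-rename EventOriginalUid = request_id_s` follows and will fail to resolve that column; either add `request_id_s` to the `project` list or drop that rename. Minor: `EventSchemaVersion='0.1.0'` disagrees with `Normalization.Version: '0.1.1'` in the header, and the ASIM reference link is missing a slash (`https:/aka.ms/AboutASIM`).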
From: rushriva
Date: Tue, 20 Sep 2022 16:53:13 +0530
Subject: [PATCH 03/38] Update ASimAuthenticationSalesforceSC.yaml

---
 .../Parsers/ASimAuthenticationSalesforceSC.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
index e99deff408e..f3a59958f77 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
@@ -71,4 +71,4 @@ ParserQuery: |
 User=TargetUsername
 , Dvc=EventVendor
 };
- SalesforceSignin(disabled=disabled)
\ No newline at end of file
+ SalesforceSignin(disabled)
\ No newline at end of file
From b127b00774dd5c8d0653f6b500b3000cfcc4fe2f Mon Sep 17 00:00:00 2001
From: rushriva
Date: Tue, 20 Sep 2022 17:04:24 +0530
Subject: [PATCH 04/38] Update ASimAuthenticationSalesforceSC.yaml

---
 .../Parsers/ASimAuthenticationSalesforceSC.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
index f3a59958f77..19dfbd1cfd2 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
@@ -71,4 +71,4 @@ ParserQuery: |
 User=TargetUsername
 , Dvc=EventVendor
 };
- SalesforceSignin(disabled)
\ No newline at end of file
+ SalesforceSignin(disabled)
\ No newline at end of file
From b342acc3f2d390ad9deb2f2d847d59e185defa1e Mon Sep 17 00:00:00 2001
From: rushriva
Date: Fri, 30 Sep 2022 17:35:34 +0530
Subject: [PATCH 05/38] Update ASimAuthenticationSalesforceSC.yaml

---
 .../ASimAuthenticationSalesforceSC.yaml | 173 ++++++++++++++----
 1 file changed, 141 insertions(+), 32 deletions(-)
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index 19dfbd1cfd2..4f3b2fa5c8b 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM parser for Salesforce Service Cloud Version: '0.1.0' - LastUpdated: August 26, 2022 + LastUpdated: September 30, 2022 Product: Name: Salesforce Normalization: 
@@ -21,54 +21,163 @@ ParserParams: Default: false ParserQuery: | let SalesforceSignin=(disabled:bool=false){ + let EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[ + "LOGIN_CHALLENGE_ISSUED","Other","Failure", + "LOGIN_CHALLENGE_PENDING","Other","Failure", + "LOGIN_DATA_DOWNLOAD_ONLY","Other","Failure", + "LOGIN_END_SESSION_TXN_SECURITY_POLICY","Logon violates policy","Failure", + "LOGIN_ERROR_API_TOO_OLD","Other","Failure", + "LOGIN_ERROR_APPEXCHANGE_DOWN","Other","Failure", + "LOGIN_ERROR_ASYNC_USER_CREATE","Other","Failure", + "LOGIN_ERROR_AVANTGO_DISABLED","Other","Failure", + "LOGIN_ERROR_AVANTGO_TRIAL_EXP","Other","Failure", + "LOGIN_ERROR_CLIENT_NO_ACCESS","Other","Failure", + "LOGIN_ERROR_CLIENT_REQ_UPDATE","Other","Failure", + "LOGIN_ERROR_CSS_FROZEN","Other","Failure", + "LOGIN_ERROR_CSS_PW_LOCKOUT","Other","Failure", + "LOGIN_ERROR_DUPLICATE_USERNAME","Other","Failure", + "LOGIN_ERROR_EXPORT_RESTRICTED","Other","Failure", + "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN","Other","Failure", + "LOGIN_ERROR_HT_DOWN","Other","Failure", + "LOGIN_ERROR_HTP_METHD_INVALID","Other","Failure", + "LOGIN_ERROR_INSECURE_LOGIN","Other","Failure", + "LOGIN_ERROR_INVALID_GATEWAY","Other","Failure", + "LOGIN_ERROR_INVALID_ID_FIELD","Other","Failure", + "LOGIN_ERROR_INVALID_PASSWORD","Incorrect password","Failure", + "LOGIN_ERROR_LOGINS_EXCEEDED","Other","Failure", + "LOGIN_ERROR_MUST_USE_API_TOKEN","Other","Failure", + "LOGIN_ERROR_MUTUAL_AUTHENTICATION","Other","Failure", + "LOGIN_ERROR_NETWORK_INACTIVE","Other","Failure", + "LOGIN_ERROR_NO_HT_ACCESS","Other","Failure", + "LOGIN_ERROR_NO_NETWORK_ACCESS","Other","Failure", + "LOGIN_ERROR_NO_NETWORK_INFO","Other","Failure", + "LOGIN_ERROR_NO_PORTAL_ACCESS","Other","Failure", + "LOGIN_ERROR_NO_SET_COOKIES","Other","Failure", + "LOGIN_ERROR_OFFLINE_DISABLED","Other","Failure", + "LOGIN_ERROR_OFFLINE_TRIAL_EXP","Other","Failure", + "LOGIN_ERROR_ORG_CLOSED","Other","Failure", + 
"LOGIN_ERROR_ORG_DOMAIN_ONLY","Other","Failure", + "LOGIN_ERROR_ORG_IN_MAINTENANCE","Other","Failure", + "LOGIN_ERROR_ORG_INACTIVE","Other","Failure", + "LOGIN_ERROR_ORG_IS_DOT_ORG","Other","Failure", + "LOGIN_ERROR_ORG_LOCKOUT","Other","Failure", + "LOGIN_ERROR_ORG_SIGNING_UP","Other","Failure", + "LOGIN_ERROR_ORG_SUSPENDED","Other","Failure", + "LOGIN_ERROR_OUTLOOK_DISABLED","Other","Failure", + "LOGIN_ERROR_PAGE_REQUIRES_LOGIN","Other","Failure", + "LOGIN_ERROR_PASSWORD_EMPTY","Other","Failure", + "LOGIN_ERROR_PASSWORD_LOCKOUT","Other","Failure", + "LOGIN_ERROR_PORTAL_INACTIVE","Other","Failure", + "LOGIN_ERROR_RATE_EXCEEDED","Other","Failure", + "LOGIN_ERROR_RESTRICTED_DOMAIN","Other","Failure", + "LOGIN_ERROR_RESTRICTED_TIME","Other","Failure", + "LOGIN_ERROR_SESSION_TIMEOUT","Other","Failure", + "LOGIN_ERROR_SSO_PWD_INVALID","Other","Failure", + "LOGIN_ERROR_SSO_SVC_DOWN","Other","Failure", + "LOGIN_ERROR_SSO_URL_INVALID","Other","Failure", + "LOGIN_ERROR_STORE","Other","Failure", + "LOGIN_ERROR_STORE_DOWN","Other","Failure", + "LOGIN_ERROR_SWITCH_SFDC_INSTANCE","Other","Failure", + "LOGIN_ERROR_SWITCH_SFDC_LOGIN","Other","Failure", + "LOGIN_ERROR_SYNCOFFLINE_DISBLD","Other","Failure", + "LOGIN_ERROR_SYSTEM_DOWN","Other","Failure", + "LOGIN_ERROR_UNKNOWN_ERROR","Other","Failure", + "LOGIN_ERROR_USER_API_ONLY","Other","Failure", + "LOGIN_ERROR_USER_FROZEN","User locked","Failure", + "LOGIN_ERROR_USER_INACTIVE","User disabled","Failure", + "LOGIN_ERROR_USER_NON_MOBILE","Other","Failure", + "LOGIN_ERROR_USER_STORE_ACCESS","Other","Failure", + "LOGIN_ERROR_USERNAME_EMPTY","Other","Failure", + "LOGIN_ERROR_WIRELESS_DISABLED","Other","Failure", + "LOGIN_ERROR_WIRELESS_TRIAL_EXP","Other","Failure", + "LOGIN_LIGHTNING_LOGIN","Other","Failure", + "LOGIN_NO_ERROR","","Success", + "LOGIN_OAUTH_API_DISABLED","Other","Failure", + "LOGIN_OAUTH_CONSUMER_DELETED","Other","Failure", + "LOGIN_OAUTH_DS_NOT_EXPECTED","Other","Failure", + 
"LOGIN_OAUTH_EXCEED_GET_AT_LMT","Other","Failure", + "LOGIN_OAUTH_INVALID_CODE_CHALLENGE","Other","Failure", + "LOGIN_OAUTH_INVALID_CODE_VERIFIER","Other","Failure", + "LOGIN_OAUTH_INVALID_DEVICE","Other","Failure", + "LOGIN_OAUTH_INVALID_DS","Other","Failure", + "LOGIN_OAUTH_INVALID_DSIG","Other","Failure", + "LOGIN_OAUTH_INVALID_IP","Other","Failure", + "LOGIN_OAUTH_INVALID_NONCE","Other","Failure", + "LOGIN_OAUTH_INVALID_SIG_METHOD","Other","Failure", + "LOGIN_OAUTH_INVALID_TIMESTAMP","Other","Failure", + "LOGIN_OAUTH_INVALID_TOKEN","Other","Failure", + "LOGIN_OAUTH_INVALID_VERIFIER","Other","Failure", + "LOGIN_OAUTH_INVALID_VERSION","Other","Failure", + "LOGIN_OAUTH_MISSING_DS","Other","Failure", + "LOGIN_OAUTH_NO_CALLBACK_URL","Other","Failure", + "LOGIN_OAUTH_NO_CONSUMER","Other","Failure", + "LOGIN_OAUTH_NO_TOKEN","Other","Failure", + "LOGIN_OAUTH_NONCE_REPLAY","Other","Failure", + "LOGIN_OAUTH_PACKAGE_MISSING","Other","Failure", + "LOGIN_OAUTH_PACKAGE_OLD","Other","Failure", + "LOGIN_OAUTH_UNEXPECTED_PARAM","Other","Failure", + "LOGIN_ORG_TRIAL_EXP","Other","Failure", + "LOGIN_READONLY_CANNOT_VALIDATE","Other","Failure", + "LOGIN_SAML_INVALID_AUDIENCE","Other","Failure", + "LOGIN_SAML_INVALID_CONFIG","Other","Failure", + "LOGIN_SAML_INVALID_FORMAT","Other","Failure", + "LOGIN_SAML_INVALID_IN_RES_TO","Other","Failure", + "LOGIN_SAML_INVALID_ISSUER","Other","Failure", + "LOGIN_SAML_INVALID_ORG_ID","Other","Failure", + "LOGIN_SAML_INVALID_PORTAL_ID","Other","Failure", + "LOGIN_SAML_INVALID_RECIPIENT","Other","Failure", + "LOGIN_SAML_INVALID_SESSION_LEVEL","Other","Failure", + "LOGIN_SAML_INVALID_SIGNATURE","Other","Failure", + "LOGIN_SAML_INVALID_SITE_URL","Other","Failure", + "LOGIN_SAML_INVALID_STATUS","Other","Failure", + "LOGIN_SAML_INVALID_SUB_CONFIRM","Other","Failure", + "LOGIN_SAML_INVALID_TIMESTAMP","Other","Failure", + "LOGIN_SAML_INVALID_USERNAME","Other","Failure", + "LOGIN_SAML_INVALID_VERSION","Other","Failure", + 
"LOGIN_SAML_MISMATCH_CERT","Other","Failure", + "LOGIN_SAML_MISSING_ORG_ID","Other","Failure", + "LOGIN_SAML_MISSING_PORTAL_ID","Other","Failure", + "LOGIN_SAML_PROVISION_ERROR","Other","Failure", + "LOGIN_SAML_REPLAY_ATTEMPTED","Other","Failure", + "LOGIN_SAML_SITE_INACTIVE","Other","Failure", + "LOGIN_TWOFACTOR_REQ","Other","Failure"]; let SalesforceEventType = dynamic(['Login','Logout']); - let SalesforceSuccessfulOutcome = dynamic(['LOGIN_NO_ERROR']); - let SalesforceFailedOutcome = dynamic(['No such user or password', 'Incorrect password', 'Account expired','Password expired', 'User locked', 'User disabled', 'Logon violates policy','Session expired','Other'] ); SalesforceServiceCloud_CL | where not(disabled) | where event_type_s in (SalesforceEventType) - | project TimeGenerated,event_type_s,login_status_s, login_key_s, user_name_s, user_type_s, user_id_s, source_ip_s,client_ip_s,browser_type_s + | lookup EventResultMapping on login_status_s | extend - EventProduct='Service Cloud' + EventProduct='Salesforce Service Cloud' , EventSchema = 'Authentication' , EventVendor='Salesforce' , EventCount=int(1) , EventSchemaVersion='0.1.0' - , EventResult = case (login_status_s in (SalesforceSuccessfulOutcome), 'Success',login_status_s in (SalesforceFailedOutcome),'Failure', 'Partial') - , EventStartTime=TimeGenerated - , EventEndTime=TimeGenerated - , EventType = case(event_type_s == 'Login','Logon', - event_type_s == 'Logout','Logoff', "") - , TargetUserIdType='UID' - , TargetUsernameType='UPN' + , EventResult + , EventResultDetails + , EventStartTime=todatetime(timestamp_s) + , EventEndTime=todatetime(timestamp_s) + , EventType = iff(event_type_s == 'Login', 'Logon',iff(event_type_s == 'Logout','Logoff', "")) + , TargetUserIdType='SaleforceId' + , TargetUsernameType='UPN' | project-rename - EventOriginalResultDetails=login_status_s + EventProductVersion = api_version_s + ,EventOriginalResultDetails=login_status_s , TargetSessionId=login_key_s , TargetUserId= user_id_s 
, TargetUsername=user_name_s - , OriginalUserType=user_type_s + , TargetOriginalUserType=user_type_s , EventOriginalUid = request_id_s , SrcIpAddr = source_ip_s , TargetIpAddr = client_ip_s + , TargetUserScope = organization_id_s + , TlsCipher = cipher_suite_s + , TlsVersion = tls_protocol_s , HttpUserAgent= browser_type_s - | project-reorder - EventProduct - , EventOriginalUid - , TimeGenerated - , EventResult - , EventOriginalResultDetails - , EventStartTime - , EventEndTime - , EventType - , TargetSessionId - , TargetUserId - , TargetUsername - , OriginalUserType - , HttpUserAgent - , SrcIpAddr - , TargetIpAddr - // ** Aliases - | extend + | extend User=TargetUsername , Dvc=EventVendor + , Src=SrcIpAddr + , IpAddr = SrcIpAddr + , Dst= TargetIpAddr + | project-away *_s }; SalesforceSignin(disabled) \ No newline at end of file From 92395cf23ac56116554e335b32596d64f135e8d5 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Wed, 28 Jun 2023 19:11:00 +0000 Subject: [PATCH 06/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- .../ASimAuthenticationSalesforceSC.json | 46 +++++++++++++++++++ .../ASimAuthenticationSalesforceSC/README.md | 18 ++++++++ .../ARM/FullDeploymentAuthentication.json | 20 ++++++++ 4 files changed, 85 insertions(+), 1 deletion(-) create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index b4928d051b4..492f075ed84 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
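Review bot: `lookup EventResultMapping on login_status_s` is a left-outer lookup, so any `login_status_s` value absent from the table — a code Salesforce adds later, or whatever Logout rows carry in that column, which I cannot see here — leaves `EventResult` and `EventResultDetails` empty, whereas the removed `case` at least fell back to `'Partial'`; since `EventResult` is a mandatory ASIM field, add an explicit default after the lookup, e.g. `| extend EventResult = iff(isempty(EventResult), 'NA', EventResult)`, and confirm the Logout case. The table also maps the lockout codes `LOGIN_ERROR_PASSWORD_LOCKOUT`, `LOGIN_ERROR_CSS_PW_LOCKOUT` and `LOGIN_ERROR_ORG_LOCKOUT` to `"Other"` while `LOGIN_ERROR_USER_FROZEN` gets `"User locked"`, and `LOGIN_ERROR_SESSION_TIMEOUT` to `"Other"` although `"Session expired"` is in the ASIM value list the previous revision used, so lockout- and session-based detections will miss those rows. `LOGIN_CHALLENGE_ISSUED`, `LOGIN_CHALLENGE_PENDING` and `LOGIN_TWOFACTOR_REQ` are all counted as `"Failure"`; if these are intermediate MFA-challenge states rather than rejected logons, failed-logon metrics will be inflated — worth checking against Salesforce's LoginHistory status documentation before merging. Finally, `TargetUserIdType='SaleforceId'` is misspelled and should read `'SalesforceId'`, otherwise content filtering on the documented type name will not match.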
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty\n , ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) ))\n , ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) ))\n , ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) ))\n , ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) ))\n , ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))\n , ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) ))\n , ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) ))\n , ASimAuthenticationSshd (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationSshd' in (DisabledParsers) ))\n , ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty\n , ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) ))\n , ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) ))\n , ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) ))\n , ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) ))\n , ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))\n , ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) ))\n , ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) ))\n , 
ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) ))\n , ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) ))\n , ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json new file mode 100644 index 00000000000..16bf9ade045 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationSalesforceSC", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Salesforce Service Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationSalesforceSC", + "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n\"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n\"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n\"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates 
policy\",\"Failure\",\n\"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect 
password\",\"Failure\",\n\"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYNCOFFL
INE_DISBLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n\"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n\"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_NO_ERROR\",\"\",\"Success\",\n\"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",
\"Failure\",\n\"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n\"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL | where not(disabled)\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , EventVendor='Salesforce'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult\n , EventResultDetails\n , EventStartTime=todatetime(timestamp_s)\n , EventEndTime=todatetime(timestamp_s)\n , EventType = iff(event_type_s == 'Login', 'Logon',iff(event_type_s == 'Logout','Logoff', \"\"))\n , 
TargetUserIdType='SaleforceId'\n , TargetUsernameType='UPN'\n| project-rename\n EventProductVersion = api_version_s\n ,EventOriginalResultDetails=login_status_s\n , TargetSessionId=login_key_s\n , TargetUserId= user_id_s\n , TargetUsername=user_name_s\n , TargetOriginalUserType=user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend \n User=TargetUsername\n , Dvc=EventVendor\n , Src=SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md new file mode 100644 index 00000000000..225aa1165bf --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md @@ -0,0 +1,18 @@ +# Salesforce ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Salesforce. + +This ASIM parser supports normalizing Salesforce sign in logs, stored in the SalesforceServiceCloud_CL table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSalesforceSC%2FASimAuthenticationSalesforceSC.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSalesforceSC%2FASimAuthenticationSalesforceSC.json)
diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
index 268412ea1b0..81cefaa2f33 100644
--- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
@@ -238,6 +238,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuthenticationSalesforceSC",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
From 71368f6ef54bfea0ad796191236d0201738d0caa Mon Sep 17 00:00:00 2001
From: Devika Mehra
Date: Thu, 29 Jun 2023 00:46:39 +0530
Subject: [PATCH 07/38] Updated EventType
---
 .../Parsers/ASimAuthenticationSalesforceSC.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
index 4f3b2fa5c8b..281b9945932 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
@@ -155,9 +155,9 @@ ParserQuery: |
 , EventResultDetails
 , EventStartTime=todatetime(timestamp_s)
 , EventEndTime=todatetime(timestamp_s)
- , EventType = iff(event_type_s == 'Login', 'Logon',iff(event_type_s == 'Logout','Logoff', ""))
- , TargetUserIdType='SaleforceId'
- , TargetUsernameType='UPN'
+ , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')
+ , TargetUserIdType = 'SaleforceId'
+ , TargetUsernameType = 'UPN'
 | project-rename
 EventProductVersion = api_version_s
 ,EventOriginalResultDetails=login_status_s
@@ -168,7 +168,7 @@ ParserQuery: |
 , EventOriginalUid = request_id_s
 , SrcIpAddr = source_ip_s
 , TargetIpAddr = client_ip_s
- , TargetUserScope = organization_id_s
+ , TargetUserScope = organization_id_s
 , TlsCipher = cipher_suite_s
 , TlsVersion = tls_protocol_s
 , HttpUserAgent= browser_type_s
From ad303dca02b77f4cd60ee6f326646db8a08b20e7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Wed, 28 Jun 2023 19:20:23 +0000
Subject: [PATCH 08/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ASimAuthenticationSalesforceSC.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
index 16bf9ade045..ae58260c75f 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
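Review bot: `, TargetUserIdType = 'SaleforceId'` on the new side of the first hunk carries over a value that looks misspelled; ASIM's UserIdType is an enumerated field, and if the documented value is `SalesforceId`, downstream content that filters on it will not match rows from this parser — the same spelling reappears in the later commit's `TargetUserIdType = iff(isnotempty(TargetUserId),"SaleforceId","")`. The simplified `EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')` is correct only because the earlier `where event_type_s in (SalesforceEventType)` limits rows to Login and Logout, which is worth stating next to it: `// event_type_s is restricted to Login/Logout above, so the else branch is Logout`. The enclosing SalesforceSignin function starts and ends outside both hunks.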
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n\"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n\"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n\"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n\"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect 
password\",\"Failure\",\n\"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYNCOFFL
INE_DISBLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n\"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n\"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_NO_ERROR\",\"\",\"Success\",\n\"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",
\"Failure\",\n\"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n\"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL | where not(disabled)\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , EventVendor='Salesforce'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult\n , EventResultDetails\n , EventStartTime=todatetime(timestamp_s)\n , EventEndTime=todatetime(timestamp_s)\n , EventType = iff(event_type_s == 'Login', 'Logon',iff(event_type_s == 'Logout','Logoff', \"\"))\n , 
TargetUserIdType='SaleforceId'\n , TargetUsernameType='UPN'\n| project-rename\n EventProductVersion = api_version_s\n ,EventOriginalResultDetails=login_status_s\n , TargetSessionId=login_key_s\n , TargetUserId= user_id_s\n , TargetUsername=user_name_s\n , TargetOriginalUserType=user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend \n User=TargetUsername\n , Dvc=EventVendor\n , Src=SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", + "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n\"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n\"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n\"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates 
policy\",\"Failure\",\n\"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect 
password\",\"Failure\",\n\"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYNCOFFL
INE_DISBLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n\"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n\"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_NO_ERROR\",\"\",\"Success\",\n\"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",
\"Failure\",\n\"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n\"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL | where not(disabled)\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , EventVendor='Salesforce'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult\n , EventResultDetails\n , EventStartTime=todatetime(timestamp_s)\n , EventEndTime=todatetime(timestamp_s)\n , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')\n , TargetUserIdType = 'SaleforceId'\n , 
TargetUsernameType = 'UPN'\n| project-rename\n EventProductVersion = api_version_s\n ,EventOriginalResultDetails=login_status_s\n , TargetSessionId=login_key_s\n , TargetUserId= user_id_s\n , TargetUsername=user_name_s\n , TargetOriginalUserType=user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend \n User=TargetUsername\n , Dvc=EventVendor\n , Src=SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", "version": 1, "functionParameters": "disabled:bool=False" } From 09187fc011a1d0a669e38275087fdfa4651c8252 Mon Sep 17 00:00:00 2001 From: Devika Mehra Date: Thu, 29 Jun 2023 09:43:03 +0530 Subject: [PATCH 09/38] Change time generated --- .../ASimAuthenticationSalesforceSC.yaml | 282 +++++++++--------- 1 file changed, 142 insertions(+), 140 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index 281b9945932..acc0213bd42 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml 
@@ -22,149 +22,148 @@ ParserParams:
 ParserQuery: |
 let SalesforceSignin=(disabled:bool=false){
 let EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[
- "LOGIN_CHALLENGE_ISSUED","Other","Failure",
- "LOGIN_CHALLENGE_PENDING","Other","Failure",
- "LOGIN_DATA_DOWNLOAD_ONLY","Other","Failure",
- "LOGIN_END_SESSION_TXN_SECURITY_POLICY","Logon violates policy","Failure",
- "LOGIN_ERROR_API_TOO_OLD","Other","Failure",
- "LOGIN_ERROR_APPEXCHANGE_DOWN","Other","Failure",
- "LOGIN_ERROR_ASYNC_USER_CREATE","Other","Failure",
- "LOGIN_ERROR_AVANTGO_DISABLED","Other","Failure",
- "LOGIN_ERROR_AVANTGO_TRIAL_EXP","Other","Failure",
- "LOGIN_ERROR_CLIENT_NO_ACCESS","Other","Failure",
- "LOGIN_ERROR_CLIENT_REQ_UPDATE","Other","Failure",
- "LOGIN_ERROR_CSS_FROZEN","Other","Failure",
- "LOGIN_ERROR_CSS_PW_LOCKOUT","Other","Failure",
- "LOGIN_ERROR_DUPLICATE_USERNAME","Other","Failure",
- "LOGIN_ERROR_EXPORT_RESTRICTED","Other","Failure",
- "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN","Other","Failure",
- "LOGIN_ERROR_HT_DOWN","Other","Failure",
- "LOGIN_ERROR_HTP_METHD_INVALID","Other","Failure",
- "LOGIN_ERROR_INSECURE_LOGIN","Other","Failure",
- "LOGIN_ERROR_INVALID_GATEWAY","Other","Failure",
- "LOGIN_ERROR_INVALID_ID_FIELD","Other","Failure",
- "LOGIN_ERROR_INVALID_PASSWORD","Incorrect password","Failure",
- "LOGIN_ERROR_LOGINS_EXCEEDED","Other","Failure",
- "LOGIN_ERROR_MUST_USE_API_TOKEN","Other","Failure",
- "LOGIN_ERROR_MUTUAL_AUTHENTICATION","Other","Failure",
- "LOGIN_ERROR_NETWORK_INACTIVE","Other","Failure",
- "LOGIN_ERROR_NO_HT_ACCESS","Other","Failure",
- "LOGIN_ERROR_NO_NETWORK_ACCESS","Other","Failure",
- "LOGIN_ERROR_NO_NETWORK_INFO","Other","Failure",
- "LOGIN_ERROR_NO_PORTAL_ACCESS","Other","Failure",
- "LOGIN_ERROR_NO_SET_COOKIES","Other","Failure",
- "LOGIN_ERROR_OFFLINE_DISABLED","Other","Failure",
- "LOGIN_ERROR_OFFLINE_TRIAL_EXP","Other","Failure",
- "LOGIN_ERROR_ORG_CLOSED","Other","Failure",
- "LOGIN_ERROR_ORG_DOMAIN_ONLY","Other","Failure",
- "LOGIN_ERROR_ORG_IN_MAINTENANCE","Other","Failure",
- "LOGIN_ERROR_ORG_INACTIVE","Other","Failure",
- "LOGIN_ERROR_ORG_IS_DOT_ORG","Other","Failure",
- "LOGIN_ERROR_ORG_LOCKOUT","Other","Failure",
- "LOGIN_ERROR_ORG_SIGNING_UP","Other","Failure",
- "LOGIN_ERROR_ORG_SUSPENDED","Other","Failure",
- "LOGIN_ERROR_OUTLOOK_DISABLED","Other","Failure",
- "LOGIN_ERROR_PAGE_REQUIRES_LOGIN","Other","Failure",
- "LOGIN_ERROR_PASSWORD_EMPTY","Other","Failure",
- "LOGIN_ERROR_PASSWORD_LOCKOUT","Other","Failure",
- "LOGIN_ERROR_PORTAL_INACTIVE","Other","Failure",
- "LOGIN_ERROR_RATE_EXCEEDED","Other","Failure",
- "LOGIN_ERROR_RESTRICTED_DOMAIN","Other","Failure",
- "LOGIN_ERROR_RESTRICTED_TIME","Other","Failure",
- "LOGIN_ERROR_SESSION_TIMEOUT","Other","Failure",
- "LOGIN_ERROR_SSO_PWD_INVALID","Other","Failure",
- "LOGIN_ERROR_SSO_SVC_DOWN","Other","Failure",
- "LOGIN_ERROR_SSO_URL_INVALID","Other","Failure",
- "LOGIN_ERROR_STORE","Other","Failure",
- "LOGIN_ERROR_STORE_DOWN","Other","Failure",
- "LOGIN_ERROR_SWITCH_SFDC_INSTANCE","Other","Failure",
- "LOGIN_ERROR_SWITCH_SFDC_LOGIN","Other","Failure",
- "LOGIN_ERROR_SYNCOFFLINE_DISBLD","Other","Failure",
- "LOGIN_ERROR_SYSTEM_DOWN","Other","Failure",
- "LOGIN_ERROR_UNKNOWN_ERROR","Other","Failure",
- "LOGIN_ERROR_USER_API_ONLY","Other","Failure",
- "LOGIN_ERROR_USER_FROZEN","User locked","Failure",
- "LOGIN_ERROR_USER_INACTIVE","User disabled","Failure",
- "LOGIN_ERROR_USER_NON_MOBILE","Other","Failure",
- "LOGIN_ERROR_USER_STORE_ACCESS","Other","Failure",
- "LOGIN_ERROR_USERNAME_EMPTY","Other","Failure",
- "LOGIN_ERROR_WIRELESS_DISABLED","Other","Failure",
- "LOGIN_ERROR_WIRELESS_TRIAL_EXP","Other","Failure",
- "LOGIN_LIGHTNING_LOGIN","Other","Failure",
- "LOGIN_NO_ERROR","","Success",
- "LOGIN_OAUTH_API_DISABLED","Other","Failure",
- "LOGIN_OAUTH_CONSUMER_DELETED","Other","Failure",
- "LOGIN_OAUTH_DS_NOT_EXPECTED","Other","Failure",
- "LOGIN_OAUTH_EXCEED_GET_AT_LMT","Other","Failure",
- "LOGIN_OAUTH_INVALID_CODE_CHALLENGE","Other","Failure",
- "LOGIN_OAUTH_INVALID_CODE_VERIFIER","Other","Failure",
- "LOGIN_OAUTH_INVALID_DEVICE","Other","Failure",
- "LOGIN_OAUTH_INVALID_DS","Other","Failure",
- "LOGIN_OAUTH_INVALID_DSIG","Other","Failure",
- "LOGIN_OAUTH_INVALID_IP","Other","Failure",
- "LOGIN_OAUTH_INVALID_NONCE","Other","Failure",
- "LOGIN_OAUTH_INVALID_SIG_METHOD","Other","Failure",
- "LOGIN_OAUTH_INVALID_TIMESTAMP","Other","Failure",
- "LOGIN_OAUTH_INVALID_TOKEN","Other","Failure",
- "LOGIN_OAUTH_INVALID_VERIFIER","Other","Failure",
- "LOGIN_OAUTH_INVALID_VERSION","Other","Failure",
- "LOGIN_OAUTH_MISSING_DS","Other","Failure",
- "LOGIN_OAUTH_NO_CALLBACK_URL","Other","Failure",
- "LOGIN_OAUTH_NO_CONSUMER","Other","Failure",
- "LOGIN_OAUTH_NO_TOKEN","Other","Failure",
- "LOGIN_OAUTH_NONCE_REPLAY","Other","Failure",
- "LOGIN_OAUTH_PACKAGE_MISSING","Other","Failure",
- "LOGIN_OAUTH_PACKAGE_OLD","Other","Failure",
- "LOGIN_OAUTH_UNEXPECTED_PARAM","Other","Failure",
- "LOGIN_ORG_TRIAL_EXP","Other","Failure",
- "LOGIN_READONLY_CANNOT_VALIDATE","Other","Failure",
- "LOGIN_SAML_INVALID_AUDIENCE","Other","Failure",
- "LOGIN_SAML_INVALID_CONFIG","Other","Failure",
- "LOGIN_SAML_INVALID_FORMAT","Other","Failure",
- "LOGIN_SAML_INVALID_IN_RES_TO","Other","Failure",
- "LOGIN_SAML_INVALID_ISSUER","Other","Failure",
- "LOGIN_SAML_INVALID_ORG_ID","Other","Failure",
- "LOGIN_SAML_INVALID_PORTAL_ID","Other","Failure",
- "LOGIN_SAML_INVALID_RECIPIENT","Other","Failure",
- "LOGIN_SAML_INVALID_SESSION_LEVEL","Other","Failure",
- "LOGIN_SAML_INVALID_SIGNATURE","Other","Failure",
- "LOGIN_SAML_INVALID_SITE_URL","Other","Failure",
- "LOGIN_SAML_INVALID_STATUS","Other","Failure",
- "LOGIN_SAML_INVALID_SUB_CONFIRM","Other","Failure",
- "LOGIN_SAML_INVALID_TIMESTAMP","Other","Failure",
- "LOGIN_SAML_INVALID_USERNAME","Other","Failure",
- "LOGIN_SAML_INVALID_VERSION","Other","Failure",
- "LOGIN_SAML_MISMATCH_CERT","Other","Failure",
- "LOGIN_SAML_MISSING_ORG_ID","Other","Failure",
- "LOGIN_SAML_MISSING_PORTAL_ID","Other","Failure",
- "LOGIN_SAML_PROVISION_ERROR","Other","Failure",
- "LOGIN_SAML_REPLAY_ATTEMPTED","Other","Failure",
- "LOGIN_SAML_SITE_INACTIVE","Other","Failure",
- "LOGIN_TWOFACTOR_REQ","Other","Failure"];
+ "LOGIN_CHALLENGE_ISSUED","Other","Failure",
+ "LOGIN_CHALLENGE_PENDING","Other","Failure",
+ "LOGIN_DATA_DOWNLOAD_ONLY","Other","Failure",
+ "LOGIN_END_SESSION_TXN_SECURITY_POLICY","Logon violates policy","Failure",
+ "LOGIN_ERROR_API_TOO_OLD","Other","Failure",
+ "LOGIN_ERROR_APPEXCHANGE_DOWN","Other","Failure",
+ "LOGIN_ERROR_ASYNC_USER_CREATE","Other","Failure",
+ "LOGIN_ERROR_AVANTGO_DISABLED","Other","Failure",
+ "LOGIN_ERROR_AVANTGO_TRIAL_EXP","Other","Failure",
+ "LOGIN_ERROR_CLIENT_NO_ACCESS","Other","Failure",
+ "LOGIN_ERROR_CLIENT_REQ_UPDATE","Other","Failure",
+ "LOGIN_ERROR_CSS_FROZEN","Other","Failure",
+ "LOGIN_ERROR_CSS_PW_LOCKOUT","Other","Failure",
+ "LOGIN_ERROR_DUPLICATE_USERNAME","Other","Failure",
+ "LOGIN_ERROR_EXPORT_RESTRICTED","Other","Failure",
+ "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN","Other","Failure",
+ "LOGIN_ERROR_HT_DOWN","Other","Failure",
+ "LOGIN_ERROR_HTP_METHD_INVALID","Other","Failure",
+ "LOGIN_ERROR_INSECURE_LOGIN","Other","Failure",
+ "LOGIN_ERROR_INVALID_GATEWAY","Other","Failure",
+ "LOGIN_ERROR_INVALID_ID_FIELD","Other","Failure",
+ "LOGIN_ERROR_INVALID_PASSWORD","Incorrect password","Failure",
+ "LOGIN_ERROR_LOGINS_EXCEEDED","Other","Failure",
+ "LOGIN_ERROR_MUST_USE_API_TOKEN","Other","Failure",
+ "LOGIN_ERROR_MUTUAL_AUTHENTICATION","Other","Failure",
+ "LOGIN_ERROR_NETWORK_INACTIVE","Other","Failure",
+ "LOGIN_ERROR_NO_HT_ACCESS","Other","Failure",
+ "LOGIN_ERROR_NO_NETWORK_ACCESS","Other","Failure",
+ "LOGIN_ERROR_NO_NETWORK_INFO","Other","Failure",
+ "LOGIN_ERROR_NO_PORTAL_ACCESS","Other","Failure",
+ "LOGIN_ERROR_NO_SET_COOKIES","Other","Failure",
+ "LOGIN_ERROR_OFFLINE_DISABLED","Other","Failure",
+ "LOGIN_ERROR_OFFLINE_TRIAL_EXP","Other","Failure",
+ "LOGIN_ERROR_ORG_CLOSED","Other","Failure",
+ "LOGIN_ERROR_ORG_DOMAIN_ONLY","Other","Failure",
+ "LOGIN_ERROR_ORG_IN_MAINTENANCE","Other","Failure",
+ "LOGIN_ERROR_ORG_INACTIVE","Other","Failure",
+ "LOGIN_ERROR_ORG_IS_DOT_ORG","Other","Failure",
+ "LOGIN_ERROR_ORG_LOCKOUT","Other","Failure",
+ "LOGIN_ERROR_ORG_SIGNING_UP","Other","Failure",
+ "LOGIN_ERROR_ORG_SUSPENDED","Other","Failure",
+ "LOGIN_ERROR_OUTLOOK_DISABLED","Other","Failure",
+ "LOGIN_ERROR_PAGE_REQUIRES_LOGIN","Other","Failure",
+ "LOGIN_ERROR_PASSWORD_EMPTY","Other","Failure",
+ "LOGIN_ERROR_PASSWORD_LOCKOUT","Other","Failure",
+ "LOGIN_ERROR_PORTAL_INACTIVE","Other","Failure",
+ "LOGIN_ERROR_RATE_EXCEEDED","Other","Failure",
+ "LOGIN_ERROR_RESTRICTED_DOMAIN","Other","Failure",
+ "LOGIN_ERROR_RESTRICTED_TIME","Other","Failure",
+ "LOGIN_ERROR_SESSION_TIMEOUT","Other","Failure",
+ "LOGIN_ERROR_SSO_PWD_INVALID","Other","Failure",
+ "LOGIN_ERROR_SSO_SVC_DOWN","Other","Failure",
+ "LOGIN_ERROR_SSO_URL_INVALID","Other","Failure",
+ "LOGIN_ERROR_STORE","Other","Failure",
+ "LOGIN_ERROR_STORE_DOWN","Other","Failure",
+ "LOGIN_ERROR_SWITCH_SFDC_INSTANCE","Other","Failure",
+ "LOGIN_ERROR_SWITCH_SFDC_LOGIN","Other","Failure",
+ "LOGIN_ERROR_SYNCOFFLINE_DISBLD","Other","Failure",
+ "LOGIN_ERROR_SYSTEM_DOWN","Other","Failure",
+ "LOGIN_ERROR_UNKNOWN_ERROR","Other","Failure",
+ "LOGIN_ERROR_USER_API_ONLY","Other","Failure",
+ "LOGIN_ERROR_USER_FROZEN","User locked","Failure",
+ "LOGIN_ERROR_USER_INACTIVE","User disabled","Failure",
+ "LOGIN_ERROR_USER_NON_MOBILE","Other","Failure",
+ "LOGIN_ERROR_USER_STORE_ACCESS","Other","Failure",
+ "LOGIN_ERROR_USERNAME_EMPTY","Other","Failure",
+ "LOGIN_ERROR_WIRELESS_DISABLED","Other","Failure",
+ "LOGIN_ERROR_WIRELESS_TRIAL_EXP","Other","Failure",
+ "LOGIN_LIGHTNING_LOGIN","Other","Failure",
+ "LOGIN_NO_ERROR","","Success",
+ "LOGIN_OAUTH_API_DISABLED","Other","Failure",
+ "LOGIN_OAUTH_CONSUMER_DELETED","Other","Failure",
+ "LOGIN_OAUTH_DS_NOT_EXPECTED","Other","Failure",
+ "LOGIN_OAUTH_EXCEED_GET_AT_LMT","Other","Failure",
+ "LOGIN_OAUTH_INVALID_CODE_CHALLENGE","Other","Failure",
+ "LOGIN_OAUTH_INVALID_CODE_VERIFIER","Other","Failure",
+ "LOGIN_OAUTH_INVALID_DEVICE","Other","Failure",
+ "LOGIN_OAUTH_INVALID_DS","Other","Failure",
+ "LOGIN_OAUTH_INVALID_DSIG","Other","Failure",
+ "LOGIN_OAUTH_INVALID_IP","Other","Failure",
+ "LOGIN_OAUTH_INVALID_NONCE","Other","Failure",
+ "LOGIN_OAUTH_INVALID_SIG_METHOD","Other","Failure",
+ "LOGIN_OAUTH_INVALID_TIMESTAMP","Other","Failure",
+ "LOGIN_OAUTH_INVALID_TOKEN","Other","Failure",
+ "LOGIN_OAUTH_INVALID_VERIFIER","Other","Failure",
+ "LOGIN_OAUTH_INVALID_VERSION","Other","Failure",
+ "LOGIN_OAUTH_MISSING_DS","Other","Failure",
+ "LOGIN_OAUTH_NO_CALLBACK_URL","Other","Failure",
+ "LOGIN_OAUTH_NO_CONSUMER","Other","Failure",
+ "LOGIN_OAUTH_NO_TOKEN","Other","Failure",
+ "LOGIN_OAUTH_NONCE_REPLAY","Other","Failure",
+ "LOGIN_OAUTH_PACKAGE_MISSING","Other","Failure",
+ "LOGIN_OAUTH_PACKAGE_OLD","Other","Failure",
+ "LOGIN_OAUTH_UNEXPECTED_PARAM","Other","Failure",
+ "LOGIN_ORG_TRIAL_EXP","Other","Failure",
+ "LOGIN_READONLY_CANNOT_VALIDATE","Other","Failure",
+ "LOGIN_SAML_INVALID_AUDIENCE","Other","Failure",
+ "LOGIN_SAML_INVALID_CONFIG","Other","Failure",
+ "LOGIN_SAML_INVALID_FORMAT","Other","Failure",
+ "LOGIN_SAML_INVALID_IN_RES_TO","Other","Failure",
+ "LOGIN_SAML_INVALID_ISSUER","Other","Failure",
+ "LOGIN_SAML_INVALID_ORG_ID","Other","Failure",
+ "LOGIN_SAML_INVALID_PORTAL_ID","Other","Failure",
+ "LOGIN_SAML_INVALID_RECIPIENT","Other","Failure",
+ "LOGIN_SAML_INVALID_SESSION_LEVEL","Other","Failure",
+ "LOGIN_SAML_INVALID_SIGNATURE","Other","Failure",
+ "LOGIN_SAML_INVALID_SITE_URL","Other","Failure",
+ "LOGIN_SAML_INVALID_STATUS","Other","Failure",
+ "LOGIN_SAML_INVALID_SUB_CONFIRM","Other","Failure",
+ "LOGIN_SAML_INVALID_TIMESTAMP","Other","Failure",
+ "LOGIN_SAML_INVALID_USERNAME","Other","Failure",
+ "LOGIN_SAML_INVALID_VERSION","Other","Failure",
+ "LOGIN_SAML_MISMATCH_CERT","Other","Failure",
+ "LOGIN_SAML_MISSING_ORG_ID","Other","Failure",
+ "LOGIN_SAML_MISSING_PORTAL_ID","Other","Failure",
+ "LOGIN_SAML_PROVISION_ERROR","Other","Failure",
+ "LOGIN_SAML_REPLAY_ATTEMPTED","Other","Failure",
+ "LOGIN_SAML_SITE_INACTIVE","Other","Failure",
+ "LOGIN_TWOFACTOR_REQ","Other","Failure"
+ ];
 let SalesforceEventType = dynamic(['Login','Logout']);
- SalesforceServiceCloud_CL | where not(disabled)
- | where event_type_s in (SalesforceEventType)
+ SalesforceServiceCloud_CL
+ | where not(disabled)
+ | extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))
+ | where event_type_s in (SalesforceEventType)
 | lookup EventResultMapping on login_status_s
 | extend
 EventProduct='Salesforce Service Cloud'
 , EventSchema = 'Authentication'
- , EventVendor='Salesforce'
- , EventCount=int(1)
- , EventSchemaVersion='0.1.0'
- , EventResult
- , EventResultDetails
- , EventStartTime=todatetime(timestamp_s)
- , EventEndTime=todatetime(timestamp_s)
+ , EventVendor = 'Salesforce'
+ , EventCount = int(1)
+ , EventSchemaVersion = '0.1.0'
+ , EventStartTime = TimeGenerated
+ , EventEndTime = TimeGenerated
 , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')
- , TargetUserIdType = 'SaleforceId'
- , TargetUsernameType = 'UPN'
 | project-rename
- EventProductVersion = api_version_s
- ,EventOriginalResultDetails=login_status_s
- , TargetSessionId=login_key_s
- , TargetUserId= user_id_s
- , TargetUsername=user_name_s
- , TargetOriginalUserType=user_type_s
+ EventProductVersion = api_version_s
+ , EventOriginalResultDetails = login_status_s
+ , TargetSessionId =login_key_s
+ , TargetUserId = user_id_s
+ , TargetUsername = user_name_s
+ , TargetOriginalUserType = user_type_s
 , EventOriginalUid = request_id_s
 , SrcIpAddr = source_ip_s
 , TargetIpAddr = client_ip_s
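Review bot: The new `| extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))` overwrites the ingestion timestamp unconditionally, so a row whose timestamp_s does not parse ends up with a null TimeGenerated and, through the following extend, null EventStartTime and EventEndTime, which silently removes that logon from any time-bounded query. Falling back to the original column keeps such rows visible: `| extend TimeGenerated = coalesce(todatetime(tostring(split(timestamp_s,'.',0)[0])), TimeGenerated)`. The split on '.' also presumes a fractional-second suffix and discards it; a comment such as `// source timestamp carries fractional seconds after '.', truncated before parsing` would let the assumption be checked against real data. SalesforceSignin continues past the end of the hunk.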
@@ -172,10 +171,13 @@ ParserQuery: |
 , TlsCipher = cipher_suite_s
 , TlsVersion = tls_protocol_s
 , HttpUserAgent= browser_type_s
- | extend
- User=TargetUsername
- , Dvc=EventVendor
- , Src=SrcIpAddr
+ | extend
+ TargetUserType = iff(isnotempty(TargetOriginalUserType),"Other","")
+ , TargetUserIdType = iff(isnotempty(TargetUserId),"SaleforceId","")
+ , TargetUsernameType = iff(isnotempty(TargetUsername),"UPN","")
+ , User = TargetUsername
+ , Dvc = EventVendor
+ , Src = SrcIpAddr
 , IpAddr = SrcIpAddr
 , Dst= TargetIpAddr
 | project-away *_s
From dd809d04882240b1de4c632c79ae805471cfc5ea Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Thu, 29 Jun 2023 04:16:37 +0000
Subject: [PATCH 10/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ASimAuthenticationSalesforceSC.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
index ae58260c75f..7ec94ae905d 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
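Review bot: The new `TargetUserIdType` line assigns the literal `"SaleforceId"`, which drops the `s` from the product name and is presumably meant to be the ASIM value `SalesforceId`; a mistyped type value quietly fails any downstream filter that compares against the spelled-out form. The same string is carried as context into the later `@@ -176,7 +176,7 @@` hunk of this file and into the new vimAuthenticationSalesforceSC.yaml, so both parsers need the fix. Suggest `, TargetUserIdType = iff(isnotempty(TargetUserId),"SalesforceId","")`. The enclosing `SalesforceSignin` function body starts outside this hunk.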
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n\"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n\"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n\"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n\"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect 
password\",\"Failure\",\n\"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYNCOFFL
INE_DISBLD\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n\"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n\"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n\"LOGIN_NO_ERROR\",\"\",\"Success\",\n\"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n\"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",
\"Failure\",\n\"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n\"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n\"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n\"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n\"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n\"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n\"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL | where not(disabled)\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , EventVendor='Salesforce'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult\n , EventResultDetails\n , EventStartTime=todatetime(timestamp_s)\n , EventEndTime=todatetime(timestamp_s)\n , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')\n , TargetUserIdType = 'SaleforceId'\n , 
TargetUsernameType = 'UPN'\n| project-rename\n EventProductVersion = api_version_s\n ,EventOriginalResultDetails=login_status_s\n , TargetSessionId=login_key_s\n , TargetUserId= user_id_s\n , TargetUsername=user_name_s\n , TargetOriginalUserType=user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend \n User=TargetUsername\n , Dvc=EventVendor\n , Src=SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", + "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n \"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n \"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect password\",\"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_NO_ERROR\",\"\",\"Success\",\n \"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n 
\"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",\"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL \n| where not(disabled)\n| extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , 
EventVendor = 'Salesforce'\n , EventCount = int(1)\n , EventSchemaVersion = '0.1.0'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')\n| project-rename\n EventProductVersion = api_version_s\n , EventOriginalResultDetails = login_status_s\n , TargetSessionId =login_key_s\n , TargetUserId = user_id_s\n , TargetUsername = user_name_s\n , TargetOriginalUserType = user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend\n TargetUserType = iff(isnotempty(TargetOriginalUserType),\"Other\",\"\") \n , TargetUserIdType = iff(isnotempty(TargetUserId),\"SaleforceId\",\"\") \n , TargetUsernameType = iff(isnotempty(TargetUsername),\"UPN\",\"\")\n , User = TargetUsername\n , Dvc = EventVendor\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", "version": 1, "functionParameters": "disabled:bool=False" } From 1a15ebd55d85feba6f08899856902888afef732a Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 14 Jul 2023 11:43:37 +0530 Subject: [PATCH 11/38] adding vim parser --- .../ASimAuthenticationSalesforceSC.yaml | 8 +- .../vimAuthenticationSalesforceSC.yaml | 214 ++++++++++++++++++ 2 files changed, 218 insertions(+), 4 deletions(-) create mode 100644 Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index acc0213bd42..5d121fc64d9 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml 
@@ -1,12 +1,12 @@
 Parser:
 Title: Authentication ASIM parser for Salesforce Service Cloud
- Version: '0.1.0'
+ Version: '0.1'
 LastUpdated: September 30, 2022
 Product:
- Name: Salesforce
+ Name: Salesforce Service Cloud
 Normalization:
 Schema: Authentication
- Version: '0.1.1'
+ Version: '0.1.3'
 References:
 - Title: ASIM Authentication Schema
 Link: https://aka.ms/ASimAuthenticationDoc
@@ -176,7 +176,7 @@ ParserQuery: |
 , TargetUserIdType = iff(isnotempty(TargetUserId),"SaleforceId","")
 , TargetUsernameType = iff(isnotempty(TargetUsername),"UPN","")
 , User = TargetUsername
- , Dvc = EventVendor
+ , Dvc = EventProduct
 , Src = SrcIpAddr
 , IpAddr = SrcIpAddr
 , Dst= TargetIpAddr
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
new file mode 100644
index 00000000000..1bc73d99980
--- /dev/null
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
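Review bot: The first hunk raises this file's Normalization `Version` to `'0.1.3'`, but the query's `EventSchemaVersion` is not touched by this commit and, going by the generated ARM template of this parser, still emits `'0.1.0'`, while the new vimAuthenticationSalesforceSC.yaml emits `'0.1.3'` for the same source table. Consumers comparing schema versions across the ASim and vim parsers would see the two disagree for identical rows. Suggest `, EventSchemaVersion = '0.1.3'` alongside the `Dvc = EventProduct` change in the `@@ -176` hunk. The `EventSchemaVersion` line itself lies outside both hunks shown here.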
@@ -0,0 +1,214 @@
+Parser:
+ Title: ASIM Authentication filtering parser for Salesforce Service Cloud
+ Version: '0.1'
+ LastUpdated: July 8th, 2023
+Product:
+ Name: Salesforce Service Cloud
+Normalization:
+ Schema: Authentication
+ Version: '0.1.3'
+References:
+- Title: Using functions
+ Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
+- Title: ASIM Authentication Schema
+ Link: https://aka.ms/ASimAuthenticationDoc
+- Title: ASIM
+ Link: https:/aka.ms/AboutASIM
+Description: |
+ This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema.
+ParserName: vimAuthenticationSalesforceSC
+ParserParams:
+ - Name: starttime
+ Type: datetime
+ Default: datetime(null)
+ - Name: endtime
+ Type: datetime
+ Default: datetime(null)
+ - Name: targetusername_has
+ Type: string
+ Default: '*'
+ - Name: disabled
+ Type: bool
+ Default: false
+ParserQuery: |
+ let EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[
+ "LOGIN_CHALLENGE_ISSUED","Other","Failure",
+ "LOGIN_CHALLENGE_PENDING","Other","Failure",
+ "LOGIN_DATA_DOWNLOAD_ONLY","Other","Failure",
+ "LOGIN_END_SESSION_TXN_SECURITY_POLICY","Logon violates policy","Failure",
+ "LOGIN_ERROR_API_TOO_OLD","Other","Failure",
+ "LOGIN_ERROR_APPEXCHANGE_DOWN","Other","Failure",
+ "LOGIN_ERROR_ASYNC_USER_CREATE","Other","Failure",
+ "LOGIN_ERROR_AVANTGO_DISABLED","Other","Failure",
+ "LOGIN_ERROR_AVANTGO_TRIAL_EXP","Other","Failure",
+ "LOGIN_ERROR_CLIENT_NO_ACCESS","Other","Failure",
+ "LOGIN_ERROR_CLIENT_REQ_UPDATE","Other","Failure",
+ "LOGIN_ERROR_CSS_FROZEN","Other","Failure",
+ "LOGIN_ERROR_CSS_PW_LOCKOUT","Other","Failure",
+ "LOGIN_ERROR_DUPLICATE_USERNAME","Other","Failure",
+ "LOGIN_ERROR_EXPORT_RESTRICTED","Other","Failure",
+ "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN","Other","Failure",
+ "LOGIN_ERROR_HT_DOWN","Other","Failure",
+ "LOGIN_ERROR_HTP_METHD_INVALID","Other","Failure",
+ "LOGIN_ERROR_INSECURE_LOGIN","Other","Failure",
+ "LOGIN_ERROR_INVALID_GATEWAY","Other","Failure",
+ "LOGIN_ERROR_INVALID_ID_FIELD","Other","Failure",
+ "LOGIN_ERROR_INVALID_PASSWORD","Incorrect password","Failure",
+ "LOGIN_ERROR_LOGINS_EXCEEDED","Other","Failure",
+ "LOGIN_ERROR_MUST_USE_API_TOKEN","Other","Failure",
+ "LOGIN_ERROR_MUTUAL_AUTHENTICATION","Other","Failure",
+ "LOGIN_ERROR_NETWORK_INACTIVE","Other","Failure",
+ "LOGIN_ERROR_NO_HT_ACCESS","Other","Failure",
+ "LOGIN_ERROR_NO_NETWORK_ACCESS","Other","Failure",
+ "LOGIN_ERROR_NO_NETWORK_INFO","Other","Failure",
+ "LOGIN_ERROR_NO_PORTAL_ACCESS","Other","Failure",
+ "LOGIN_ERROR_NO_SET_COOKIES","Other","Failure",
+ "LOGIN_ERROR_OFFLINE_DISABLED","Other","Failure",
+ "LOGIN_ERROR_OFFLINE_TRIAL_EXP","Other","Failure",
+ "LOGIN_ERROR_ORG_CLOSED","Other","Failure",
+ "LOGIN_ERROR_ORG_DOMAIN_ONLY","Other","Failure",
+ "LOGIN_ERROR_ORG_IN_MAINTENANCE","Other","Failure",
+ "LOGIN_ERROR_ORG_INACTIVE","Other","Failure",
+ "LOGIN_ERROR_ORG_IS_DOT_ORG","Other","Failure",
+ "LOGIN_ERROR_ORG_LOCKOUT","Other","Failure",
+ "LOGIN_ERROR_ORG_SIGNING_UP","Other","Failure",
+ "LOGIN_ERROR_ORG_SUSPENDED","Other","Failure",
+ "LOGIN_ERROR_OUTLOOK_DISABLED","Other","Failure",
+ "LOGIN_ERROR_PAGE_REQUIRES_LOGIN","Other","Failure",
+ "LOGIN_ERROR_PASSWORD_EMPTY","Other","Failure",
+ "LOGIN_ERROR_PASSWORD_LOCKOUT","Other","Failure",
+ "LOGIN_ERROR_PORTAL_INACTIVE","Other","Failure",
+ "LOGIN_ERROR_RATE_EXCEEDED","Other","Failure",
+ "LOGIN_ERROR_RESTRICTED_DOMAIN","Other","Failure",
+ "LOGIN_ERROR_RESTRICTED_TIME","Other","Failure",
+ "LOGIN_ERROR_SESSION_TIMEOUT","Other","Failure",
+ "LOGIN_ERROR_SSO_PWD_INVALID","Other","Failure",
+ "LOGIN_ERROR_SSO_SVC_DOWN","Other","Failure",
+ "LOGIN_ERROR_SSO_URL_INVALID","Other","Failure",
+ "LOGIN_ERROR_STORE","Other","Failure",
+ "LOGIN_ERROR_STORE_DOWN","Other","Failure",
+ "LOGIN_ERROR_SWITCH_SFDC_INSTANCE","Other","Failure",
+ "LOGIN_ERROR_SWITCH_SFDC_LOGIN","Other","Failure",
+ "LOGIN_ERROR_SYNCOFFLINE_DISBLD","Other","Failure",
+ "LOGIN_ERROR_SYSTEM_DOWN","Other","Failure",
+ "LOGIN_ERROR_UNKNOWN_ERROR","Other","Failure",
+ "LOGIN_ERROR_USER_API_ONLY","Other","Failure",
+ "LOGIN_ERROR_USER_FROZEN","User locked","Failure",
+ "LOGIN_ERROR_USER_INACTIVE","User disabled","Failure",
+ "LOGIN_ERROR_USER_NON_MOBILE","Other","Failure",
+ "LOGIN_ERROR_USER_STORE_ACCESS","Other","Failure",
+ "LOGIN_ERROR_USERNAME_EMPTY","Other","Failure",
+ "LOGIN_ERROR_WIRELESS_DISABLED","Other","Failure",
+ "LOGIN_ERROR_WIRELESS_TRIAL_EXP","Other","Failure",
+ "LOGIN_LIGHTNING_LOGIN","Other","Failure",
+ "LOGIN_NO_ERROR","","Success",
+ "LOGIN_OAUTH_API_DISABLED","Other","Failure",
+ "LOGIN_OAUTH_CONSUMER_DELETED","Other","Failure",
+ "LOGIN_OAUTH_DS_NOT_EXPECTED","Other","Failure",
+ "LOGIN_OAUTH_EXCEED_GET_AT_LMT","Other","Failure",
+ "LOGIN_OAUTH_INVALID_CODE_CHALLENGE","Other","Failure",
+ "LOGIN_OAUTH_INVALID_CODE_VERIFIER","Other","Failure",
+ "LOGIN_OAUTH_INVALID_DEVICE","Other","Failure",
+ "LOGIN_OAUTH_INVALID_DS","Other","Failure",
+ "LOGIN_OAUTH_INVALID_DSIG","Other","Failure",
+ "LOGIN_OAUTH_INVALID_IP","Other","Failure",
+ "LOGIN_OAUTH_INVALID_NONCE","Other","Failure",
+ "LOGIN_OAUTH_INVALID_SIG_METHOD","Other","Failure",
+ "LOGIN_OAUTH_INVALID_TIMESTAMP","Other","Failure",
+ "LOGIN_OAUTH_INVALID_TOKEN","Other","Failure",
+ "LOGIN_OAUTH_INVALID_VERIFIER","Other","Failure",
+ "LOGIN_OAUTH_INVALID_VERSION","Other","Failure",
+ "LOGIN_OAUTH_MISSING_DS","Other","Failure",
+ "LOGIN_OAUTH_NO_CALLBACK_URL","Other","Failure",
+ "LOGIN_OAUTH_NO_CONSUMER","Other","Failure",
+ "LOGIN_OAUTH_NO_TOKEN","Other","Failure",
+ "LOGIN_OAUTH_NONCE_REPLAY","Other","Failure",
+ "LOGIN_OAUTH_PACKAGE_MISSING","Other","Failure",
+ "LOGIN_OAUTH_PACKAGE_OLD","Other","Failure",
+ "LOGIN_OAUTH_UNEXPECTED_PARAM","Other","Failure",
+ "LOGIN_ORG_TRIAL_EXP","Other","Failure",
+ "LOGIN_READONLY_CANNOT_VALIDATE","Other","Failure",
+ "LOGIN_SAML_INVALID_AUDIENCE","Other","Failure",
+ "LOGIN_SAML_INVALID_CONFIG","Other","Failure",
+ "LOGIN_SAML_INVALID_FORMAT","Other","Failure",
+ "LOGIN_SAML_INVALID_IN_RES_TO","Other","Failure",
+ "LOGIN_SAML_INVALID_ISSUER","Other","Failure",
+ "LOGIN_SAML_INVALID_ORG_ID","Other","Failure",
+ "LOGIN_SAML_INVALID_PORTAL_ID","Other","Failure",
+ "LOGIN_SAML_INVALID_RECIPIENT","Other","Failure",
+ "LOGIN_SAML_INVALID_SESSION_LEVEL","Other","Failure",
+ "LOGIN_SAML_INVALID_SIGNATURE","Other","Failure",
+ "LOGIN_SAML_INVALID_SITE_URL","Other","Failure",
+ "LOGIN_SAML_INVALID_STATUS","Other","Failure",
+ "LOGIN_SAML_INVALID_SUB_CONFIRM","Other","Failure",
+ "LOGIN_SAML_INVALID_TIMESTAMP","Other","Failure",
+ "LOGIN_SAML_INVALID_USERNAME","Other","Failure",
+ "LOGIN_SAML_INVALID_VERSION","Other","Failure",
+ "LOGIN_SAML_MISMATCH_CERT","Other","Failure",
+ "LOGIN_SAML_MISSING_ORG_ID","Other","Failure",
+ "LOGIN_SAML_MISSING_PORTAL_ID","Other","Failure",
+ "LOGIN_SAML_PROVISION_ERROR","Other","Failure",
+ "LOGIN_SAML_REPLAY_ATTEMPTED","Other","Failure",
+ "LOGIN_SAML_SITE_INACTIVE","Other","Failure",
+ "LOGIN_TWOFACTOR_REQ","Other","Failure"
+ ];
+ let SalesforceEventType = dynamic(['Login','LoginAs','Logout']);
+ let EventTypeLookup = datatable(event_type_s:string, EventType:string)[
+ "Login","Logon",
+ "LoginAs","Logon",
+ "Logout","Logoff"
+ ];
+ let parser = (
+ starttime:datetime=datetime(null),
+ endtime:datetime=datetime(null),
+ targetusername_has:string="*",
+ disabled:bool=false
+ )
+ {
+ SalesforceServiceCloud_CL
+ | where not(disabled)
+ // -- Pre filtering
+ | where
+ (isnull(starttime) or TimeGenerated >= starttime)
+ and (isnull(endtime) or TimeGenerated <= endtime)
+ and (targetusername_has=='*' or (user_name_s has targetusername_has ))
+ and event_type_s in~ (SalesforceEventType)
+ // -- end pre-filtering
+ | extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))
+ | lookup EventResultMapping on login_status_s
+ | project-rename
+ EventProductVersion = api_version_s
+ , EventOriginalResultDetails = login_status_s
+ , ActorSessionId = coalesce(session_key_s,login_key_s)
+ , TargetUserId = user_id_s
+ , TargetUsername = user_name_s
+ , TargetOriginalUserType = user_type_s
+ , EventOriginalUid = request_id_s
+ , SrcIpAddr = source_ip_s
+ , TargetIpAddr = client_ip_s
+ , TargetUserScope = organization_id_s
+ , TlsCipher = cipher_suite_s
+ , TlsVersion = tls_protocol_s
+ , HttpUserAgent= browser_type_s
+ , TargetUrl = uri_s
+ | extend
+ TargetUserType = iff(isnotempty(TargetOriginalUserType),"Other","")
+ , TargetUserIdType = iff(isnotempty(TargetUserId),"SaleforceId","")
+ , TargetUsernameType = iff(isnotempty(TargetUsername),"UPN","")
+ , User = TargetUsername
+ , Dvc = EventProduct
+ , Src = SrcIpAddr
+ , IpAddr = SrcIpAddr
+ , Dst= TargetIpAddr
+ | extend
+ EventVendor = 'Salesforce'
+ , EventProduct='Salesforce Service Cloud'
+ , EventCount = int(1)
+ , EventSchema = 'Authentication'
+ , EventSchemaVersion = '0.1.3'
+ , EventStartTime = TimeGenerated
+ , EventEndTime = TimeGenerated
+ , EventTypeLookup on event_type_s
+ | project-away *_s
+ };
+ parser (starttime, endtime, targetusername_has, disabled)
\ No newline at end of file
From 5bf8abcaeca35325ab7b5cf1c43cdda3d216f295 Mon Sep 17 00:00:00 2001
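Review bot: `, ActorSessionId = coalesce(session_key_s,login_key_s)` inside `| project-rename` will not parse, because project-rename only accepts `NewName = ExistingColumn` pairs; the coalesce has to move into an `extend` (the trailing `project-away *_s` then still drops both source columns). Two more lines in the same query are malformed or mis-ordered: the final extend ends with `, EventTypeLookup on event_type_s`, which is a `lookup` operator fragment rather than an extend expression, and `, Dvc = EventProduct` in the preceding extend reads a column that is only created in the extend after it, so the parser fails to resolve it. The starttime/endtime pre-filter is also evaluated against the table's ingestion-time `TimeGenerated` while the output later overwrites TimeGenerated (and hence EventStartTime/EventEndTime) with the parsed `timestamp_s`, so the returned window and the emitted timestamps can disagree; if the early filter is kept for index performance, a comment such as `// filter uses ingestion-time TimeGenerated; the event timestamp is substituted below` would make that explicit. Separately, `Link: https:/aka.ms/AboutASIM` is missing a slash.
```yaml
    | lookup EventResultMapping on login_status_s
    | lookup EventTypeLookup on event_type_s
    | extend ActorSessionId = coalesce(session_key_s, login_key_s)
    | project-rename
        EventProductVersion = api_version_s
        , EventOriginalResultDetails = login_status_s
        // … unchanged: remaining renames, TargetUserId = user_id_s through TargetUrl = uri_s …
    | extend
        EventVendor = 'Salesforce'
        , EventProduct = 'Salesforce Service Cloud'
        // … unchanged: EventCount, EventSchema, EventSchemaVersion, EventStartTime, EventEndTime …
    | extend
        // … unchanged: TargetUserType, TargetUserIdType, TargetUsernameType, User …
        , Dvc = EventProduct
        // … unchanged: Src, IpAddr, Dst …
    | project-away *_s
```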
From: "github-actions[bot]" <> Date: Fri, 14 Jul 2023 06:16:48 +0000 Subject: [PATCH 12/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthenticationSalesforceSC.json | 2 +- .../ASimAuthenticationSalesforceSC/README.md | 4 +- .../ARM/FullDeploymentAuthentication.json | 20 ++++++++ .../vimAuthenticationSalesforceSC/README.md | 18 ++++++++ .../vimAuthenticationSalesforceSC.json | 46 +++++++++++++++++++ 5 files changed, 87 insertions(+), 3 deletions(-) create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json index 7ec94ae905d..7204d9facb0 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n \"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n \"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect password\",\"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n 
\"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_NO_ERROR\",\"\",\"Success\",\n \"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",\"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n 
\"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL \n| where not(disabled)\n| extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , EventVendor = 'Salesforce'\n , EventCount = int(1)\n , EventSchemaVersion = '0.1.0'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')\n| project-rename\n EventProductVersion = api_version_s\n , EventOriginalResultDetails = login_status_s\n , TargetSessionId =login_key_s\n , TargetUserId = user_id_s\n , TargetUsername = user_name_s\n , TargetOriginalUserType = 
user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend\n TargetUserType = iff(isnotempty(TargetOriginalUserType),\"Other\",\"\") \n , TargetUserIdType = iff(isnotempty(TargetUserId),\"SaleforceId\",\"\") \n , TargetUsernameType = iff(isnotempty(TargetUsername),\"UPN\",\"\")\n , User = TargetUsername\n , Dvc = EventVendor\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", + "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n \"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n \"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect password\",\"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_NO_ERROR\",\"\",\"Success\",\n \"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n 
\"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",\"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL \n| where not(disabled)\n| extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , 
EventVendor = 'Salesforce'\n , EventCount = int(1)\n , EventSchemaVersion = '0.1.0'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')\n| project-rename\n EventProductVersion = api_version_s\n , EventOriginalResultDetails = login_status_s\n , TargetSessionId =login_key_s\n , TargetUserId = user_id_s\n , TargetUsername = user_name_s\n , TargetOriginalUserType = user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend\n TargetUserType = iff(isnotempty(TargetOriginalUserType),\"Other\",\"\") \n , TargetUserIdType = iff(isnotempty(TargetUserId),\"SaleforceId\",\"\") \n , TargetUsernameType = iff(isnotempty(TargetUsername),\"UPN\",\"\")\n , User = TargetUsername\n , Dvc = EventProduct\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md index 225aa1165bf..c030ba64982 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md @@ -1,6 +1,6 @@ -# Salesforce ASIM Authentication Normalization Parser +# Salesforce Service Cloud ASIM Authentication Normalization Parser -ARM template for ASIM Authentication schema parser for Salesforce. +ARM template for ASIM Authentication schema parser for Salesforce Service Cloud. This ASIM parser supports normalizing Salesforce sign in logs, stored in the SalesforceServiceCloud_CL table, to the ASIM Authentication schema. 
diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
index 81cefaa2f33..68301cc5322 100644
--- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
@@ -558,6 +558,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuthenticationSalesforceSC",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md
new file mode 100644
index 00000000000..d8f007d0480
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md
@@ -0,0 +1,18 @@ +# Salesforce Service Cloud ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Salesforce Service Cloud. + +This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json new file mode 100644 index 00000000000..2be3bf0b180 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationSalesforceSC", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSalesforceSC", + "query": "let EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n \"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n \"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect password\",\"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_NO_ERROR\",\"\",\"Success\",\n \"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n 
\"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",\"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n 
\"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"\n ];\nlet SalesforceEventType = dynamic(['Login','LoginAs','Logout']);\nlet EventTypeLookup = datatable(event_type_s:string, EventType:string)[\n \"Login\",\"Logon\",\n \"LoginAs\",\"Logon\",\n \"Logout\",\"Logoff\"\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n targetusername_has:string=\"*\",\n disabled:bool=false\n)\n{\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (user_name_s has targetusername_has ))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))\n | lookup EventResultMapping on login_status_s\n | project-rename\n EventProductVersion = api_version_s\n , EventOriginalResultDetails = login_status_s\n , ActorSessionId = coalesce(session_key_s,login_key_s)\n , TargetUserId = user_id_s\n , TargetUsername = user_name_s\n , TargetOriginalUserType = user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n , TargetUrl = uri_s\n | extend\n TargetUserType = iff(isnotempty(TargetOriginalUserType),\"Other\",\"\") \n , TargetUserIdType = iff(isnotempty(TargetUserId),\"SaleforceId\",\"\") \n , TargetUsernameType = iff(isnotempty(TargetUsername),\"UPN\",\"\")\n , User = TargetUsername\n , Dvc = EventProduct\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n | extend\n EventVendor = 'Salesforce'\n , EventProduct='Salesforce Service Cloud'\n , 
EventCount = int(1) \n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventTypeLookup on event_type_s\n | project-away *_s\n};\nparser (starttime, endtime, targetusername_has, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file From 723f356b3f68b4978ffe2bf89236c3bdf13e0fb0 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Mon, 17 Jul 2023 18:18:07 +0530 Subject: [PATCH 13/38] updated VIMParser --- .../vimAuthenticationSalesforceSC.yaml | 442 +++++++++++------- 1 file changed, 264 insertions(+), 178 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml index 1bc73d99980..9643f402bd4 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml 
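Review bot: The KQL embedded in this file's `query` value will not compile as written: inside `project-rename`, `ActorSessionId = coalesce(session_key_s,login_key_s)` is an expression, and `project-rename` only accepts `NewName = ExistingColumn`; the final `extend` ends with `EventTypeLookup on event_type_s`, which is a `lookup` clause rather than an assignment; and `Dvc = EventProduct` is evaluated in the extend that precedes the one creating `EventProduct`, so the column does not exist at that point. Because this template is generated from `Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml`, the fix belongs in that YAML followed by a regeneration: use `| extend ActorSessionId = coalesce(session_key_s, login_key_s)` after the rename, replace the trailing clause with `| lookup EventTypeLookup on event_type_s`, and move the extend that sets `EventVendor`/`EventProduct` ahead of the one that sets `Dvc`. The same three problems appear in the earlier YAML hunk that ends just before this commit's record, whose start is outside this view. `"SaleforceId"` in `TargetUserIdType` also looks like a typo for `SalesforceId`, and it is carried over unchanged from the existing ASim parser.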
@@ -31,184 +31,270 @@ ParserParams: Type: bool Default: false ParserQuery: | - let EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[ - "LOGIN_CHALLENGE_ISSUED","Other","Failure", - "LOGIN_CHALLENGE_PENDING","Other","Failure", - "LOGIN_DATA_DOWNLOAD_ONLY","Other","Failure", - "LOGIN_END_SESSION_TXN_SECURITY_POLICY","Logon violates policy","Failure", - "LOGIN_ERROR_API_TOO_OLD","Other","Failure", - "LOGIN_ERROR_APPEXCHANGE_DOWN","Other","Failure", - "LOGIN_ERROR_ASYNC_USER_CREATE","Other","Failure", - "LOGIN_ERROR_AVANTGO_DISABLED","Other","Failure", - "LOGIN_ERROR_AVANTGO_TRIAL_EXP","Other","Failure", - "LOGIN_ERROR_CLIENT_NO_ACCESS","Other","Failure", - "LOGIN_ERROR_CLIENT_REQ_UPDATE","Other","Failure", - "LOGIN_ERROR_CSS_FROZEN","Other","Failure", - "LOGIN_ERROR_CSS_PW_LOCKOUT","Other","Failure", - "LOGIN_ERROR_DUPLICATE_USERNAME","Other","Failure", - "LOGIN_ERROR_EXPORT_RESTRICTED","Other","Failure", - "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN","Other","Failure", - "LOGIN_ERROR_HT_DOWN","Other","Failure", - "LOGIN_ERROR_HTP_METHD_INVALID","Other","Failure", - "LOGIN_ERROR_INSECURE_LOGIN","Other","Failure", - "LOGIN_ERROR_INVALID_GATEWAY","Other","Failure", - "LOGIN_ERROR_INVALID_ID_FIELD","Other","Failure", - "LOGIN_ERROR_INVALID_PASSWORD","Incorrect password","Failure", - "LOGIN_ERROR_LOGINS_EXCEEDED","Other","Failure", - "LOGIN_ERROR_MUST_USE_API_TOKEN","Other","Failure", - "LOGIN_ERROR_MUTUAL_AUTHENTICATION","Other","Failure", - "LOGIN_ERROR_NETWORK_INACTIVE","Other","Failure", - "LOGIN_ERROR_NO_HT_ACCESS","Other","Failure", - "LOGIN_ERROR_NO_NETWORK_ACCESS","Other","Failure", - "LOGIN_ERROR_NO_NETWORK_INFO","Other","Failure", - "LOGIN_ERROR_NO_PORTAL_ACCESS","Other","Failure", - "LOGIN_ERROR_NO_SET_COOKIES","Other","Failure", - "LOGIN_ERROR_OFFLINE_DISABLED","Other","Failure", - "LOGIN_ERROR_OFFLINE_TRIAL_EXP","Other","Failure", - "LOGIN_ERROR_ORG_CLOSED","Other","Failure", - 
"LOGIN_ERROR_ORG_DOMAIN_ONLY","Other","Failure", - "LOGIN_ERROR_ORG_IN_MAINTENANCE","Other","Failure", - "LOGIN_ERROR_ORG_INACTIVE","Other","Failure", - "LOGIN_ERROR_ORG_IS_DOT_ORG","Other","Failure", - "LOGIN_ERROR_ORG_LOCKOUT","Other","Failure", - "LOGIN_ERROR_ORG_SIGNING_UP","Other","Failure", - "LOGIN_ERROR_ORG_SUSPENDED","Other","Failure", - "LOGIN_ERROR_OUTLOOK_DISABLED","Other","Failure", - "LOGIN_ERROR_PAGE_REQUIRES_LOGIN","Other","Failure", - "LOGIN_ERROR_PASSWORD_EMPTY","Other","Failure", - "LOGIN_ERROR_PASSWORD_LOCKOUT","Other","Failure", - "LOGIN_ERROR_PORTAL_INACTIVE","Other","Failure", - "LOGIN_ERROR_RATE_EXCEEDED","Other","Failure", - "LOGIN_ERROR_RESTRICTED_DOMAIN","Other","Failure", - "LOGIN_ERROR_RESTRICTED_TIME","Other","Failure", - "LOGIN_ERROR_SESSION_TIMEOUT","Other","Failure", - "LOGIN_ERROR_SSO_PWD_INVALID","Other","Failure", - "LOGIN_ERROR_SSO_SVC_DOWN","Other","Failure", - "LOGIN_ERROR_SSO_URL_INVALID","Other","Failure", - "LOGIN_ERROR_STORE","Other","Failure", - "LOGIN_ERROR_STORE_DOWN","Other","Failure", - "LOGIN_ERROR_SWITCH_SFDC_INSTANCE","Other","Failure", - "LOGIN_ERROR_SWITCH_SFDC_LOGIN","Other","Failure", - "LOGIN_ERROR_SYNCOFFLINE_DISBLD","Other","Failure", - "LOGIN_ERROR_SYSTEM_DOWN","Other","Failure", - "LOGIN_ERROR_UNKNOWN_ERROR","Other","Failure", - "LOGIN_ERROR_USER_API_ONLY","Other","Failure", - "LOGIN_ERROR_USER_FROZEN","User locked","Failure", - "LOGIN_ERROR_USER_INACTIVE","User disabled","Failure", - "LOGIN_ERROR_USER_NON_MOBILE","Other","Failure", - "LOGIN_ERROR_USER_STORE_ACCESS","Other","Failure", - "LOGIN_ERROR_USERNAME_EMPTY","Other","Failure", - "LOGIN_ERROR_WIRELESS_DISABLED","Other","Failure", - "LOGIN_ERROR_WIRELESS_TRIAL_EXP","Other","Failure", - "LOGIN_LIGHTNING_LOGIN","Other","Failure", - "LOGIN_NO_ERROR","","Success", - "LOGIN_OAUTH_API_DISABLED","Other","Failure", - "LOGIN_OAUTH_CONSUMER_DELETED","Other","Failure", - "LOGIN_OAUTH_DS_NOT_EXPECTED","Other","Failure", - 
"LOGIN_OAUTH_EXCEED_GET_AT_LMT","Other","Failure", - "LOGIN_OAUTH_INVALID_CODE_CHALLENGE","Other","Failure", - "LOGIN_OAUTH_INVALID_CODE_VERIFIER","Other","Failure", - "LOGIN_OAUTH_INVALID_DEVICE","Other","Failure", - "LOGIN_OAUTH_INVALID_DS","Other","Failure", - "LOGIN_OAUTH_INVALID_DSIG","Other","Failure", - "LOGIN_OAUTH_INVALID_IP","Other","Failure", - "LOGIN_OAUTH_INVALID_NONCE","Other","Failure", - "LOGIN_OAUTH_INVALID_SIG_METHOD","Other","Failure", - "LOGIN_OAUTH_INVALID_TIMESTAMP","Other","Failure", - "LOGIN_OAUTH_INVALID_TOKEN","Other","Failure", - "LOGIN_OAUTH_INVALID_VERIFIER","Other","Failure", - "LOGIN_OAUTH_INVALID_VERSION","Other","Failure", - "LOGIN_OAUTH_MISSING_DS","Other","Failure", - "LOGIN_OAUTH_NO_CALLBACK_URL","Other","Failure", - "LOGIN_OAUTH_NO_CONSUMER","Other","Failure", - "LOGIN_OAUTH_NO_TOKEN","Other","Failure", - "LOGIN_OAUTH_NONCE_REPLAY","Other","Failure", - "LOGIN_OAUTH_PACKAGE_MISSING","Other","Failure", - "LOGIN_OAUTH_PACKAGE_OLD","Other","Failure", - "LOGIN_OAUTH_UNEXPECTED_PARAM","Other","Failure", - "LOGIN_ORG_TRIAL_EXP","Other","Failure", - "LOGIN_READONLY_CANNOT_VALIDATE","Other","Failure", - "LOGIN_SAML_INVALID_AUDIENCE","Other","Failure", - "LOGIN_SAML_INVALID_CONFIG","Other","Failure", - "LOGIN_SAML_INVALID_FORMAT","Other","Failure", - "LOGIN_SAML_INVALID_IN_RES_TO","Other","Failure", - "LOGIN_SAML_INVALID_ISSUER","Other","Failure", - "LOGIN_SAML_INVALID_ORG_ID","Other","Failure", - "LOGIN_SAML_INVALID_PORTAL_ID","Other","Failure", - "LOGIN_SAML_INVALID_RECIPIENT","Other","Failure", - "LOGIN_SAML_INVALID_SESSION_LEVEL","Other","Failure", - "LOGIN_SAML_INVALID_SIGNATURE","Other","Failure", - "LOGIN_SAML_INVALID_SITE_URL","Other","Failure", - "LOGIN_SAML_INVALID_STATUS","Other","Failure", - "LOGIN_SAML_INVALID_SUB_CONFIRM","Other","Failure", - "LOGIN_SAML_INVALID_TIMESTAMP","Other","Failure", - "LOGIN_SAML_INVALID_USERNAME","Other","Failure", - "LOGIN_SAML_INVALID_VERSION","Other","Failure", - 
"LOGIN_SAML_MISMATCH_CERT","Other","Failure", - "LOGIN_SAML_MISSING_ORG_ID","Other","Failure", - "LOGIN_SAML_MISSING_PORTAL_ID","Other","Failure", - "LOGIN_SAML_PROVISION_ERROR","Other","Failure", - "LOGIN_SAML_REPLAY_ATTEMPTED","Other","Failure", - "LOGIN_SAML_SITE_INACTIVE","Other","Failure", - "LOGIN_TWOFACTOR_REQ","Other","Failure" - ]; - let SalesforceEventType = dynamic(['Login','LoginAs','Logout']); - let EventTypeLookup = datatable(event_type_s:string, EventType:string)[ - "Login","Logon", - "LoginAs","Logon", - "Logout","Logoff" + let EventResultLookup = datatable ( + login_status_s: string, + EventResultDetails: string, + EventResult: string + )[ + "LOGIN_CHALLENGE_ISSUED", "Other", "Failure", + "LOGIN_CHALLENGE_PENDING", "Other", "Failure", + "LOGIN_DATA_DOWNLOAD_ONLY", "Other", "Failure", + "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Logon violates policy", "Failure", + "LOGIN_ERROR_API_TOO_OLD", "Other", "Failure", + "LOGIN_ERROR_APPEXCHANGE_DOWN", "Other", "Failure", + "LOGIN_ERROR_ASYNC_USER_CREATE", "Other", "Failure", + "LOGIN_ERROR_AVANTGO_DISABLED", "Other", "Failure", + "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Other", "Failure", + "LOGIN_ERROR_CLIENT_NO_ACCESS", "Other", "Failure", + "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Other", "Failure", + "LOGIN_ERROR_CSS_FROZEN", "Other", "Failure", + "LOGIN_ERROR_CSS_PW_LOCKOUT", "User locked", "Failure", + "LOGIN_ERROR_DUPLICATE_USERNAME", "Other", "Failure", + "LOGIN_ERROR_EXPORT_RESTRICTED", "Other", "Failure", + "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Other", "Failure", + "LOGIN_ERROR_HT_DOWN", "Other", "Failure", + "LOGIN_ERROR_HTP_METHD_INVALID", "Other", "Failure", + "LOGIN_ERROR_INSECURE_LOGIN", "Other", "Failure", + "LOGIN_ERROR_INVALID_GATEWAY", "Other", "Failure", + "LOGIN_ERROR_INVALID_ID_FIELD", "Other", "Failure", + "LOGIN_ERROR_INVALID_PASSWORD", "Incorrect password", "Failure", + "LOGIN_ERROR_LOGINS_EXCEEDED", "Other", "Failure", + "LOGIN_ERROR_MUST_USE_API_TOKEN", "Other", "Failure", + 
"LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Other", "Failure", + "LOGIN_ERROR_NETWORK_INACTIVE", "Other", "Failure", + "LOGIN_ERROR_NO_HT_ACCESS", "Other", "Failure", + "LOGIN_ERROR_NO_NETWORK_ACCESS", "Other", "Failure", + "LOGIN_ERROR_NO_NETWORK_INFO", "Other", "Failure", + "LOGIN_ERROR_NO_PORTAL_ACCESS", "Other", "Failure", + "LOGIN_ERROR_NO_SET_COOKIES", "Other", "Failure", + "LOGIN_ERROR_OFFLINE_DISABLED", "Other", "Failure", + "LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Other", "Failure", + "LOGIN_ERROR_ORG_CLOSED", "Other", "Failure", + "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Other", "Failure", + "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Other", "Failure", + "LOGIN_ERROR_ORG_INACTIVE", "Other", "Failure", + "LOGIN_ERROR_ORG_IS_DOT_ORG", "Other", "Failure", + "LOGIN_ERROR_ORG_LOCKOUT", "Other", "Failure", + "LOGIN_ERROR_ORG_SIGNING_UP", "Other", "Failure", + "LOGIN_ERROR_ORG_SUSPENDED", "Other", "Failure", + "LOGIN_ERROR_OUTLOOK_DISABLED", "Other", "Failure", + "LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Session expired", "Failure", + "LOGIN_ERROR_PASSWORD_EMPTY", "Other", "Failure", + "LOGIN_ERROR_PASSWORD_LOCKOUT", "User locked", "Failure", + "LOGIN_ERROR_PORTAL_INACTIVE", "Other", "Failure", + "LOGIN_ERROR_RATE_EXCEEDED", "Other", "Failure", + "LOGIN_ERROR_RESTRICTED_DOMAIN", "Other", "Failure", + "LOGIN_ERROR_RESTRICTED_TIME", "Other", "Failure", + "LOGIN_ERROR_SESSION_TIMEOUT", "Session expired", "Failure", + "LOGIN_ERROR_SSO_PWD_INVALID", "Incorrect password", "Failure", + "LOGIN_ERROR_SSO_SVC_DOWN", "Other", "Failure", + "LOGIN_ERROR_SSO_URL_INVALID", "Other", "Failure", + "LOGIN_ERROR_STORE", "Other", "Failure", + "LOGIN_ERROR_STORE_DOWN", "Other", "Failure", + "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Other", "Failure", + "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Other", "Failure", + "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Other", "Failure", + "LOGIN_ERROR_SYSTEM_DOWN", "Other", "Failure", + "LOGIN_ERROR_UNKNOWN_ERROR", "Other", "Failure", + "LOGIN_ERROR_USER_API_ONLY", "Other", "Failure", + 
"LOGIN_ERROR_USER_FROZEN", "User locked", "Failure", + "LOGIN_ERROR_USER_INACTIVE", "User disabled", "Failure", + "LOGIN_ERROR_USER_NON_MOBILE", "Other", "Failure", + "LOGIN_ERROR_USER_STORE_ACCESS", "Other", "Failure", + "LOGIN_ERROR_USERNAME_EMPTY", "Other", "Failure", + "LOGIN_ERROR_WIRELESS_DISABLED", "Other", "Failure", + "LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Other", "Failure", + "LOGIN_LIGHTNING_LOGIN", "Other", "Failure", + "LOGIN_NO_ERROR", "", "Success", + "LOGIN_OAUTH_API_DISABLED", "Other", "Failure", + "LOGIN_OAUTH_CONSUMER_DELETED", "Other", "Failure", + "LOGIN_OAUTH_DS_NOT_EXPECTED", "Other", "Failure", + "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Other", "Failure", + "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Other", "Failure", + "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Other", "Failure", + "LOGIN_OAUTH_INVALID_DEVICE", "Other", "Failure", + "LOGIN_OAUTH_INVALID_DS", "Other", "Failure", + "LOGIN_OAUTH_INVALID_DSIG", "Other", "Failure", + "LOGIN_OAUTH_INVALID_IP", "Other", "Failure", + "LOGIN_OAUTH_INVALID_NONCE", "Other", "Failure", + "LOGIN_OAUTH_INVALID_SIG_METHOD", "Other", "Failure", + "LOGIN_OAUTH_INVALID_TIMESTAMP", "Other", "Failure", + "LOGIN_OAUTH_INVALID_TOKEN", "Other", "Failure", + "LOGIN_OAUTH_INVALID_VERIFIER", "Other", "Failure", + "LOGIN_OAUTH_INVALID_VERSION", "Other", "Failure", + "LOGIN_OAUTH_MISSING_DS", "Other", "Failure", + "LOGIN_OAUTH_NO_CALLBACK_URL", "Other", "Failure", + "LOGIN_OAUTH_NO_CONSUMER", "Other", "Failure", + "LOGIN_OAUTH_NO_TOKEN", "Other", "Failure", + "LOGIN_OAUTH_NONCE_REPLAY", "Other", "Failure", + "LOGIN_OAUTH_PACKAGE_MISSING", "Other", "Failure", + "LOGIN_OAUTH_PACKAGE_OLD", "Other", "Failure", + "LOGIN_OAUTH_UNEXPECTED_PARAM", "Other", "Failure", + "LOGIN_ORG_TRIAL_EXP", "Other", "Failure", + "LOGIN_READONLY_CANNOT_VALIDATE", "Other", "Failure", + "LOGIN_SAML_INVALID_AUDIENCE", "Other", "Failure", + "LOGIN_SAML_INVALID_CONFIG", "Other", "Failure", + "LOGIN_SAML_INVALID_FORMAT", "Other", "Failure", + 
"LOGIN_SAML_INVALID_IN_RES_TO", "Other", "Failure", + "LOGIN_SAML_INVALID_ISSUER", "Other", "Failure", + "LOGIN_SAML_INVALID_ORG_ID", "Other", "Failure", + "LOGIN_SAML_INVALID_PORTAL_ID", "Other", "Failure", + "LOGIN_SAML_INVALID_RECIPIENT", "Other", "Failure", + "LOGIN_SAML_INVALID_SESSION_LEVEL", "Other", "Failure", + "LOGIN_SAML_INVALID_SIGNATURE", "Other", "Failure", + "LOGIN_SAML_INVALID_SITE_URL", "Other", "Failure", + "LOGIN_SAML_INVALID_STATUS", "Other", "Failure", + "LOGIN_SAML_INVALID_SUB_CONFIRM", "Other", "Failure", + "LOGIN_SAML_INVALID_TIMESTAMP", "Other", "Failure", + "LOGIN_SAML_INVALID_USERNAME", "No such user", "Failure", + "LOGIN_SAML_INVALID_VERSION", "Other", "Failure", + "LOGIN_SAML_MISMATCH_CERT", "Other", "Failure", + "LOGIN_SAML_MISSING_ORG_ID", "Other", "Failure", + "LOGIN_SAML_MISSING_PORTAL_ID", "Other", "Failure", + "LOGIN_SAML_PROVISION_ERROR", "Other", "Failure", + "LOGIN_SAML_REPLAY_ATTEMPTED", "Other", "Failure", + "LOGIN_SAML_SITE_INACTIVE", "Other", "Failure", + "LOGIN_TWOFACTOR_REQ", "Logon violates policy", "Failure" + ]; + let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']); + let EventTypeLookup = datatable(event_type_s: string, EventType: string)[ + "Login", "Logon", + "LoginAs", "Logon", + "Logout", "Logoff" + ]; + let DvcOSLookup = datatable( + platform_type_s: string, + DvcOS: string, + DvcOsVersion: string + )[ + "1000", "Windows", "", + "1008", "Windows", "2003", + "1013", "Windows", "8.1", + "1015", "Windows", "10", + "2003", "Macintosh/Apple", "OSX", + "4000", "Linux", "", + "5005", "Android", "", + "5006", "iPhone", "", + "5007", "iPad", "", + "5200", "Android", "10.0" + ]; + let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ + "7", "AppExchange", + "A", "Application", + "s", "Certificate-based login", + "k", "Chatter Communities External User", + "n", "Chatter Communities External User Third Party SSO", + "r", "Employee Login to Community", + "z", "Lightning Login", + "l", 
"Networks Portal API Only", + "6", "Remote Access Client", + "i", "Remote Access 2.0", + "I", "Other Apex API", + "R", "Partner Product", + "w", "Passwordless Login", + "3", "Customer Service Portal", + "q", "Partner Portal Third-Party SSO", + "9", "Partner Portal", + "5", "SAML Idp Initiated SSO", + "m", "SAML Chatter Communities External User SSO", + "b", "SAML Customer Service Portal SSO", + "c", "SAML Partner Portal SSO", + "h", "SAML Site SSO", + "8", "SAML Sfdc Initiated SSO", + "E", "SelfService", + "j", "Third Party SSO" + ]; + let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ + "S", "Success", + "F", "Failure", + "A", "Failure", + "R", "Success", + "N", "Failure", + "U", "NA" + ]; + let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[ + "CsnOnly", "Other", + "CspLitePortal", "Other", + "CustomerSuccess", "Other", + "Guest", "Anonymous", + "PowerCustomerSuccess", "Other", + "PowerPartner", "Other", + "SelfService", "Other", + "Standard", "Regular", + "A", "Application", + "b", "Other", + "C", "Other", + "D", "Other", + "F", "Other", + "G", "Anonymous", + "L", "Other", + "N", "Service", + "n", "Other", + "O", "Other", + "o", "Other", + "P", "Other", + "p", "Other", + "S", "Regular", + "X", "Admin" ]; let parser = ( - starttime:datetime=datetime(null), - endtime:datetime=datetime(null), - targetusername_has:string="*", - disabled:bool=false - ) - { - SalesforceServiceCloud_CL - | where not(disabled) - // -- Pre filtering - | where - (isnull(starttime) or TimeGenerated >= starttime) - and (isnull(endtime) or TimeGenerated <= endtime) - and (targetusername_has=='*' or (user_name_s has targetusername_has )) - and event_type_s in~ (SalesforceEventType) - // -- end pre-filtering - | extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0])) - | lookup EventResultMapping on login_status_s - | project-rename - EventProductVersion = api_version_s - , EventOriginalResultDetails = 
login_status_s - , ActorSessionId = coalesce(session_key_s,login_key_s) - , TargetUserId = user_id_s - , TargetUsername = user_name_s - , TargetOriginalUserType = user_type_s - , EventOriginalUid = request_id_s - , SrcIpAddr = source_ip_s - , TargetIpAddr = client_ip_s - , TargetUserScope = organization_id_s - , TlsCipher = cipher_suite_s - , TlsVersion = tls_protocol_s - , HttpUserAgent= browser_type_s - , TargetUrl = uri_s - | extend - TargetUserType = iff(isnotempty(TargetOriginalUserType),"Other","") - , TargetUserIdType = iff(isnotempty(TargetUserId),"SaleforceId","") - , TargetUsernameType = iff(isnotempty(TargetUsername),"UPN","") - , User = TargetUsername - , Dvc = EventProduct - , Src = SrcIpAddr - , IpAddr = SrcIpAddr - , Dst= TargetIpAddr - | extend - EventVendor = 'Salesforce' - , EventProduct='Salesforce Service Cloud' - , EventCount = int(1) - , EventSchema = 'Authentication' - , EventSchemaVersion = '0.1.3' - , EventStartTime = TimeGenerated - , EventEndTime = TimeGenerated - , EventTypeLookup on event_type_s - | project-away *_s + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + targetusername_has: string="*", + disabled: bool=false + ) { + SalesforceServiceCloud_CL + | where not(disabled) + // -- Pre filtering + | where + (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and (targetusername_has == '*' or (user_name_s has targetusername_has)) + and event_type_s in~ (SalesforceEventType) + // -- end pre-filtering + | lookup EventResultLookup on login_status_s + | lookup EventTypeLookup on event_type_s + //| lookup LogonMethodLookup on login_type_s + | lookup TempEventResultLookup on request_status_s + | lookup DvcOSLookup on platform_type_s + | lookup UserTypeLookup on user_type_s + | project-rename + EventProductVersion = api_version_s, + EventOriginalResultDetails = login_status_s, + TargetUserId = user_id_s, + SrcIpAddr = source_ip_s, + EventOriginalUid = request_id_s, 
+ TlsCipher = cipher_suite_s, + TlsVersion = tls_protocol_s, + HttpUserAgent= browser_type_s, + TargetScopeId = organization_id_s, + TargetUrl = uri_s, + TargetOriginalUserType = user_type_s, + ActorUsername = delegated_user_name_s, + ActorUserId = delegated_user_id_s, + TargetUsername = user_name_s + | extend + TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])), + EventVendor = 'Salesforce', + EventProduct='Salesforce Service Cloud', + EventCount = int(1), + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.3', + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated + | extend + TargetSessionId = coalesce(session_key_s, login_key_s), + SrcIpAddr = coalesce(SrcIpAddr, client_ip_s), + TargetUserScope = "Salesforce Organization", + TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""), + TargetUsernameType = iff(isnotempty(TargetUsername), "UPN", ""), + TargetAppName = "Salesforce Dot Com(SFDC)", + User = coalesce(TargetUsername, TargetUserId), + Src = SrcIpAddr, + IpAddr = SrcIpAddr, + UserAgent = HttpUserAgent, + Dvc = EventProduct, + EventResult = coalesce(EventResult, TempEventResult) + | project-away *_s, *_t, TenantId, SourceSystem }; - parser (starttime, endtime, targetusername_has, disabled) \ No newline at end of file + parser (starttime=datetime(null), endtime=datetime(null), targetusername_has="*", disabled=false) \ No newline at end of file From 6e04ab506544f7f3c7cba20c01aca7301f65fae8 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Mon, 17 Jul 2023 12:53:31 +0000 Subject: [PATCH 14/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../vimAuthenticationSalesforceSC.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
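Review bot: The final invocation `parser (starttime=datetime(null), endtime=datetime(null), targetusername_has="*", disabled=false)` passes literal defaults instead of the function's own parameters, so whatever a caller supplies for starttime, endtime, targetusername_has or disabled is ignored: the filtering parser always returns the unfiltered table and can never be disabled, whereas the removed line forwarded them; the replacement should be `parser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)`. The `TempEventResult` column introduced by `lookup TempEventResultLookup on request_status_s` is not dropped by `project-away *_s, *_t, TenantId, SourceSystem`, so a non-schema column leaks into the normalized output. `TargetUserIdType` is set to `"SaleforceId"`, which reads as a typo for `"SalesforceId"` given the vendor spelling used elsewhere in the query. Moving `TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))` into the same `extend` as `EventStartTime = TimeGenerated` may, depending on whether extend expressions see columns assigned earlier in the same operator, leave EventStartTime/EventEndTime on the ingestion-time value instead of the parsed Salesforce timestamp that the removed separate `extend` guaranteed; keeping the TimeGenerated assignment in its own `extend` removes the ambiguity.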
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json index 2be3bf0b180..f7e5c29cad8 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json 
@@ -35,7 +35,7 @@ "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "vimAuthenticationSalesforceSC", - "query": "let EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n \"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n \"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect password\",\"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_NO_ERROR\",\"\",\"Success\",\n \"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",\"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n 
\"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"\n ];\nlet SalesforceEventType = dynamic(['Login','LoginAs','Logout']);\nlet EventTypeLookup = datatable(event_type_s:string, EventType:string)[\n \"Login\",\"Logon\",\n \"LoginAs\",\"Logon\",\n \"Logout\",\"Logoff\"\n];\nlet parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null), \n targetusername_has:string=\"*\",\n disabled:bool=false\n)\n{\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (user_name_s has targetusername_has ))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))\n | lookup EventResultMapping on login_status_s\n | project-rename\n 
EventProductVersion = api_version_s\n , EventOriginalResultDetails = login_status_s\n , ActorSessionId = coalesce(session_key_s,login_key_s)\n , TargetUserId = user_id_s\n , TargetUsername = user_name_s\n , TargetOriginalUserType = user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n , TargetUrl = uri_s\n | extend\n TargetUserType = iff(isnotempty(TargetOriginalUserType),\"Other\",\"\") \n , TargetUserIdType = iff(isnotempty(TargetUserId),\"SaleforceId\",\"\") \n , TargetUsernameType = iff(isnotempty(TargetUsername),\"UPN\",\"\")\n , User = TargetUsername\n , Dvc = EventProduct\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n | extend\n EventVendor = 'Salesforce'\n , EventProduct='Salesforce Service Cloud'\n , EventCount = int(1) \n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventTypeLookup on event_type_s\n | project-away *_s\n};\nparser (starttime, endtime, targetusername_has, disabled)", + "query": "let EventResultLookup = datatable (\n login_status_s: string,\n EventResultDetails: string,\n EventResult: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Other\", \"Failure\",\n \"LOGIN_CHALLENGE_PENDING\", \"Other\", \"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Logon violates policy\", \"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Other\", 
\"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HT_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Other\", \"Failure\",\n 
\"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"User disabled\", \"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_NO_ERROR\", \"\", \"Success\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\", 
\"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Other\", \"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"No such user\", \"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Other\", 
\"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Other\", \"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_TWOFACTOR_REQ\", \"Logon violates policy\", \"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\nlet EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\nlet DvcOSLookup = datatable(\n platform_type_s: string,\n DvcOS: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\nlet LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", 
\"SelfService\",\n \"j\", \"Third Party SSO\"\n];\nlet TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\nlet UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOSLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetScopeId = 
organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult)\n | project-away *_s, *_t, TenantId, SourceSystem\n};\nparser (starttime=datetime(null), endtime=datetime(null), targetusername_has=\"*\", disabled=false)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" } From b053980a8f3761fc74983bf6efad0c69565cce1e Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Mon, 17 Jul 2023 18:41:08 +0530 Subject: [PATCH 15/38] parser updates --- .../ASimAuthenticationSalesforceSC.yaml | 411 +++++++++++------- .../vimAuthenticationSalesforceSC.yaml | 15 +- 2 files changed, 260 insertions(+), 166 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index 5d121fc64d9..4eae11eabb9 100644 
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml 
@@ -15,171 +15,264 @@ References: Description: | This ASIM parser supports normalizing Salesforce sign in logs, stored in the SalesforceServiceCloud_CL table, to the ASIM Authentication schema. ParserName: ASimAuthenticationSalesforceSC +EquivalentBuiltInParser: _ASim_Authentication_SalesforceSC ParserParams: - Name: disabled Type: bool Default: false ParserQuery: | - let SalesforceSignin=(disabled:bool=false){ - let EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[ - "LOGIN_CHALLENGE_ISSUED","Other","Failure", - "LOGIN_CHALLENGE_PENDING","Other","Failure", - "LOGIN_DATA_DOWNLOAD_ONLY","Other","Failure", - "LOGIN_END_SESSION_TXN_SECURITY_POLICY","Logon violates policy","Failure", - "LOGIN_ERROR_API_TOO_OLD","Other","Failure", - "LOGIN_ERROR_APPEXCHANGE_DOWN","Other","Failure", - "LOGIN_ERROR_ASYNC_USER_CREATE","Other","Failure", - "LOGIN_ERROR_AVANTGO_DISABLED","Other","Failure", - "LOGIN_ERROR_AVANTGO_TRIAL_EXP","Other","Failure", - "LOGIN_ERROR_CLIENT_NO_ACCESS","Other","Failure", - "LOGIN_ERROR_CLIENT_REQ_UPDATE","Other","Failure", - "LOGIN_ERROR_CSS_FROZEN","Other","Failure", - "LOGIN_ERROR_CSS_PW_LOCKOUT","Other","Failure", - "LOGIN_ERROR_DUPLICATE_USERNAME","Other","Failure", - "LOGIN_ERROR_EXPORT_RESTRICTED","Other","Failure", - "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN","Other","Failure", - "LOGIN_ERROR_HT_DOWN","Other","Failure", - "LOGIN_ERROR_HTP_METHD_INVALID","Other","Failure", - "LOGIN_ERROR_INSECURE_LOGIN","Other","Failure", - "LOGIN_ERROR_INVALID_GATEWAY","Other","Failure", - "LOGIN_ERROR_INVALID_ID_FIELD","Other","Failure", - "LOGIN_ERROR_INVALID_PASSWORD","Incorrect password","Failure", - "LOGIN_ERROR_LOGINS_EXCEEDED","Other","Failure", - "LOGIN_ERROR_MUST_USE_API_TOKEN","Other","Failure", - "LOGIN_ERROR_MUTUAL_AUTHENTICATION","Other","Failure", - "LOGIN_ERROR_NETWORK_INACTIVE","Other","Failure", - "LOGIN_ERROR_NO_HT_ACCESS","Other","Failure", - "LOGIN_ERROR_NO_NETWORK_ACCESS","Other","Failure", - 
"LOGIN_ERROR_NO_NETWORK_INFO","Other","Failure", - "LOGIN_ERROR_NO_PORTAL_ACCESS","Other","Failure", - "LOGIN_ERROR_NO_SET_COOKIES","Other","Failure", - "LOGIN_ERROR_OFFLINE_DISABLED","Other","Failure", - "LOGIN_ERROR_OFFLINE_TRIAL_EXP","Other","Failure", - "LOGIN_ERROR_ORG_CLOSED","Other","Failure", - "LOGIN_ERROR_ORG_DOMAIN_ONLY","Other","Failure", - "LOGIN_ERROR_ORG_IN_MAINTENANCE","Other","Failure", - "LOGIN_ERROR_ORG_INACTIVE","Other","Failure", - "LOGIN_ERROR_ORG_IS_DOT_ORG","Other","Failure", - "LOGIN_ERROR_ORG_LOCKOUT","Other","Failure", - "LOGIN_ERROR_ORG_SIGNING_UP","Other","Failure", - "LOGIN_ERROR_ORG_SUSPENDED","Other","Failure", - "LOGIN_ERROR_OUTLOOK_DISABLED","Other","Failure", - "LOGIN_ERROR_PAGE_REQUIRES_LOGIN","Other","Failure", - "LOGIN_ERROR_PASSWORD_EMPTY","Other","Failure", - "LOGIN_ERROR_PASSWORD_LOCKOUT","Other","Failure", - "LOGIN_ERROR_PORTAL_INACTIVE","Other","Failure", - "LOGIN_ERROR_RATE_EXCEEDED","Other","Failure", - "LOGIN_ERROR_RESTRICTED_DOMAIN","Other","Failure", - "LOGIN_ERROR_RESTRICTED_TIME","Other","Failure", - "LOGIN_ERROR_SESSION_TIMEOUT","Other","Failure", - "LOGIN_ERROR_SSO_PWD_INVALID","Other","Failure", - "LOGIN_ERROR_SSO_SVC_DOWN","Other","Failure", - "LOGIN_ERROR_SSO_URL_INVALID","Other","Failure", - "LOGIN_ERROR_STORE","Other","Failure", - "LOGIN_ERROR_STORE_DOWN","Other","Failure", - "LOGIN_ERROR_SWITCH_SFDC_INSTANCE","Other","Failure", - "LOGIN_ERROR_SWITCH_SFDC_LOGIN","Other","Failure", - "LOGIN_ERROR_SYNCOFFLINE_DISBLD","Other","Failure", - "LOGIN_ERROR_SYSTEM_DOWN","Other","Failure", - "LOGIN_ERROR_UNKNOWN_ERROR","Other","Failure", - "LOGIN_ERROR_USER_API_ONLY","Other","Failure", - "LOGIN_ERROR_USER_FROZEN","User locked","Failure", - "LOGIN_ERROR_USER_INACTIVE","User disabled","Failure", - "LOGIN_ERROR_USER_NON_MOBILE","Other","Failure", - "LOGIN_ERROR_USER_STORE_ACCESS","Other","Failure", - "LOGIN_ERROR_USERNAME_EMPTY","Other","Failure", - "LOGIN_ERROR_WIRELESS_DISABLED","Other","Failure", - 
"LOGIN_ERROR_WIRELESS_TRIAL_EXP","Other","Failure", - "LOGIN_LIGHTNING_LOGIN","Other","Failure", - "LOGIN_NO_ERROR","","Success", - "LOGIN_OAUTH_API_DISABLED","Other","Failure", - "LOGIN_OAUTH_CONSUMER_DELETED","Other","Failure", - "LOGIN_OAUTH_DS_NOT_EXPECTED","Other","Failure", - "LOGIN_OAUTH_EXCEED_GET_AT_LMT","Other","Failure", - "LOGIN_OAUTH_INVALID_CODE_CHALLENGE","Other","Failure", - "LOGIN_OAUTH_INVALID_CODE_VERIFIER","Other","Failure", - "LOGIN_OAUTH_INVALID_DEVICE","Other","Failure", - "LOGIN_OAUTH_INVALID_DS","Other","Failure", - "LOGIN_OAUTH_INVALID_DSIG","Other","Failure", - "LOGIN_OAUTH_INVALID_IP","Other","Failure", - "LOGIN_OAUTH_INVALID_NONCE","Other","Failure", - "LOGIN_OAUTH_INVALID_SIG_METHOD","Other","Failure", - "LOGIN_OAUTH_INVALID_TIMESTAMP","Other","Failure", - "LOGIN_OAUTH_INVALID_TOKEN","Other","Failure", - "LOGIN_OAUTH_INVALID_VERIFIER","Other","Failure", - "LOGIN_OAUTH_INVALID_VERSION","Other","Failure", - "LOGIN_OAUTH_MISSING_DS","Other","Failure", - "LOGIN_OAUTH_NO_CALLBACK_URL","Other","Failure", - "LOGIN_OAUTH_NO_CONSUMER","Other","Failure", - "LOGIN_OAUTH_NO_TOKEN","Other","Failure", - "LOGIN_OAUTH_NONCE_REPLAY","Other","Failure", - "LOGIN_OAUTH_PACKAGE_MISSING","Other","Failure", - "LOGIN_OAUTH_PACKAGE_OLD","Other","Failure", - "LOGIN_OAUTH_UNEXPECTED_PARAM","Other","Failure", - "LOGIN_ORG_TRIAL_EXP","Other","Failure", - "LOGIN_READONLY_CANNOT_VALIDATE","Other","Failure", - "LOGIN_SAML_INVALID_AUDIENCE","Other","Failure", - "LOGIN_SAML_INVALID_CONFIG","Other","Failure", - "LOGIN_SAML_INVALID_FORMAT","Other","Failure", - "LOGIN_SAML_INVALID_IN_RES_TO","Other","Failure", - "LOGIN_SAML_INVALID_ISSUER","Other","Failure", - "LOGIN_SAML_INVALID_ORG_ID","Other","Failure", - "LOGIN_SAML_INVALID_PORTAL_ID","Other","Failure", - "LOGIN_SAML_INVALID_RECIPIENT","Other","Failure", - "LOGIN_SAML_INVALID_SESSION_LEVEL","Other","Failure", - "LOGIN_SAML_INVALID_SIGNATURE","Other","Failure", - "LOGIN_SAML_INVALID_SITE_URL","Other","Failure", - 
"LOGIN_SAML_INVALID_STATUS","Other","Failure", - "LOGIN_SAML_INVALID_SUB_CONFIRM","Other","Failure", - "LOGIN_SAML_INVALID_TIMESTAMP","Other","Failure", - "LOGIN_SAML_INVALID_USERNAME","Other","Failure", - "LOGIN_SAML_INVALID_VERSION","Other","Failure", - "LOGIN_SAML_MISMATCH_CERT","Other","Failure", - "LOGIN_SAML_MISSING_ORG_ID","Other","Failure", - "LOGIN_SAML_MISSING_PORTAL_ID","Other","Failure", - "LOGIN_SAML_PROVISION_ERROR","Other","Failure", - "LOGIN_SAML_REPLAY_ATTEMPTED","Other","Failure", - "LOGIN_SAML_SITE_INACTIVE","Other","Failure", - "LOGIN_TWOFACTOR_REQ","Other","Failure" + let parser=(disabled:bool=false){ + let EventResultLookup = datatable ( + login_status_s: string, + EventResultDetails: string, + EventResult: string + )[ + "LOGIN_CHALLENGE_ISSUED", "Other", "Failure", + "LOGIN_CHALLENGE_PENDING", "Other", "Failure", + "LOGIN_DATA_DOWNLOAD_ONLY", "Other", "Failure", + "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Logon violates policy", "Failure", + "LOGIN_ERROR_API_TOO_OLD", "Other", "Failure", + "LOGIN_ERROR_APPEXCHANGE_DOWN", "Other", "Failure", + "LOGIN_ERROR_ASYNC_USER_CREATE", "Other", "Failure", + "LOGIN_ERROR_AVANTGO_DISABLED", "Other", "Failure", + "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Other", "Failure", + "LOGIN_ERROR_CLIENT_NO_ACCESS", "Other", "Failure", + "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Other", "Failure", + "LOGIN_ERROR_CSS_FROZEN", "Other", "Failure", + "LOGIN_ERROR_CSS_PW_LOCKOUT", "User locked", "Failure", + "LOGIN_ERROR_DUPLICATE_USERNAME", "Other", "Failure", + "LOGIN_ERROR_EXPORT_RESTRICTED", "Other", "Failure", + "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Other", "Failure", + "LOGIN_ERROR_HT_DOWN", "Other", "Failure", + "LOGIN_ERROR_HTP_METHD_INVALID", "Other", "Failure", + "LOGIN_ERROR_INSECURE_LOGIN", "Other", "Failure", + "LOGIN_ERROR_INVALID_GATEWAY", "Other", "Failure", + "LOGIN_ERROR_INVALID_ID_FIELD", "Other", "Failure", + "LOGIN_ERROR_INVALID_PASSWORD", "Incorrect password", "Failure", + "LOGIN_ERROR_LOGINS_EXCEEDED", "Other", 
"Failure", + "LOGIN_ERROR_MUST_USE_API_TOKEN", "Other", "Failure", + "LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Other", "Failure", + "LOGIN_ERROR_NETWORK_INACTIVE", "Other", "Failure", + "LOGIN_ERROR_NO_HT_ACCESS", "Other", "Failure", + "LOGIN_ERROR_NO_NETWORK_ACCESS", "Other", "Failure", + "LOGIN_ERROR_NO_NETWORK_INFO", "Other", "Failure", + "LOGIN_ERROR_NO_PORTAL_ACCESS", "Other", "Failure", + "LOGIN_ERROR_NO_SET_COOKIES", "Other", "Failure", + "LOGIN_ERROR_OFFLINE_DISABLED", "Other", "Failure", + "LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Other", "Failure", + "LOGIN_ERROR_ORG_CLOSED", "Other", "Failure", + "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Other", "Failure", + "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Other", "Failure", + "LOGIN_ERROR_ORG_INACTIVE", "Other", "Failure", + "LOGIN_ERROR_ORG_IS_DOT_ORG", "Other", "Failure", + "LOGIN_ERROR_ORG_LOCKOUT", "Other", "Failure", + "LOGIN_ERROR_ORG_SIGNING_UP", "Other", "Failure", + "LOGIN_ERROR_ORG_SUSPENDED", "Other", "Failure", + "LOGIN_ERROR_OUTLOOK_DISABLED", "Other", "Failure", + "LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Session expired", "Failure", + "LOGIN_ERROR_PASSWORD_EMPTY", "Other", "Failure", + "LOGIN_ERROR_PASSWORD_LOCKOUT", "User locked", "Failure", + "LOGIN_ERROR_PORTAL_INACTIVE", "Other", "Failure", + "LOGIN_ERROR_RATE_EXCEEDED", "Other", "Failure", + "LOGIN_ERROR_RESTRICTED_DOMAIN", "Other", "Failure", + "LOGIN_ERROR_RESTRICTED_TIME", "Other", "Failure", + "LOGIN_ERROR_SESSION_TIMEOUT", "Session expired", "Failure", + "LOGIN_ERROR_SSO_PWD_INVALID", "Incorrect password", "Failure", + "LOGIN_ERROR_SSO_SVC_DOWN", "Other", "Failure", + "LOGIN_ERROR_SSO_URL_INVALID", "Other", "Failure", + "LOGIN_ERROR_STORE", "Other", "Failure", + "LOGIN_ERROR_STORE_DOWN", "Other", "Failure", + "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Other", "Failure", + "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Other", "Failure", + "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Other", "Failure", + "LOGIN_ERROR_SYSTEM_DOWN", "Other", "Failure", + "LOGIN_ERROR_UNKNOWN_ERROR", "Other", 
"Failure", + "LOGIN_ERROR_USER_API_ONLY", "Other", "Failure", + "LOGIN_ERROR_USER_FROZEN", "User locked", "Failure", + "LOGIN_ERROR_USER_INACTIVE", "User disabled", "Failure", + "LOGIN_ERROR_USER_NON_MOBILE", "Other", "Failure", + "LOGIN_ERROR_USER_STORE_ACCESS", "Other", "Failure", + "LOGIN_ERROR_USERNAME_EMPTY", "Other", "Failure", + "LOGIN_ERROR_WIRELESS_DISABLED", "Other", "Failure", + "LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Other", "Failure", + "LOGIN_LIGHTNING_LOGIN", "Other", "Failure", + "LOGIN_NO_ERROR", "", "Success", + "LOGIN_OAUTH_API_DISABLED", "Other", "Failure", + "LOGIN_OAUTH_CONSUMER_DELETED", "Other", "Failure", + "LOGIN_OAUTH_DS_NOT_EXPECTED", "Other", "Failure", + "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Other", "Failure", + "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Other", "Failure", + "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Other", "Failure", + "LOGIN_OAUTH_INVALID_DEVICE", "Other", "Failure", + "LOGIN_OAUTH_INVALID_DS", "Other", "Failure", + "LOGIN_OAUTH_INVALID_DSIG", "Other", "Failure", + "LOGIN_OAUTH_INVALID_IP", "Other", "Failure", + "LOGIN_OAUTH_INVALID_NONCE", "Other", "Failure", + "LOGIN_OAUTH_INVALID_SIG_METHOD", "Other", "Failure", + "LOGIN_OAUTH_INVALID_TIMESTAMP", "Other", "Failure", + "LOGIN_OAUTH_INVALID_TOKEN", "Other", "Failure", + "LOGIN_OAUTH_INVALID_VERIFIER", "Other", "Failure", + "LOGIN_OAUTH_INVALID_VERSION", "Other", "Failure", + "LOGIN_OAUTH_MISSING_DS", "Other", "Failure", + "LOGIN_OAUTH_NO_CALLBACK_URL", "Other", "Failure", + "LOGIN_OAUTH_NO_CONSUMER", "Other", "Failure", + "LOGIN_OAUTH_NO_TOKEN", "Other", "Failure", + "LOGIN_OAUTH_NONCE_REPLAY", "Other", "Failure", + "LOGIN_OAUTH_PACKAGE_MISSING", "Other", "Failure", + "LOGIN_OAUTH_PACKAGE_OLD", "Other", "Failure", + "LOGIN_OAUTH_UNEXPECTED_PARAM", "Other", "Failure", + "LOGIN_ORG_TRIAL_EXP", "Other", "Failure", + "LOGIN_READONLY_CANNOT_VALIDATE", "Other", "Failure", + "LOGIN_SAML_INVALID_AUDIENCE", "Other", "Failure", + "LOGIN_SAML_INVALID_CONFIG", "Other", "Failure", + 
"LOGIN_SAML_INVALID_FORMAT", "Other", "Failure", + "LOGIN_SAML_INVALID_IN_RES_TO", "Other", "Failure", + "LOGIN_SAML_INVALID_ISSUER", "Other", "Failure", + "LOGIN_SAML_INVALID_ORG_ID", "Other", "Failure", + "LOGIN_SAML_INVALID_PORTAL_ID", "Other", "Failure", + "LOGIN_SAML_INVALID_RECIPIENT", "Other", "Failure", + "LOGIN_SAML_INVALID_SESSION_LEVEL", "Other", "Failure", + "LOGIN_SAML_INVALID_SIGNATURE", "Other", "Failure", + "LOGIN_SAML_INVALID_SITE_URL", "Other", "Failure", + "LOGIN_SAML_INVALID_STATUS", "Other", "Failure", + "LOGIN_SAML_INVALID_SUB_CONFIRM", "Other", "Failure", + "LOGIN_SAML_INVALID_TIMESTAMP", "Other", "Failure", + "LOGIN_SAML_INVALID_USERNAME", "No such user", "Failure", + "LOGIN_SAML_INVALID_VERSION", "Other", "Failure", + "LOGIN_SAML_MISMATCH_CERT", "Other", "Failure", + "LOGIN_SAML_MISSING_ORG_ID", "Other", "Failure", + "LOGIN_SAML_MISSING_PORTAL_ID", "Other", "Failure", + "LOGIN_SAML_PROVISION_ERROR", "Other", "Failure", + "LOGIN_SAML_REPLAY_ATTEMPTED", "Other", "Failure", + "LOGIN_SAML_SITE_INACTIVE", "Other", "Failure", + "LOGIN_TWOFACTOR_REQ", "Logon violates policy", "Failure" + ]; + let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']); + let EventTypeLookup = datatable(event_type_s: string, EventType: string)[ + "Login", "Logon", + "LoginAs", "Logon", + "Logout", "Logoff" + ]; + let DvcOSLookup = datatable( + platform_type_s: string, + DvcOS: string, + DvcOsVersion: string + )[ + "1000", "Windows", "", + "1008", "Windows", "2003", + "1013", "Windows", "8.1", + "1015", "Windows", "10", + "2003", "Macintosh/Apple", "OSX", + "4000", "Linux", "", + "5005", "Android", "", + "5006", "iPhone", "", + "5007", "iPad", "", + "5200", "Android", "10.0" + ]; + let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ + "7", "AppExchange", + "A", "Application", + "s", "Certificate-based login", + "k", "Chatter Communities External User", + "n", "Chatter Communities External User Third Party SSO", + "r", "Employee Login 
to Community", + "z", "Lightning Login", + "l", "Networks Portal API Only", + "6", "Remote Access Client", + "i", "Remote Access 2.0", + "I", "Other Apex API", + "R", "Partner Product", + "w", "Passwordless Login", + "3", "Customer Service Portal", + "q", "Partner Portal Third-Party SSO", + "9", "Partner Portal", + "5", "SAML Idp Initiated SSO", + "m", "SAML Chatter Communities External User SSO", + "b", "SAML Customer Service Portal SSO", + "c", "SAML Partner Portal SSO", + "h", "SAML Site SSO", + "8", "SAML Sfdc Initiated SSO", + "E", "SelfService", + "j", "Third Party SSO" + ]; + let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ + "S", "Success", + "F", "Failure", + "A", "Failure", + "R", "Success", + "N", "Failure", + "U", "NA" + ]; + let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[ + "CsnOnly", "Other", + "CspLitePortal", "Other", + "CustomerSuccess", "Other", + "Guest", "Anonymous", + "PowerCustomerSuccess", "Other", + "PowerPartner", "Other", + "SelfService", "Other", + "Standard", "Regular", + "A", "Application", + "b", "Other", + "C", "Other", + "D", "Other", + "F", "Other", + "G", "Anonymous", + "L", "Other", + "N", "Service", + "n", "Other", + "O", "Other", + "o", "Other", + "P", "Other", + "p", "Other", + "S", "Regular", + "X", "Admin" ]; - let SalesforceEventType = dynamic(['Login','Logout']); SalesforceServiceCloud_CL - | where not(disabled) - | extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0])) - | where event_type_s in (SalesforceEventType) - | lookup EventResultMapping on login_status_s - | extend - EventProduct='Salesforce Service Cloud' - , EventSchema = 'Authentication' - , EventVendor = 'Salesforce' - , EventCount = int(1) - , EventSchemaVersion = '0.1.0' - , EventStartTime = TimeGenerated - , EventEndTime = TimeGenerated - , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff') - | project-rename - EventProductVersion = api_version_s - , 
EventOriginalResultDetails = login_status_s - , TargetSessionId =login_key_s - , TargetUserId = user_id_s - , TargetUsername = user_name_s - , TargetOriginalUserType = user_type_s - , EventOriginalUid = request_id_s - , SrcIpAddr = source_ip_s - , TargetIpAddr = client_ip_s - , TargetUserScope = organization_id_s - , TlsCipher = cipher_suite_s - , TlsVersion = tls_protocol_s - , HttpUserAgent= browser_type_s - | extend - TargetUserType = iff(isnotempty(TargetOriginalUserType),"Other","") - , TargetUserIdType = iff(isnotempty(TargetUserId),"SaleforceId","") - , TargetUsernameType = iff(isnotempty(TargetUsername),"UPN","") - , User = TargetUsername - , Dvc = EventProduct - , Src = SrcIpAddr - , IpAddr = SrcIpAddr - , Dst= TargetIpAddr - | project-away *_s + | where not(disabled) + | lookup EventResultLookup on login_status_s + | lookup EventTypeLookup on event_type_s + //| lookup LogonMethodLookup on login_type_s + | lookup TempEventResultLookup on request_status_s + | lookup DvcOSLookup on platform_type_s + | lookup UserTypeLookup on user_type_s + | project-rename + EventProductVersion = api_version_s, + EventOriginalResultDetails = login_status_s, + TargetUserId = user_id_s, + SrcIpAddr = source_ip_s, + EventOriginalUid = request_id_s, + TlsCipher = cipher_suite_s, + TlsVersion = tls_protocol_s, + HttpUserAgent= browser_type_s, + TargetScopeId = organization_id_s, + TargetUrl = uri_s, + TargetOriginalUserType = user_type_s, + ActorUsername = delegated_user_name_s, + ActorUserId = delegated_user_id_s, + TargetUsername = user_name_s + | extend + TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])), + EventVendor = 'Salesforce', + EventProduct='Salesforce Service Cloud', + EventCount = int(1), + EventSchema = 'Authentication', + EventSchemaVersion = '0.1.3', + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated + | extend + TargetSessionId = coalesce(session_key_s, login_key_s), + SrcIpAddr = coalesce(SrcIpAddr, client_ip_s), + 
TargetUserScope = "Salesforce Organization", + TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""), + TargetUsernameType = iff(isnotempty(TargetUsername), "UPN", ""), + TargetAppName = "Salesforce Dot Com(SFDC)", + User = coalesce(TargetUsername, TargetUserId), + Src = SrcIpAddr, + IpAddr = SrcIpAddr, + UserAgent = HttpUserAgent, + Dvc = EventProduct, + EventResult = coalesce(EventResult, TempEventResult) + | project-away *_s, *_t, TenantId, SourceSystem }; SalesforceSignin(disabled) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml index 9643f402bd4..fd15e2f7b90 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml @@ -17,6 +17,7 @@ References: Description: | This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema. ParserName: vimAuthenticationSalesforceSC +EquivalentBuiltInParser: _Im_Authentication_SalesforceSC ParserParams: - Name: starttime Type: datetime @@ -31,6 +32,12 @@ ParserParams: Type: bool Default: false ParserQuery: | + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + targetusername_has: string="*", + disabled: bool=false + ) { let EventResultLookup = datatable ( login_status_s: string, EventResultDetails: string, @@ -237,12 +244,6 @@ ParserQuery: | "S", "Regular", "X", "Admin" ]; - let parser = ( - starttime: datetime=datetime(null), - endtime: datetime=datetime(null), - targetusername_has: string="*", - disabled: bool=false - ) { SalesforceServiceCloud_CL | where not(disabled) // -- Pre filtering 
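Review bot: The function is renamed from `SalesforceSignin` to `parser` on the new side, but the trailing invocation `SalesforceSignin(disabled)` at the end of the hunk appears as an unchanged context line, so the ParserQuery now calls a name it no longer defines and should fail to resolve. The vimAuthenticationSalesforceSC.yaml hunk at `@@ -297,4 +298,4 @@` updates its own trailing call; this file needs the matching change, `parser(disabled=disabled)`, and since ASimAuthentication.yaml unions this parser in (earlier patch in the series), a failing branch presumably breaks the whole unifying Authentication parser rather than only the Salesforce source, which is a detection-coverage regression until fixed. The old `| where event_type_s in (SalesforceEventType)` filter is removed without replacement and `SalesforceEventType` is declared but never used on the new side, so rows of any event_type_s reach the lookups and are emitted with an empty EventType unless SalesforceServiceCloud_CL only ever holds login/logout records; the vim parser's pre-filter `and event_type_s in~ (SalesforceEventType)` is the check to mirror after `| where not(disabled)`. Separately, `TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", "")` carries the misspelling `SaleforceId` over from the old code; ASIM value lists are matched as exact strings, so `"SalesforceId"` is probably intended and is worth confirming against the schema's allowed UserIdType values.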
@@ -297,4 +298,4 @@ ParserQuery: | EventResult = coalesce(EventResult, TempEventResult) | project-away *_s, *_t, TenantId, SourceSystem }; - parser (starttime=datetime(null), endtime=datetime(null), targetusername_has="*", disabled=false) \ No newline at end of file + parser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled) \ No newline at end of file From 1da5559e2cf6c9c97c5d6a279f01f4f371fe6413 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Mon, 17 Jul 2023 13:14:10 +0000 Subject: [PATCH 16/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthenticationSalesforceSC.json | 2 +- .../vimAuthenticationSalesforceSC.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json index 7204d9facb0..638a273125f 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let SalesforceSignin=(disabled:bool=false){\nlet EventResultMapping = datatable (login_status_s:string,EventResultDetails:string,EventResult:string)[\n \"LOGIN_CHALLENGE_ISSUED\",\"Other\",\"Failure\",\n \"LOGIN_CHALLENGE_PENDING\",\"Other\",\"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\",\"Logon violates policy\",\"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HT_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\",\"Incorrect password\",\"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\",\"Other\",\"Failure\",\n 
\"LOGIN_ERROR_NO_NETWORK_INFO\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\",\"User locked\",\"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\",\"User disabled\",\"Failure\",\n 
\"LOGIN_ERROR_USER_NON_MOBILE\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\",\"Other\",\"Failure\",\n \"LOGIN_NO_ERROR\",\"\",\"Success\",\n \"LOGIN_OAUTH_API_DISABLED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\",\"Other\",\"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\",\"Other\",\"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\",\"Other\",\"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\",\"Other\",\"Failure\",\n 
\"LOGIN_SAML_INVALID_FORMAT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\",\"Other\",\"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\",\"Other\",\"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\",\"Other\",\"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\",\"Other\",\"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\",\"Other\",\"Failure\",\n \"LOGIN_TWOFACTOR_REQ\",\"Other\",\"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login','Logout']);\nSalesforceServiceCloud_CL \n| where not(disabled)\n| extend TimeGenerated = todatetime(tostring(split(timestamp_s,'.',0)[0]))\n| where event_type_s in (SalesforceEventType)\n| lookup EventResultMapping on login_status_s\n| extend \n EventProduct='Salesforce Service Cloud' \n , EventSchema = 'Authentication'\n , EventVendor = 'Salesforce'\n , EventCount = int(1)\n , EventSchemaVersion = '0.1.0'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = iff(event_type_s == 'Login', 'Logon', 'Logoff')\n| project-rename\n EventProductVersion = api_version_s\n , EventOriginalResultDetails = login_status_s\n , TargetSessionId =login_key_s\n , TargetUserId = user_id_s\n , TargetUsername = user_name_s\n , TargetOriginalUserType = 
user_type_s\n , EventOriginalUid = request_id_s\n , SrcIpAddr = source_ip_s\n , TargetIpAddr = client_ip_s\n , TargetUserScope = organization_id_s\n , TlsCipher = cipher_suite_s\n , TlsVersion = tls_protocol_s\n , HttpUserAgent= browser_type_s\n| extend\n TargetUserType = iff(isnotempty(TargetOriginalUserType),\"Other\",\"\") \n , TargetUserIdType = iff(isnotempty(TargetUserId),\"SaleforceId\",\"\") \n , TargetUsernameType = iff(isnotempty(TargetUsername),\"UPN\",\"\")\n , User = TargetUsername\n , Dvc = EventProduct\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , Dst= TargetIpAddr\n| project-away *_s\n};\nSalesforceSignin(disabled)", + "query": "let parser=(disabled:bool=false){\n let EventResultLookup = datatable (\n login_status_s: string,\n EventResultDetails: string,\n EventResult: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Other\", \"Failure\",\n \"LOGIN_CHALLENGE_PENDING\", \"Other\", \"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Logon violates policy\", \"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HT_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Other\", 
\"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", 
\"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"User disabled\", \"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_NO_ERROR\", \"\", \"Success\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Other\", 
\"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Other\", \"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"No such user\", \"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Other\", \"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_TWOFACTOR_REQ\", \"Logon violates policy\", \"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\nlet EventTypeLookup = 
datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\nlet DvcOSLookup = datatable(\n platform_type_s: string,\n DvcOS: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\nlet LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\nlet TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\nlet UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n 
\"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\nSalesforceServiceCloud_CL \n | where not(disabled)\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOSLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = 
HttpUserAgent,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult)\n | project-away *_s, *_t, TenantId, SourceSystem\n};\nSalesforceSignin(disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json index f7e5c29cad8..149c74d89e4 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json 
@@ -35,7 +35,7 @@ "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "vimAuthenticationSalesforceSC", - "query": "let EventResultLookup = datatable (\n login_status_s: string,\n EventResultDetails: string,\n EventResult: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Other\", \"Failure\",\n \"LOGIN_CHALLENGE_PENDING\", \"Other\", \"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Logon violates policy\", \"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HT_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Other\", 
\"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Other\", \"Failure\",\n 
\"LOGIN_ERROR_USER_FROZEN\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"User disabled\", \"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_NO_ERROR\", \"\", \"Success\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Other\", \"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Other\", \"Failure\",\n 
\"LOGIN_READONLY_CANNOT_VALIDATE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"No such user\", \"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Other\", \"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_TWOFACTOR_REQ\", \"Logon violates policy\", \"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\nlet EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\nlet DvcOSLookup = datatable(\n platform_type_s: string,\n DvcOS: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", 
\"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\nlet LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\nlet TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\nlet UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: 
datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOSLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n Dvc = 
EventProduct,\n EventResult = coalesce(EventResult, TempEventResult)\n | project-away *_s, *_t, TenantId, SourceSystem\n};\nparser (starttime=datetime(null), endtime=datetime(null), targetusername_has=\"*\", disabled=false)", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\nlet EventResultLookup = datatable (\n login_status_s: string,\n EventResultDetails: string,\n EventResult: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Other\", \"Failure\",\n \"LOGIN_CHALLENGE_PENDING\", \"Other\", \"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Logon violates policy\", \"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HT_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Other\", \"Failure\",\n 
\"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Other\", \"Failure\",\n 
\"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"User disabled\", \"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_NO_ERROR\", \"\", \"Success\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Other\", \"Failure\",\n 
\"LOGIN_OAUTH_PACKAGE_MISSING\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Other\", \"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"No such user\", \"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Other\", \"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_TWOFACTOR_REQ\", \"Logon violates policy\", \"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\nlet EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\nlet DvcOSLookup = datatable(\n platform_type_s: string,\n DvcOS: string,\n DvcOsVersion: string\n)[\n \"1000\", 
\"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\nlet LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\nlet TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\nlet UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", 
\"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOSLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n User = coalesce(TargetUsername, TargetUserId),\n Src = 
SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult)\n | project-away *_s, *_t, TenantId, SourceSystem\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" } From 20db09a0b70915bc68002acbeaacf3398934ed83 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Mon, 17 Jul 2023 20:42:43 +0530 Subject: [PATCH 17/38] parser updates --- .../ASimAuthenticationSalesforceSC.yaml | 299 ++++++++++-------- .../vimAuthenticationSalesforceSC.yaml | 286 +++++++++-------- .../Salesforce_Authentication_DataTest.csv | 22 ++ .../Salesforce_Authentication_SchemaTest.csv | 88 ++++++ 4 files changed, 422 insertions(+), 273 deletions(-) create mode 100644 Parsers/ASimAuthentication/Tests/Salesforce_Authentication_DataTest.csv create mode 100644 Parsers/ASimAuthentication/Tests/Salesforce_Authentication_SchemaTest.csv diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index 4eae11eabb9..3cf2ab8e894 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml 
@@ -24,138 +24,137 @@ ParserQuery: | let parser=(disabled:bool=false){ let EventResultLookup = datatable ( login_status_s: string, + DvcAction: string, EventResultDetails: string, - EventResult: string + EventResult: string, + EventSeverity: string )[ - "LOGIN_CHALLENGE_ISSUED", "Other", "Failure", - "LOGIN_CHALLENGE_PENDING", "Other", "Failure", - "LOGIN_DATA_DOWNLOAD_ONLY", "Other", "Failure", - "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Logon violates policy", "Failure", - "LOGIN_ERROR_API_TOO_OLD", "Other", "Failure", - "LOGIN_ERROR_APPEXCHANGE_DOWN", "Other", "Failure", - "LOGIN_ERROR_ASYNC_USER_CREATE", "Other", "Failure", - "LOGIN_ERROR_AVANTGO_DISABLED", "Other", "Failure", - "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Other", "Failure", - "LOGIN_ERROR_CLIENT_NO_ACCESS", "Other", "Failure", - "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Other", "Failure", - "LOGIN_ERROR_CSS_FROZEN", "Other", "Failure", - "LOGIN_ERROR_CSS_PW_LOCKOUT", "User locked", "Failure", - "LOGIN_ERROR_DUPLICATE_USERNAME", "Other", "Failure", - "LOGIN_ERROR_EXPORT_RESTRICTED", "Other", "Failure", - "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Other", "Failure", - "LOGIN_ERROR_HT_DOWN", "Other", "Failure", - "LOGIN_ERROR_HTP_METHD_INVALID", "Other", "Failure", - "LOGIN_ERROR_INSECURE_LOGIN", "Other", "Failure", - "LOGIN_ERROR_INVALID_GATEWAY", "Other", "Failure", - "LOGIN_ERROR_INVALID_ID_FIELD", "Other", "Failure", - "LOGIN_ERROR_INVALID_PASSWORD", "Incorrect password", "Failure", - "LOGIN_ERROR_LOGINS_EXCEEDED", "Other", "Failure", - "LOGIN_ERROR_MUST_USE_API_TOKEN", "Other", "Failure", - "LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Other", "Failure", - "LOGIN_ERROR_NETWORK_INACTIVE", "Other", "Failure", - "LOGIN_ERROR_NO_HT_ACCESS", "Other", "Failure", - "LOGIN_ERROR_NO_NETWORK_ACCESS", "Other", "Failure", - "LOGIN_ERROR_NO_NETWORK_INFO", "Other", "Failure", - "LOGIN_ERROR_NO_PORTAL_ACCESS", "Other", "Failure", - "LOGIN_ERROR_NO_SET_COOKIES", "Other", "Failure", - "LOGIN_ERROR_OFFLINE_DISABLED", "Other", "Failure", - 
"LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Other", "Failure", - "LOGIN_ERROR_ORG_CLOSED", "Other", "Failure", - "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Other", "Failure", - "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Other", "Failure", - "LOGIN_ERROR_ORG_INACTIVE", "Other", "Failure", - "LOGIN_ERROR_ORG_IS_DOT_ORG", "Other", "Failure", - "LOGIN_ERROR_ORG_LOCKOUT", "Other", "Failure", - "LOGIN_ERROR_ORG_SIGNING_UP", "Other", "Failure", - "LOGIN_ERROR_ORG_SUSPENDED", "Other", "Failure", - "LOGIN_ERROR_OUTLOOK_DISABLED", "Other", "Failure", - "LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Session expired", "Failure", - "LOGIN_ERROR_PASSWORD_EMPTY", "Other", "Failure", - "LOGIN_ERROR_PASSWORD_LOCKOUT", "User locked", "Failure", - "LOGIN_ERROR_PORTAL_INACTIVE", "Other", "Failure", - "LOGIN_ERROR_RATE_EXCEEDED", "Other", "Failure", - "LOGIN_ERROR_RESTRICTED_DOMAIN", "Other", "Failure", - "LOGIN_ERROR_RESTRICTED_TIME", "Other", "Failure", - "LOGIN_ERROR_SESSION_TIMEOUT", "Session expired", "Failure", - "LOGIN_ERROR_SSO_PWD_INVALID", "Incorrect password", "Failure", - "LOGIN_ERROR_SSO_SVC_DOWN", "Other", "Failure", - "LOGIN_ERROR_SSO_URL_INVALID", "Other", "Failure", - "LOGIN_ERROR_STORE", "Other", "Failure", - "LOGIN_ERROR_STORE_DOWN", "Other", "Failure", - "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Other", "Failure", - "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Other", "Failure", - "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Other", "Failure", - "LOGIN_ERROR_SYSTEM_DOWN", "Other", "Failure", - "LOGIN_ERROR_UNKNOWN_ERROR", "Other", "Failure", - "LOGIN_ERROR_USER_API_ONLY", "Other", "Failure", - "LOGIN_ERROR_USER_FROZEN", "User locked", "Failure", - "LOGIN_ERROR_USER_INACTIVE", "User disabled", "Failure", - "LOGIN_ERROR_USER_NON_MOBILE", "Other", "Failure", - "LOGIN_ERROR_USER_STORE_ACCESS", "Other", "Failure", - "LOGIN_ERROR_USERNAME_EMPTY", "Other", "Failure", - "LOGIN_ERROR_WIRELESS_DISABLED", "Other", "Failure", - "LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Other", "Failure", - "LOGIN_LIGHTNING_LOGIN", "Other", "Failure", - 
"LOGIN_NO_ERROR", "", "Success", - "LOGIN_OAUTH_API_DISABLED", "Other", "Failure", - "LOGIN_OAUTH_CONSUMER_DELETED", "Other", "Failure", - "LOGIN_OAUTH_DS_NOT_EXPECTED", "Other", "Failure", - "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Other", "Failure", - "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Other", "Failure", - "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Other", "Failure", - "LOGIN_OAUTH_INVALID_DEVICE", "Other", "Failure", - "LOGIN_OAUTH_INVALID_DS", "Other", "Failure", - "LOGIN_OAUTH_INVALID_DSIG", "Other", "Failure", - "LOGIN_OAUTH_INVALID_IP", "Other", "Failure", - "LOGIN_OAUTH_INVALID_NONCE", "Other", "Failure", - "LOGIN_OAUTH_INVALID_SIG_METHOD", "Other", "Failure", - "LOGIN_OAUTH_INVALID_TIMESTAMP", "Other", "Failure", - "LOGIN_OAUTH_INVALID_TOKEN", "Other", "Failure", - "LOGIN_OAUTH_INVALID_VERIFIER", "Other", "Failure", - "LOGIN_OAUTH_INVALID_VERSION", "Other", "Failure", - "LOGIN_OAUTH_MISSING_DS", "Other", "Failure", - "LOGIN_OAUTH_NO_CALLBACK_URL", "Other", "Failure", - "LOGIN_OAUTH_NO_CONSUMER", "Other", "Failure", - "LOGIN_OAUTH_NO_TOKEN", "Other", "Failure", - "LOGIN_OAUTH_NONCE_REPLAY", "Other", "Failure", - "LOGIN_OAUTH_PACKAGE_MISSING", "Other", "Failure", - "LOGIN_OAUTH_PACKAGE_OLD", "Other", "Failure", - "LOGIN_OAUTH_UNEXPECTED_PARAM", "Other", "Failure", - "LOGIN_ORG_TRIAL_EXP", "Other", "Failure", - "LOGIN_READONLY_CANNOT_VALIDATE", "Other", "Failure", - "LOGIN_SAML_INVALID_AUDIENCE", "Other", "Failure", - "LOGIN_SAML_INVALID_CONFIG", "Other", "Failure", - "LOGIN_SAML_INVALID_FORMAT", "Other", "Failure", - "LOGIN_SAML_INVALID_IN_RES_TO", "Other", "Failure", - "LOGIN_SAML_INVALID_ISSUER", "Other", "Failure", - "LOGIN_SAML_INVALID_ORG_ID", "Other", "Failure", - "LOGIN_SAML_INVALID_PORTAL_ID", "Other", "Failure", - "LOGIN_SAML_INVALID_RECIPIENT", "Other", "Failure", - "LOGIN_SAML_INVALID_SESSION_LEVEL", "Other", "Failure", - "LOGIN_SAML_INVALID_SIGNATURE", "Other", "Failure", - "LOGIN_SAML_INVALID_SITE_URL", "Other", "Failure", - "LOGIN_SAML_INVALID_STATUS", 
"Other", "Failure", - "LOGIN_SAML_INVALID_SUB_CONFIRM", "Other", "Failure", - "LOGIN_SAML_INVALID_TIMESTAMP", "Other", "Failure", - "LOGIN_SAML_INVALID_USERNAME", "No such user", "Failure", - "LOGIN_SAML_INVALID_VERSION", "Other", "Failure", - "LOGIN_SAML_MISMATCH_CERT", "Other", "Failure", - "LOGIN_SAML_MISSING_ORG_ID", "Other", "Failure", - "LOGIN_SAML_MISSING_PORTAL_ID", "Other", "Failure", - "LOGIN_SAML_PROVISION_ERROR", "Other", "Failure", - "LOGIN_SAML_REPLAY_ATTEMPTED", "Other", "Failure", - "LOGIN_SAML_SITE_INACTIVE", "Other", "Failure", - "LOGIN_TWOFACTOR_REQ", "Logon violates policy", "Failure" + "LOGIN_CHALLENGE_ISSUED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_CHALLENGE_PENDING", "Blocked", "Other", "Failure", "Informational", + "LOGIN_DATA_DOWNLOAD_ONLY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Blocked", "Logon violates policy", "Failure", "Informational", + "LOGIN_ERROR_API_TOO_OLD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ASYNC_USER_CREATE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_AVANTGO_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CLIENT_NO_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CSS_FROZEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CSS_PW_LOCKOUT", "Blocked", "User locked", "Failure", "Informational", + "LOGIN_ERROR_DUPLICATE_USERNAME", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_EXPORT_RESTRICTED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_HT_DOWN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_HTP_METHD_INVALID", "Blocked", "Other", "Failure", 
"Informational", + "LOGIN_ERROR_INSECURE_LOGIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_INVALID_GATEWAY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_INVALID_ID_FIELD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_INVALID_PASSWORD", "Blocked", "Incorrect password", "Failure", "Informational", + "LOGIN_ERROR_LOGINS_EXCEEDED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_MUST_USE_API_TOKEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NETWORK_INACTIVE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_HT_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_NETWORK_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_NETWORK_INFO", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_SET_COOKIES", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_OFFLINE_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_CLOSED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_INACTIVE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_IS_DOT_ORG", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_LOCKOUT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_SIGNING_UP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_SUSPENDED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_OUTLOOK_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Blocked", "Session expired", "Failure", "Informational", + 
"LOGIN_ERROR_PASSWORD_EMPTY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_PASSWORD_LOCKOUT", "Blocked", "User locked", "Failure", "Informational", + "LOGIN_ERROR_PORTAL_INACTIVE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_RATE_EXCEEDED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_RESTRICTED_DOMAIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_RESTRICTED_TIME", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SESSION_TIMEOUT", "Blocked", "Session expired", "Failure", "Informational", + "LOGIN_ERROR_SSO_PWD_INVALID", "Blocked", "Incorrect password", "Failure", "Informational", + "LOGIN_ERROR_SSO_SVC_DOWN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SSO_URL_INVALID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_STORE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_STORE_DOWN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SYSTEM_DOWN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USER_API_ONLY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USER_FROZEN", "Blocked", "User locked", "Failure", "Informational", + "LOGIN_ERROR_USER_INACTIVE", "Blocked", "User disabled", "Failure", "Informational", + "LOGIN_ERROR_USER_NON_MOBILE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USER_STORE_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USERNAME_EMPTY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_WIRELESS_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_LIGHTNING_LOGIN", 
"Blocked", "Other", "Failure", "Informational", + "LOGIN_NO_ERROR", "Allowed", "", "Success", "Informational", + "LOGIN_OAUTH_API_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_CONSUMER_DELETED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_DS_NOT_EXPECTED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_DEVICE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_DS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_DSIG", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_IP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_NONCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_SIG_METHOD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_TOKEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_VERIFIER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_MISSING_DS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NO_CALLBACK_URL", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NO_CONSUMER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NO_TOKEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NONCE_REPLAY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_PACKAGE_MISSING", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_PACKAGE_OLD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_UNEXPECTED_PARAM", "Blocked", 
"Other", "Failure", "Informational", + "LOGIN_ORG_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_READONLY_CANNOT_VALIDATE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_AUDIENCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_CONFIG", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_FORMAT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_IN_RES_TO", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_ISSUER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_ORG_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_PORTAL_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_RECIPIENT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SESSION_LEVEL", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SIGNATURE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SITE_URL", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_STATUS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SUB_CONFIRM", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_USERNAME", "Blocked", "No such user", "Failure", "Informational", + "LOGIN_SAML_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_MISMATCH_CERT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_MISSING_ORG_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_MISSING_PORTAL_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_PROVISION_ERROR", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_REPLAY_ATTEMPTED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_SITE_INACTIVE", "Blocked", "Other", "Failure", "Informational", + 
"LOGIN_TWOFACTOR_REQ", "Blocked", "Logon violates policy", "Failure", "Informational" ]; - let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']); - let EventTypeLookup = datatable(event_type_s: string, EventType: string)[ + let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']); + let EventTypeLookup = datatable(event_type_s: string, EventType: string)[ "Login", "Logon", "LoginAs", "Logon", "Logout", "Logoff" ]; - let DvcOSLookup = datatable( + let DvcOsLookup = datatable( platform_type_s: string, - DvcOS: string, + DvcOs: string, DvcOsVersion: string )[ "1000", "Windows", "", @@ -169,7 +168,7 @@ ParserQuery: | "5007", "iPad", "", "5200", "Android", "10.0" ]; - let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ + let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ "7", "AppExchange", "A", "Application", "s", "Certificate-based login", @@ -195,7 +194,7 @@ ParserQuery: | "E", "SelfService", "j", "Third Party SSO" ]; - let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ + let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ "S", "Success", "F", "Failure", "A", "Failure", @@ -203,7 +202,7 @@ ParserQuery: | "N", "Failure", "U", "NA" ]; - let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[ + let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[ "CsnOnly", "Other", "CspLitePortal", "Other", "CustomerSuccess", "Other", 
@@ -228,13 +227,20 @@ ParserQuery: | "S", "Regular", "X", "Admin" ]; - SalesforceServiceCloud_CL - | where not(disabled) - | lookup EventResultLookup on login_status_s + SalesforceServiceCloud_CL + | where not(disabled) + // -- Pre filtering + | where + (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) + and (targetusername_has == '*' or (user_name_s has targetusername_has)) + and event_type_s in~ (SalesforceEventType) + // -- end pre-filtering + | lookup EventResultLookup on login_status_s | lookup EventTypeLookup on event_type_s //| lookup LogonMethodLookup on login_type_s | lookup TempEventResultLookup on request_status_s - | lookup DvcOSLookup on platform_type_s + | lookup DvcOsLookup on platform_type_s | lookup UserTypeLookup on user_type_s | project-rename EventProductVersion = api_version_s, @@ -245,7 +251,7 @@ ParserQuery: | TlsCipher = cipher_suite_s, TlsVersion = tls_protocol_s, HttpUserAgent= browser_type_s, - TargetScopeId = organization_id_s, + TargetUserScopeId = organization_id_s, TargetUrl = uri_s, TargetOriginalUserType = user_type_s, ActorUsername = delegated_user_name_s, 
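Review bot: The new pre-filtering block references `starttime`, `endtime` and `targetusername_has`, but this parser's signature shown in the first hunk is `let parser=(disabled:bool=false){`, so none of those names is declared in this file and the function body will fail to resolve them. For the ASim (non-filtering) variant only the event-type restriction is needed, e.g. `| where event_type_s in~ (SalesforceEventType)` after `| where not(disabled)`. The parameterized time/username filter belongs in the vim parser, whose signature in the next file section does declare `targetusername_has` and the other parameters. The enclosing function starts and ends outside this hunk.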
@@ -259,20 +265,37 @@ ParserQuery: | EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', EventStartTime = TimeGenerated, - EventEndTime = TimeGenerated + EventEndTime = TimeGenerated, + TargetAppName = "Salesforce Dot Com(SFDC)", + EventUid = _ItemId, + EventOriginalType=event_type_s | extend TargetSessionId = coalesce(session_key_s, login_key_s), SrcIpAddr = coalesce(SrcIpAddr, client_ip_s), TargetUserScope = "Salesforce Organization", TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""), + ActorUserIdType = iff(isnotempty(ActorUserId), "SaleforceId", ""), TargetUsernameType = iff(isnotempty(TargetUsername), "UPN", ""), - TargetAppName = "Salesforce Dot Com(SFDC)", + ActorUsernameType = iff(isnotempty(ActorUsername), "UPN", ""), User = coalesce(TargetUsername, TargetUserId), Src = SrcIpAddr, IpAddr = SrcIpAddr, - UserAgent = HttpUserAgent, Dvc = EventProduct, - EventResult = coalesce(EventResult, TempEventResult) - | project-away *_s, *_t, TenantId, SourceSystem + EventResult = coalesce(EventResult, TempEventResult), + Application = TargetAppName + | project-away + *_s, + *_t, + TenantId, + SourceSystem, + Computer, + MG, + ManagementGroupName, + Message, + RawData, + TempEventResult, + _ItemId, + _ResourceId, + wave_session_id_g }; - SalesforceSignin(disabled) \ No newline at end of file + parser(disabled) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml index fd15e2f7b90..16c34f9763f 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml 
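Review bot: The new `ActorUserIdType = iff(isnotempty(ActorUserId), "SaleforceId", "")` line copies the existing `TargetUserIdType` literal, and the Salesforce_Authentication_DataTest.csv added in this commit reports `SaleforceId` as an invalid Enumerated value for both fields, so the parser fails its own schema test. The literal is also missing the "s" of Salesforce; use a value the Authentication schema's UserIdType enumeration accepts, or if a Salesforce-specific type is intended add it to the schema and write `SalesforceId` on both lines. The same test output warns that the mandatory `EventResult` is empty in 20 of 30 records, which `EventResult = coalesce(EventResult, TempEventResult)` does not cover when neither lookup matches — presumably the Logout rows, so an explicit mapping for those event types is worth adding. The identical lines appear in the vimAuthenticationSalesforceSC hunk `@@ -282,20 +281,37 @@` further down and need the same fix. The enclosing function starts outside this hunk.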
@@ -38,140 +38,139 @@ ParserQuery: | targetusername_has: string="*", disabled: bool=false ) { - let EventResultLookup = datatable ( + let EventResultLookup = datatable ( login_status_s: string, + DvcAction: string, EventResultDetails: string, - EventResult: string + EventResult: string, + EventSeverity: string )[ - "LOGIN_CHALLENGE_ISSUED", "Other", "Failure", - "LOGIN_CHALLENGE_PENDING", "Other", "Failure", - "LOGIN_DATA_DOWNLOAD_ONLY", "Other", "Failure", - "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Logon violates policy", "Failure", - "LOGIN_ERROR_API_TOO_OLD", "Other", "Failure", - "LOGIN_ERROR_APPEXCHANGE_DOWN", "Other", "Failure", - "LOGIN_ERROR_ASYNC_USER_CREATE", "Other", "Failure", - "LOGIN_ERROR_AVANTGO_DISABLED", "Other", "Failure", - "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Other", "Failure", - "LOGIN_ERROR_CLIENT_NO_ACCESS", "Other", "Failure", - "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Other", "Failure", - "LOGIN_ERROR_CSS_FROZEN", "Other", "Failure", - "LOGIN_ERROR_CSS_PW_LOCKOUT", "User locked", "Failure", - "LOGIN_ERROR_DUPLICATE_USERNAME", "Other", "Failure", - "LOGIN_ERROR_EXPORT_RESTRICTED", "Other", "Failure", - "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Other", "Failure", - "LOGIN_ERROR_HT_DOWN", "Other", "Failure", - "LOGIN_ERROR_HTP_METHD_INVALID", "Other", "Failure", - "LOGIN_ERROR_INSECURE_LOGIN", "Other", "Failure", - "LOGIN_ERROR_INVALID_GATEWAY", "Other", "Failure", - "LOGIN_ERROR_INVALID_ID_FIELD", "Other", "Failure", - "LOGIN_ERROR_INVALID_PASSWORD", "Incorrect password", "Failure", - "LOGIN_ERROR_LOGINS_EXCEEDED", "Other", "Failure", - "LOGIN_ERROR_MUST_USE_API_TOKEN", "Other", "Failure", - "LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Other", "Failure", - "LOGIN_ERROR_NETWORK_INACTIVE", "Other", "Failure", - "LOGIN_ERROR_NO_HT_ACCESS", "Other", "Failure", - "LOGIN_ERROR_NO_NETWORK_ACCESS", "Other", "Failure", - "LOGIN_ERROR_NO_NETWORK_INFO", "Other", "Failure", - "LOGIN_ERROR_NO_PORTAL_ACCESS", "Other", "Failure", - "LOGIN_ERROR_NO_SET_COOKIES", "Other", 
"Failure", - "LOGIN_ERROR_OFFLINE_DISABLED", "Other", "Failure", - "LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Other", "Failure", - "LOGIN_ERROR_ORG_CLOSED", "Other", "Failure", - "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Other", "Failure", - "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Other", "Failure", - "LOGIN_ERROR_ORG_INACTIVE", "Other", "Failure", - "LOGIN_ERROR_ORG_IS_DOT_ORG", "Other", "Failure", - "LOGIN_ERROR_ORG_LOCKOUT", "Other", "Failure", - "LOGIN_ERROR_ORG_SIGNING_UP", "Other", "Failure", - "LOGIN_ERROR_ORG_SUSPENDED", "Other", "Failure", - "LOGIN_ERROR_OUTLOOK_DISABLED", "Other", "Failure", - "LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Session expired", "Failure", - "LOGIN_ERROR_PASSWORD_EMPTY", "Other", "Failure", - "LOGIN_ERROR_PASSWORD_LOCKOUT", "User locked", "Failure", - "LOGIN_ERROR_PORTAL_INACTIVE", "Other", "Failure", - "LOGIN_ERROR_RATE_EXCEEDED", "Other", "Failure", - "LOGIN_ERROR_RESTRICTED_DOMAIN", "Other", "Failure", - "LOGIN_ERROR_RESTRICTED_TIME", "Other", "Failure", - "LOGIN_ERROR_SESSION_TIMEOUT", "Session expired", "Failure", - "LOGIN_ERROR_SSO_PWD_INVALID", "Incorrect password", "Failure", - "LOGIN_ERROR_SSO_SVC_DOWN", "Other", "Failure", - "LOGIN_ERROR_SSO_URL_INVALID", "Other", "Failure", - "LOGIN_ERROR_STORE", "Other", "Failure", - "LOGIN_ERROR_STORE_DOWN", "Other", "Failure", - "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Other", "Failure", - "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Other", "Failure", - "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Other", "Failure", - "LOGIN_ERROR_SYSTEM_DOWN", "Other", "Failure", - "LOGIN_ERROR_UNKNOWN_ERROR", "Other", "Failure", - "LOGIN_ERROR_USER_API_ONLY", "Other", "Failure", - "LOGIN_ERROR_USER_FROZEN", "User locked", "Failure", - "LOGIN_ERROR_USER_INACTIVE", "User disabled", "Failure", - "LOGIN_ERROR_USER_NON_MOBILE", "Other", "Failure", - "LOGIN_ERROR_USER_STORE_ACCESS", "Other", "Failure", - "LOGIN_ERROR_USERNAME_EMPTY", "Other", "Failure", - "LOGIN_ERROR_WIRELESS_DISABLED", "Other", "Failure", - "LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Other", 
"Failure", - "LOGIN_LIGHTNING_LOGIN", "Other", "Failure", - "LOGIN_NO_ERROR", "", "Success", - "LOGIN_OAUTH_API_DISABLED", "Other", "Failure", - "LOGIN_OAUTH_CONSUMER_DELETED", "Other", "Failure", - "LOGIN_OAUTH_DS_NOT_EXPECTED", "Other", "Failure", - "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Other", "Failure", - "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Other", "Failure", - "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Other", "Failure", - "LOGIN_OAUTH_INVALID_DEVICE", "Other", "Failure", - "LOGIN_OAUTH_INVALID_DS", "Other", "Failure", - "LOGIN_OAUTH_INVALID_DSIG", "Other", "Failure", - "LOGIN_OAUTH_INVALID_IP", "Other", "Failure", - "LOGIN_OAUTH_INVALID_NONCE", "Other", "Failure", - "LOGIN_OAUTH_INVALID_SIG_METHOD", "Other", "Failure", - "LOGIN_OAUTH_INVALID_TIMESTAMP", "Other", "Failure", - "LOGIN_OAUTH_INVALID_TOKEN", "Other", "Failure", - "LOGIN_OAUTH_INVALID_VERIFIER", "Other", "Failure", - "LOGIN_OAUTH_INVALID_VERSION", "Other", "Failure", - "LOGIN_OAUTH_MISSING_DS", "Other", "Failure", - "LOGIN_OAUTH_NO_CALLBACK_URL", "Other", "Failure", - "LOGIN_OAUTH_NO_CONSUMER", "Other", "Failure", - "LOGIN_OAUTH_NO_TOKEN", "Other", "Failure", - "LOGIN_OAUTH_NONCE_REPLAY", "Other", "Failure", - "LOGIN_OAUTH_PACKAGE_MISSING", "Other", "Failure", - "LOGIN_OAUTH_PACKAGE_OLD", "Other", "Failure", - "LOGIN_OAUTH_UNEXPECTED_PARAM", "Other", "Failure", - "LOGIN_ORG_TRIAL_EXP", "Other", "Failure", - "LOGIN_READONLY_CANNOT_VALIDATE", "Other", "Failure", - "LOGIN_SAML_INVALID_AUDIENCE", "Other", "Failure", - "LOGIN_SAML_INVALID_CONFIG", "Other", "Failure", - "LOGIN_SAML_INVALID_FORMAT", "Other", "Failure", - "LOGIN_SAML_INVALID_IN_RES_TO", "Other", "Failure", - "LOGIN_SAML_INVALID_ISSUER", "Other", "Failure", - "LOGIN_SAML_INVALID_ORG_ID", "Other", "Failure", - "LOGIN_SAML_INVALID_PORTAL_ID", "Other", "Failure", - "LOGIN_SAML_INVALID_RECIPIENT", "Other", "Failure", - "LOGIN_SAML_INVALID_SESSION_LEVEL", "Other", "Failure", - "LOGIN_SAML_INVALID_SIGNATURE", "Other", "Failure", - 
"LOGIN_SAML_INVALID_SITE_URL", "Other", "Failure", - "LOGIN_SAML_INVALID_STATUS", "Other", "Failure", - "LOGIN_SAML_INVALID_SUB_CONFIRM", "Other", "Failure", - "LOGIN_SAML_INVALID_TIMESTAMP", "Other", "Failure", - "LOGIN_SAML_INVALID_USERNAME", "No such user", "Failure", - "LOGIN_SAML_INVALID_VERSION", "Other", "Failure", - "LOGIN_SAML_MISMATCH_CERT", "Other", "Failure", - "LOGIN_SAML_MISSING_ORG_ID", "Other", "Failure", - "LOGIN_SAML_MISSING_PORTAL_ID", "Other", "Failure", - "LOGIN_SAML_PROVISION_ERROR", "Other", "Failure", - "LOGIN_SAML_REPLAY_ATTEMPTED", "Other", "Failure", - "LOGIN_SAML_SITE_INACTIVE", "Other", "Failure", - "LOGIN_TWOFACTOR_REQ", "Logon violates policy", "Failure" + "LOGIN_CHALLENGE_ISSUED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_CHALLENGE_PENDING", "Blocked", "Other", "Failure", "Informational", + "LOGIN_DATA_DOWNLOAD_ONLY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Blocked", "Logon violates policy", "Failure", "Informational", + "LOGIN_ERROR_API_TOO_OLD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ASYNC_USER_CREATE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_AVANTGO_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CLIENT_NO_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CSS_FROZEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_CSS_PW_LOCKOUT", "Blocked", "User locked", "Failure", "Informational", + "LOGIN_ERROR_DUPLICATE_USERNAME", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_EXPORT_RESTRICTED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_HT_DOWN", "Blocked", "Other", "Failure", 
"Informational", + "LOGIN_ERROR_HTP_METHD_INVALID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_INSECURE_LOGIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_INVALID_GATEWAY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_INVALID_ID_FIELD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_INVALID_PASSWORD", "Blocked", "Incorrect password", "Failure", "Informational", + "LOGIN_ERROR_LOGINS_EXCEEDED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_MUST_USE_API_TOKEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NETWORK_INACTIVE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_HT_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_NETWORK_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_NETWORK_INFO", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_NO_SET_COOKIES", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_OFFLINE_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_CLOSED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_INACTIVE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_IS_DOT_ORG", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_LOCKOUT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_SIGNING_UP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_ORG_SUSPENDED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_OUTLOOK_DISABLED", "Blocked", "Other", "Failure", "Informational", + 
"LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Blocked", "Session expired", "Failure", "Informational", + "LOGIN_ERROR_PASSWORD_EMPTY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_PASSWORD_LOCKOUT", "Blocked", "User locked", "Failure", "Informational", + "LOGIN_ERROR_PORTAL_INACTIVE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_RATE_EXCEEDED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_RESTRICTED_DOMAIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_RESTRICTED_TIME", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SESSION_TIMEOUT", "Blocked", "Session expired", "Failure", "Informational", + "LOGIN_ERROR_SSO_PWD_INVALID", "Blocked", "Incorrect password", "Failure", "Informational", + "LOGIN_ERROR_SSO_SVC_DOWN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SSO_URL_INVALID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_STORE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_STORE_DOWN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_SYSTEM_DOWN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USER_API_ONLY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USER_FROZEN", "Blocked", "User locked", "Failure", "Informational", + "LOGIN_ERROR_USER_INACTIVE", "Blocked", "User disabled", "Failure", "Informational", + "LOGIN_ERROR_USER_NON_MOBILE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USER_STORE_ACCESS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_USERNAME_EMPTY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ERROR_WIRELESS_DISABLED", "Blocked", "Other", "Failure", "Informational", + 
"LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_LIGHTNING_LOGIN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_NO_ERROR", "Allowed", "", "Success", "Informational", + "LOGIN_OAUTH_API_DISABLED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_CONSUMER_DELETED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_DS_NOT_EXPECTED", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_DEVICE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_DS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_DSIG", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_IP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_NONCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_SIG_METHOD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_TOKEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_VERIFIER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_MISSING_DS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NO_CALLBACK_URL", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NO_CONSUMER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NO_TOKEN", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_NONCE_REPLAY", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_PACKAGE_MISSING", "Blocked", "Other", "Failure", "Informational", + 
"LOGIN_OAUTH_PACKAGE_OLD", "Blocked", "Other", "Failure", "Informational", + "LOGIN_OAUTH_UNEXPECTED_PARAM", "Blocked", "Other", "Failure", "Informational", + "LOGIN_ORG_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_READONLY_CANNOT_VALIDATE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_AUDIENCE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_CONFIG", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_FORMAT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_IN_RES_TO", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_ISSUER", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_ORG_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_PORTAL_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_RECIPIENT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SESSION_LEVEL", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SIGNATURE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SITE_URL", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_STATUS", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_SUB_CONFIRM", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_INVALID_USERNAME", "Blocked", "No such user", "Failure", "Informational", + "LOGIN_SAML_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_MISMATCH_CERT", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_MISSING_ORG_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_MISSING_PORTAL_ID", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_PROVISION_ERROR", "Blocked", "Other", "Failure", "Informational", + "LOGIN_SAML_REPLAY_ATTEMPTED", "Blocked", "Other", 
"Failure", "Informational", + "LOGIN_SAML_SITE_INACTIVE", "Blocked", "Other", "Failure", "Informational", + "LOGIN_TWOFACTOR_REQ", "Blocked", "Logon violates policy", "Failure", "Informational" ]; - let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']); - let EventTypeLookup = datatable(event_type_s: string, EventType: string)[ + let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']); + let EventTypeLookup = datatable(event_type_s: string, EventType: string)[ "Login", "Logon", "LoginAs", "Logon", "Logout", "Logoff" ]; - let DvcOSLookup = datatable( + let DvcOsLookup = datatable( platform_type_s: string, - DvcOS: string, + DvcOs: string, DvcOsVersion: string )[ "1000", "Windows", "", @@ -185,7 +184,7 @@ ParserQuery: | "5007", "iPad", "", "5200", "Android", "10.0" ]; - let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ + let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ "7", "AppExchange", "A", "Application", "s", "Certificate-based login", @@ -211,7 +210,7 @@ ParserQuery: | "E", "SelfService", "j", "Third Party SSO" ]; - let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ + let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ "S", "Success", "F", "Failure", "A", "Failure", @@ -219,7 +218,7 @@ ParserQuery: | "N", "Failure", "U", "NA" ]; - let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[ + let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[ "CsnOnly", "Other", "CspLitePortal", "Other", "CustomerSuccess", "Other", @@ -257,7 +256,7 @@ ParserQuery: | | lookup EventTypeLookup on event_type_s //| lookup LogonMethodLookup on login_type_s | lookup TempEventResultLookup on request_status_s - | lookup DvcOSLookup on platform_type_s + | lookup DvcOsLookup on platform_type_s | lookup UserTypeLookup on user_type_s | project-rename EventProductVersion = api_version_s, 
@@ -268,7 +267,7 @@ ParserQuery: | TlsCipher = cipher_suite_s, TlsVersion = tls_protocol_s, HttpUserAgent= browser_type_s, - TargetScopeId = organization_id_s, + TargetUserScopeId = organization_id_s, TargetUrl = uri_s, TargetOriginalUserType = user_type_s, ActorUsername = delegated_user_name_s, @@ -282,20 +281,37 @@ ParserQuery: | EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', EventStartTime = TimeGenerated, - EventEndTime = TimeGenerated + EventEndTime = TimeGenerated, + TargetAppName = "Salesforce Dot Com(SFDC)", + EventUid = _ItemId, + EventOriginalType=event_type_s | extend TargetSessionId = coalesce(session_key_s, login_key_s), SrcIpAddr = coalesce(SrcIpAddr, client_ip_s), TargetUserScope = "Salesforce Organization", TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""), + ActorUserIdType = iff(isnotempty(ActorUserId), "SaleforceId", ""), TargetUsernameType = iff(isnotempty(TargetUsername), "UPN", ""), - TargetAppName = "Salesforce Dot Com(SFDC)", + ActorUsernameType = iff(isnotempty(ActorUsername), "UPN", ""), User = coalesce(TargetUsername, TargetUserId), Src = SrcIpAddr, IpAddr = SrcIpAddr, - UserAgent = HttpUserAgent, Dvc = EventProduct, - EventResult = coalesce(EventResult, TempEventResult) - | project-away *_s, *_t, TenantId, SourceSystem + EventResult = coalesce(EventResult, TempEventResult), + Application = TargetAppName + | project-away + *_s, + *_t, + TenantId, + SourceSystem, + Computer, + MG, + ManagementGroupName, + Message, + RawData, + TempEventResult, + _ItemId, + _ResourceId, + wave_session_id_g }; parser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_DataTest.csv new file mode 100644 index 00000000000..065127d0107 --- /dev/null 
+++ b/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_DataTest.csv 
@@ -0,0 +1,22 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Salesforce Service Cloud""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(1) Warning: Empty value in 20 records (66.67%) in mandatory field [EventResult] (Schema:Authentication)"
+"(2) Info: Empty value in 10 records (33.33%) in optional field [HttpUserAgent] (Schema:Authentication)"
+"(2) Info: Empty value in 10 records (33.33%) in optional field [TargetUrl] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUserId] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOsVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOs] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in optional field [EventOriginalResultDetails] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in optional field [EventProductVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in optional field [TargetOriginalUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in recommended field [DvcAction] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in recommended field [EventSeverity] (Schema:Authentication)"
+"(2) Info: Empty value in 20 records (66.67%) in recommended field [Src] (Schema:Authentication)"
+"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 30 records (100.0%) in recommended field [EventResultDetails] (Schema:Authentication)"
diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_SchemaTest.csv
new file mode 100644
index 00000000000..31a08852444
--- /dev/null
+++ b/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_SchemaTest.csv
@@ -0,0 +1,88 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [DvcHostname]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [TargetDomain]"
+"(1) Warning: Missing recommended field [TargetHostname]"
+"(2) Info: Missing optional field [ActingAppId]"
+"(2) Info: Missing optional field [ActingAppName]"
+"(2) Info: Missing optional field [ActingAppType]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserType]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [LogonMethod]"
+"(2) Info: Missing optional field [LogonProtocol]"
+"(2) Info: Missing optional field [LogonTarget]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDomain]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcOs]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcHostname]"
+"(2) Info: Missing optional field [SrcIsp]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [TargetAppId]"
+"(2) Info: Missing optional field [TargetAppType]"
+"(2) Info: Missing optional field [TargetDescription]"
+"(2) Info: Missing optional field [TargetDeviceType]"
+"(2) Info: Missing optional field [TargetDvcId]"
+"(2) Info: Missing optional field [TargetDvcOs]"
+"(2) Info: Missing optional field [TargetDvcScopeId]"
+"(2) Info: Missing optional field [TargetDvcScope]"
+"(2) Info: Missing optional field [TargetFQDN]"
+"(2) Info: Missing optional field [TargetGeoCity]"
+"(2) Info: Missing optional field [TargetGeoCountry]"
+"(2) Info: Missing optional field [TargetGeoLatitude]"
+"(2) Info: Missing optional field [TargetGeoLongitude]"
+"(2) Info: Missing optional field [TargetGeoRegion]"
+"(2) Info: Missing optional field [TargetHostname]"
+"(2) Info: Missing optional field [TargetIpAddr]"
+"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
+"(2) Info: Missing optional field [TargetPortNumber]"
+"(2) Info: Missing optional field [TargetRiskLevel]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional
field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: extra unnormalized column [TlsCipher]" +"(2) Info: extra unnormalized column [TlsVersion]" From e6c5a72423227de8d5d3d0a4d5d43f7b85eca55e Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Mon, 17 Jul 2023 15:16:17 +0000 Subject: [PATCH 18/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthenticationSalesforceSC.json | 2 +- .../vimAuthenticationSalesforceSC.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json index 638a273125f..5113d6d3e46 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser=(disabled:bool=false){\n let EventResultLookup = datatable (\n login_status_s: string,\n EventResultDetails: string,\n EventResult: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Other\", \"Failure\",\n \"LOGIN_CHALLENGE_PENDING\", \"Other\", \"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Logon violates policy\", \"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HT_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Other\", \"Failure\",\n 
\"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\", 
\"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"User disabled\", \"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_NO_ERROR\", \"\", \"Success\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Other\", \"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Other\", \"Failure\",\n 
\"LOGIN_READONLY_CANNOT_VALIDATE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"No such user\", \"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Other\", \"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_TWOFACTOR_REQ\", \"Logon violates policy\", \"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\nlet EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\nlet DvcOSLookup = datatable(\n platform_type_s: string,\n DvcOS: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", 
\"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\nlet LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\nlet TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\nlet UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\nSalesforceServiceCloud_CL \n | where not(disabled)\n | lookup EventResultLookup on 
login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOSLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult)\n | project-away *_s, *_t, TenantId, SourceSystem\n};\nSalesforceSignin(disabled)", + "query": "let parser=(disabled:bool=false){\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service 
Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = 
uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser(disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json index 149c74d89e4..2df0df0762d 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json 
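Review bot: The new ASimAuthenticationSalesforceSC query's pre-filtering block references `starttime`, `endtime` and `targetusername_has`, but the function is declared as `let parser=(disabled:bool=false)` and `functionParameters` is still `disabled:bool=False`, so those names are unresolved and the parser will fail at query time instead of returning normalized events — a silent gap for any detection that relies on the Authentication schema union. Since this ARM template is generated, the fix belongs in the source YAML: either drop the time/username pre-filter from the non-filtering ASim parser, keeping only `| where not(disabled)` and `| where event_type_s in~ (SalesforceEventType)`, or declare the three parameters exactly as the vim parser does. Separately, `LOGIN_ERROR_APPEXCHANGE_DOWN` and `LOGIN_ERROR_NO_PORTAL_ACCESS` are present in the old EventResultLookup but appear to be absent from the new one; unless intentional, events with those statuses will fall back to `TempEventResult` with empty DvcAction, EventResultDetails and EventSeverity. Also note the pre-filter compares the ingestion-time `TimeGenerated` while the parser later overwrites `TimeGenerated` from `timestamp_s`, so any time-window filtering would operate on a different clock than the emitted field.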
@@ -35,7 +35,7 @@ "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "vimAuthenticationSalesforceSC", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\nlet EventResultLookup = datatable (\n login_status_s: string,\n EventResultDetails: string,\n EventResult: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Other\", \"Failure\",\n \"LOGIN_CHALLENGE_PENDING\", \"Other\", \"Failure\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Logon violates policy\", \"Failure\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_APPEXCHANGE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HT_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Other\", \"Failure\",\n 
\"LOGIN_ERROR_NETWORK_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_PORTAL_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Session expired\", \"Failure\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Incorrect password\", \"Failure\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Other\", \"Failure\",\n 
\"LOGIN_ERROR_SYSTEM_DOWN\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_UNKNOWN_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_FROZEN\", \"User locked\", \"Failure\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"User disabled\", \"Failure\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Other\", \"Failure\",\n \"LOGIN_NO_ERROR\", \"\", \"Success\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Other\", \"Failure\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", 
\"Other\", \"Failure\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Other\", \"Failure\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Other\", \"Failure\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Other\", \"Failure\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"No such user\", \"Failure\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Other\", \"Failure\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Other\", \"Failure\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Other\", \"Failure\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Other\", \"Failure\",\n \"LOGIN_TWOFACTOR_REQ\", \"Logon violates policy\", \"Failure\"\n];\nlet SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\nlet EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\nlet DvcOSLookup = datatable(\n platform_type_s: string,\n DvcOS: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n 
\"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\nlet LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\nlet TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\nlet UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n 
\"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOSLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n UserAgent = HttpUserAgent,\n Dvc = EventProduct,\n EventResult = 
coalesce(EventResult, TempEventResult)\n | project-away *_s, *_t, TenantId, SourceSystem\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", 
\"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ 
(SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n 
RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" } From 77ded46a442991b4f468711147846ec33f5266a9 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Tue, 18 Jul 2023 10:19:36 +0530 Subject: [PATCH 19/38] adding custom table fields --- .../SalesforceServiceCloud_CL.json | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json index 819436aa6b0..dc28254cb1a 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json @@ -804,6 +804,50 @@ { "Name": "TimeGenerated", "Type": "DateTime" + }, + { + "Name": "_ItemId", + "Type": "String" + }, + { + "Name": "starttime", + "Type": "DateTime" + }, + { + "Name": "endtime", + "Type": "DateTime" + }, + { + "Name": "targetusername_has", + "Type": "String" + }, + { + "Name": "SourceSystem", + "Type": "String" + }, + { + "Name": "Computer", + "Type": "String" + }, + { + "Name": "MG", + "Type": "String" + }, + { + "Name": "ManagementGroupName", + "Type": "String" + }, + { + "Name": "Message", + "Type": "String" + }, + { + "Name": "RawData", + "Type": "String" + }, + { + "Name": "_ResourceId", + "Type": "String" } ] } \ No newline at end of file From f8076051e6342e25b9d524b1241951c7b8d3de12 Mon Sep 17 00:00:00 2001 
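Review bot: The rewritten EventResultLookup on the new side of the vimAuthenticationSalesforceSC query drops three login_status_s rows that the old side carried — `LOGIN_ERROR_APPEXCHANGE_DOWN`, `LOGIN_ERROR_NO_PORTAL_ACCESS` and `LOGIN_ERROR_UNKNOWN_ERROR` — so events with those statuses get no DvcAction or EventResultDetails from the lookup and EventResult silently falls back to the request_status_s mapping through the later coalesce. Restoring them in the same shape as their neighbours, e.g. `"LOGIN_ERROR_UNKNOWN_ERROR", "Blocked", "Other", "Failure", "Informational",`, keeps the failure-reason detail available to detections. Separately, the identifier-type literal `"SaleforceId"` in the TargetUserIdType and ActorUserIdType extends reads as a typo for `"SalesforceId"`, and downstream content will key on that exact string. Every failure row is also tagged `"Informational"`, including lockouts, invalid-password and SAML-replay statuses; if the schema guidance this repo follows assigns failed logons a higher severity, the EventSeverity column should follow it rather than be constant.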
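Review bot: The added entries `starttime`, `endtime` and `targetusername_has` describe parser parameters, not columns of SalesforceServiceCloud_CL — the vimAuthenticationSalesforceSC query earlier in this series declares exactly those names in its parameter list, and presumably no ingested table carries them. Declaring them as table columns in the validation fixture means the KQL validator will accept any reference to those names, including a parser that reads them as columns by mistake, so the schema check is weakened rather than the underlying scoping issue fixed. If the validator cannot see function parameters, that looks like a gap to close in the test harness; otherwise these three entries should be dropped and only the genuine Log Analytics columns (`_ItemId`, `_ResourceId`, `SourceSystem`, `Computer`, `MG`, `ManagementGroupName`, `Message`, `RawData`) kept.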
From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Tue, 18 Jul 2023 15:38:50 +0530 Subject: [PATCH 20/38] updated couple lookup functions --- .../ASimAuthenticationSalesforceSC.yaml | 95 +++++++++++-------- .../Parsers/imAuthentication.yaml | 4 +- .../vimAuthenticationSalesforceSC.yaml | 75 +++++++++------ ...alesforce_ASimAuthentication_DataTest.csv} | 2 + ...esforce_ASimAuthentication_SchemaTest.csv} | 4 +- .../Salesforce_vimAuthentication_DataTest.csv | 24 +++++ ...alesforce_vimAuthentication_SchemaTest.csv | 88 +++++++++++++++++ 7 files changed, 222 insertions(+), 70 deletions(-) rename Parsers/ASimAuthentication/Tests/{Salesforce_Authentication_DataTest.csv => Salesforce_ASimAuthentication_DataTest.csv} (92%) rename Parsers/ASimAuthentication/Tests/{Salesforce_Authentication_SchemaTest.csv => Salesforce_ASimAuthentication_SchemaTest.csv} (97%) create mode 100644 Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv create mode 100644 Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index 3cf2ab8e894..07f089021cb 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml 
@@ -21,13 +21,13 @@ ParserParams:
 Type: bool
 Default: false
 ParserQuery: |
- let parser=(disabled:bool=false){
- let EventResultLookup = datatable (
- login_status_s: string,
- DvcAction: string,
- EventResultDetails: string,
- EventResult: string,
- EventSeverity: string
+ let parser=(disabled: bool=false) {
+ let EventResultLookup = datatable (
+ login_status_s: string,
+ DvcAction: string,
+ EventResultDetails: string,
+ EventResult: string,
+ EventSeverity: string
 )[
 "LOGIN_CHALLENGE_ISSUED", "Blocked", "Other", "Failure", "Informational",
 "LOGIN_CHALLENGE_PENDING", "Blocked", "Other", "Failure", "Informational", 
@@ -168,31 +168,49 @@ ParserQuery: | "5007", "iPad", "", "5200", "Android", "10.0" ]; - let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ - "7", "AppExchange", - "A", "Application", - "s", "Certificate-based login", - "k", "Chatter Communities External User", - "n", "Chatter Communities External User Third Party SSO", - "r", "Employee Login to Community", - "z", "Lightning Login", - "l", "Networks Portal API Only", - "6", "Remote Access Client", - "i", "Remote Access 2.0", - "I", "Other Apex API", - "R", "Partner Product", - "w", "Passwordless Login", - "3", "Customer Service Portal", - "q", "Partner Portal Third-Party SSO", - "9", "Partner Portal", - "5", "SAML Idp Initiated SSO", - "m", "SAML Chatter Communities External User SSO", - "b", "SAML Customer Service Portal SSO", - "c", "SAML Partner Portal SSO", - "h", "SAML Site SSO", - "8", "SAML Sfdc Initiated SSO", - "E", "SelfService", - "j", "Third Party SSO" + let LogonMethodLookup = datatable( + LoginType_s: string, + LogonMethodOriginal: string, + LogonMethod: string + )[ + "7", "AppExchange", "Other", + "A", "Application", "Other", + "s", "Certificate-based login", "PKI", + "k", "Chatter Communities External User", "Other", + "n", "Chatter Communities External User Third Party SSO", "Other", + "r", "Employee Login to Community", "Other", + "z", "Lightning Login", "Username & Password", + "l", "Networks Portal API Only", "Other", + "6", "Remote Access Client", "Other", + "i", "Remote Access 2.0", "Other", + "I", "Other Apex API", "Other", + "R", "Partner Product", "Other", + "w", "Passwordless Login", "Passwordless", + "3", "Customer Service Portal", "Other", + "q", "Partner Portal Third-Party SSO", "Other", + "9", "Partner Portal", "Other", + "5", "SAML Idp Initiated SSO", "Other", + "m", "SAML Chatter Communities External User SSO", "Other", + "b", "SAML Customer Service Portal SSO", "Other", + "c", "SAML Partner Portal SSO", "Other", + "h", "SAML Site SSO", "Other", + "8", "SAML 
Sfdc Initiated SSO", "Other", + "E", "SelfService", "Other", + "j", "Third Party SSO", "Other" + ]; + let LogonProtocolLookup = datatable( + LoginSubType_s: string, + LogonProtocolOriginal: string, + LogonProtocol: string + )[ + "uiup", "UI Username-Password", "Basic Auth", + "oauthpassword", "OAuth Username-Password", "OAuth", + "oauthtoken", "OAuth User-Agent", "OAuth", + "oauthhybridtoken", "OAuth User-Agent for Hybrid Apps", "OAuth", + "oauthtokenidtoken", "OAuth User-Agent with ID Token", "OAuth", + "oauthclientcredential", "OAuth Client Credential", "OAuth", + "oauthcode", "OAuth Web Server", "OAuth", + "oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth", ]; let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ "S", "Success", @@ -229,16 +247,13 @@ ParserQuery: | ]; SalesforceServiceCloud_CL | where not(disabled) - // -- Pre filtering - | where - (isnull(starttime) or TimeGenerated >= starttime) - and (isnull(endtime) or TimeGenerated <= endtime) - and (targetusername_has == '*' or (user_name_s has targetusername_has)) - and event_type_s in~ (SalesforceEventType) - // -- end pre-filtering + | where event_type_s in~ (SalesforceEventType) + | extend LoginType_s = column_ifexists("login_type_s", "") + | extend LoginSubType_s = column_ifexists("login_sub_type_s", "") | lookup EventResultLookup on login_status_s | lookup EventTypeLookup on event_type_s - //| lookup LogonMethodLookup on login_type_s + | lookup LogonMethodLookup on LoginType_s + | lookup LogonProtocolLookup on LoginSubType_s | lookup TempEventResultLookup on request_status_s | lookup DvcOsLookup on platform_type_s | lookup UserTypeLookup on user_type_s diff --git a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml index 8082a7afe71..7c94ca62500 100644 --- a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml 
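Review bot: The `"z", "Lightning Login", "Username & Password"` row in the new LogonMethodLookup looks inconsistent with the `"w", "Passwordless Login", "Passwordless"` row a few lines below: Salesforce describes Lightning Login as a passwordless, authenticator-based method, so if that holds it should map to `"Passwordless"` as well, otherwise rules keyed on LogonMethod will count those logons as password-based; please confirm against the Salesforce login-type reference before changing it. The last LogonProtocolLookup row, `"oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth",`, keeps a trailing comma before `];` that none of the other datatables in this parser have; drop it for consistency rather than relying on the engine tolerating it. The regenerated Salesforce_ASimAuthentication_DataTest.csv and Salesforce_vimAuthentication_DataTest.csv report LogonMethod and LogonProtocol empty in 100% of records, which suggests the sample data carries no login_type_s/login_sub_type_s values, so neither new lookup is actually exercised by the tests. The schema tests flag LogonMethodOriginal and LogonProtocolOriginal as unnormalized columns; if they are meant to stay, a comment on the datatable such as `// *Original keeps the vendor label; LogonMethod/LogonProtocol hold the ASIM value` would make that deliberate. The same two tables are added to vimAuthenticationSalesforceSC.yaml in its `@@ -184,32 +184,50 @@` hunk and every point above applies there too.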
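Review bot: The new `| lookup LogonMethodLookup on LoginType_s` depends on `lookup`'s default case-sensitive match, and that is required here because the table keys both `"i"` (Remote Access 2.0) and `"I"` (Other Apex API); a comment on that line, `// case-sensitive on purpose: Salesforce login_type codes distinguish "i" from "I"`, would stop a later "fix" to a case-insensitive match from silently merging the two. The `LoginType_s`/`LoginSubType_s` columns produced by `column_ifexists` end in `_s`, so the `project-away *_s` at the end of the parser (visible in the ARM-rendered query of the following patch) appears to drop them along with the raw fields, leaving LogonMethodOriginal/LogonProtocolOriginal as the only vendor value; a one-line note beside the two `extend` lines would save the next reader from wondering where they go. The `@@ -252,9 +270,12 @@` hunk of vimAuthenticationSalesforceSC.yaml adds the same extend/lookup lines and the same comments apply there. The enclosing parser body continues outside the hunk.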
@@ -43,6 +43,7 @@ ParserQuery: | , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) ))) , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) ))) , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) ))) + , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) ))) }; Generic(starttime, endtime, targetusername_has) @@ -58,4 +59,5 @@ Parsers: - vimAuthenticationMicrosoftWindowsEvent - vimAuthenticationMD4IoT - vimAuthenticationSshd - - vimAuthenticationSu \ No newline at end of file + - vimAuthenticationSu + - vimAuthenticationSalesforceSC \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml index 16c34f9763f..3f43985b0da 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml 
@@ -184,32 +184,50 @@ ParserQuery: | "5007", "iPad", "", "5200", "Android", "10.0" ]; - let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[ - "7", "AppExchange", - "A", "Application", - "s", "Certificate-based login", - "k", "Chatter Communities External User", - "n", "Chatter Communities External User Third Party SSO", - "r", "Employee Login to Community", - "z", "Lightning Login", - "l", "Networks Portal API Only", - "6", "Remote Access Client", - "i", "Remote Access 2.0", - "I", "Other Apex API", - "R", "Partner Product", - "w", "Passwordless Login", - "3", "Customer Service Portal", - "q", "Partner Portal Third-Party SSO", - "9", "Partner Portal", - "5", "SAML Idp Initiated SSO", - "m", "SAML Chatter Communities External User SSO", - "b", "SAML Customer Service Portal SSO", - "c", "SAML Partner Portal SSO", - "h", "SAML Site SSO", - "8", "SAML Sfdc Initiated SSO", - "E", "SelfService", - "j", "Third Party SSO" - ]; + let LogonMethodLookup = datatable( + LoginType_s: string, + LogonMethodOriginal: string, + LogonMethod: string + )[ + "7", "AppExchange", "Other", + "A", "Application", "Other", + "s", "Certificate-based login", "PKI", + "k", "Chatter Communities External User", "Other", + "n", "Chatter Communities External User Third Party SSO", "Other", + "r", "Employee Login to Community", "Other", + "z", "Lightning Login", "Username & Password", + "l", "Networks Portal API Only", "Other", + "6", "Remote Access Client", "Other", + "i", "Remote Access 2.0", "Other", + "I", "Other Apex API", "Other", + "R", "Partner Product", "Other", + "w", "Passwordless Login", "Passwordless", + "3", "Customer Service Portal", "Other", + "q", "Partner Portal Third-Party SSO", "Other", + "9", "Partner Portal", "Other", + "5", "SAML Idp Initiated SSO", "Other", + "m", "SAML Chatter Communities External User SSO", "Other", + "b", "SAML Customer Service Portal SSO", "Other", + "c", "SAML Partner Portal SSO", "Other", + "h", "SAML Site SSO", "Other", + "8", 
"SAML Sfdc Initiated SSO", "Other", + "E", "SelfService", "Other", + "j", "Third Party SSO", "Other" + ]; + let LogonProtocolLookup = datatable( + LoginSubType_s: string, + LogonProtocolOriginal: string, + LogonProtocol: string + )[ + "uiup", "UI Username-Password", "Basic Auth", + "oauthpassword", "OAuth Username-Password", "OAuth", + "oauthtoken", "OAuth User-Agent", "OAuth", + "oauthhybridtoken", "OAuth User-Agent for Hybrid Apps", "OAuth", + "oauthtokenidtoken", "OAuth User-Agent with ID Token", "OAuth", + "oauthclientcredential", "OAuth Client Credential", "OAuth", + "oauthcode", "OAuth Web Server", "OAuth", + "oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth", + ]; let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ "S", "Success", "F", "Failure", @@ -252,9 +270,12 @@ ParserQuery: | and (targetusername_has == '*' or (user_name_s has targetusername_has)) and event_type_s in~ (SalesforceEventType) // -- end pre-filtering + | extend LoginType_s = column_ifexists("login_type_s", "") + | extend LoginSubType_s = column_ifexists("login_sub_type_s", "") | lookup EventResultLookup on login_status_s | lookup EventTypeLookup on event_type_s - //| lookup LogonMethodLookup on login_type_s + | lookup LogonMethodLookup on LoginType_s + | lookup LogonProtocolLookup on LoginSubType_s | lookup TempEventResultLookup on request_status_s | lookup DvcOsLookup on platform_type_s | lookup UserTypeLookup on user_type_s diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv similarity index 92% rename from Parsers/ASimAuthentication/Tests/Salesforce_Authentication_DataTest.csv rename to Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv index 065127d0107..53b01c096da 100644 --- a/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_DataTest.csv 
+++ b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv @@ -17,6 +17,8 @@ "(2) Info: Empty value in 20 records (66.67%) in recommended field [DvcAction] (Schema:Authentication)" "(2) Info: Empty value in 20 records (66.67%) in recommended field [EventSeverity] (Schema:Authentication)" "(2) Info: Empty value in 20 records (66.67%) in recommended field [Src] (Schema:Authentication)" +"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonMethod] (Schema:Authentication)" +"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonProtocol] (Schema:Authentication)" "(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUserType] (Schema:Authentication)" "(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUsername] (Schema:Authentication)" "(2) Info: Empty value in 30 records (100.0%) in recommended field [EventResultDetails] (Schema:Authentication)" diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv similarity index 97% rename from Parsers/ASimAuthentication/Tests/Salesforce_Authentication_SchemaTest.csv rename to Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv index 31a08852444..0c8ab1874f7 100644 --- a/Parsers/ASimAuthentication/Tests/Salesforce_Authentication_SchemaTest.csv +++ b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv @@ -29,8 +29,6 @@ "(2) Info: Missing optional field [EventOwner]" "(2) Info: Missing optional field [EventReportUrl]" "(2) Info: Missing optional field [EventSubType]" -"(2) Info: Missing optional field [LogonMethod]" -"(2) Info: Missing optional field [LogonProtocol]" "(2) Info: Missing optional field [LogonTarget]" "(2) Info: Missing optional field [RuleName]" "(2) Info: Missing optional field [RuleNumber]" 
@@ -84,5 +82,7 @@ "(2) Info: Missing optional field [ThreatOriginalConfidence]" "(2) Info: Missing optional field [ThreatOriginalRiskLevel]" "(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: extra unnormalized column [LogonMethodOriginal]" +"(2) Info: extra unnormalized column [LogonProtocolOriginal]" "(2) Info: extra unnormalized column [TlsCipher]" "(2) Info: extra unnormalized column [TlsVersion]" diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv new file mode 100644 index 00000000000..53b01c096da --- /dev/null +++ b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv 
@@ -0,0 +1,24 @@ +Result +"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Salesforce Service Cloud""] (Schema:Authentication)" +"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)" +"(1) Warning: Empty value in 20 records (66.67%) in mandatory field [EventResult] (Schema:Authentication)" +"(2) Info: Empty value in 10 records (33.33%) in optional field [HttpUserAgent] (Schema:Authentication)" +"(2) Info: Empty value in 10 records (33.33%) in optional field [TargetUrl] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUserId] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUsername] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOsVersion] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOs] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in optional field [EventOriginalResultDetails] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in optional field [EventProductVersion] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in optional field [TargetOriginalUserType] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in recommended 
field [DvcAction] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in recommended field [EventSeverity] (Schema:Authentication)" +"(2) Info: Empty value in 20 records (66.67%) in recommended field [Src] (Schema:Authentication)" +"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonMethod] (Schema:Authentication)" +"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonProtocol] (Schema:Authentication)" +"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUserType] (Schema:Authentication)" +"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUsername] (Schema:Authentication)" +"(2) Info: Empty value in 30 records (100.0%) in recommended field [EventResultDetails] (Schema:Authentication)" diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv new file mode 100644 index 00000000000..0c8ab1874f7 --- /dev/null +++ b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv 
@@ -0,0 +1,88 @@ +Result +"(1) Warning: Missing recommended field [Dst]" +"(1) Warning: Missing recommended field [DvcDomain]" +"(1) Warning: Missing recommended field [DvcHostname]" +"(1) Warning: Missing recommended field [DvcIpAddr]" +"(1) Warning: Missing recommended field [TargetDomain]" +"(1) Warning: Missing recommended field [TargetHostname]" +"(2) Info: Missing optional field [ActingAppId]" +"(2) Info: Missing optional field [ActingAppName]" +"(2) Info: Missing optional field [ActingAppType]" +"(2) Info: Missing optional field [ActorOriginalUserType]" +"(2) Info: Missing optional field [ActorScopeId]" +"(2) Info: Missing optional field [ActorScope]" +"(2) Info: Missing optional field [ActorSessionId]" +"(2) Info: Missing optional field [ActorUserType]" +"(2) Info: Missing optional field [AdditionalFields]" +"(2) Info: Missing optional field [DvcDescription]" +"(2) Info: Missing optional field [DvcFQDN]" +"(2) Info: Missing optional field [DvcId]" +"(2) Info: Missing optional field [DvcInterface]" +"(2) Info: Missing optional field [DvcMacAddr]" +"(2) Info: Missing optional field [DvcOriginalAction]" +"(2) Info: Missing optional field [DvcScopeId]" +"(2) Info: Missing optional field [DvcScope]" +"(2) Info: Missing optional field [DvcZone]" +"(2) Info: Missing optional field [EventMessage]" +"(2) Info: Missing optional field [EventOriginalSeverity]" +"(2) Info: Missing optional field [EventOriginalSubType]" +"(2) Info: Missing optional field [EventOwner]" +"(2) Info: Missing optional field [EventReportUrl]" +"(2) Info: Missing optional field [EventSubType]" +"(2) Info: Missing optional field [LogonTarget]" +"(2) Info: Missing optional field [RuleName]" +"(2) Info: Missing optional field [RuleNumber]" +"(2) Info: Missing optional field [Rule]" +"(2) Info: Missing optional field [SrcDescription]" +"(2) Info: Missing optional field [SrcDeviceType]" +"(2) Info: Missing optional field [SrcDomain]" +"(2) Info: Missing optional field [SrcDvcId]" +"(2) Info: Missing 
optional field [SrcDvcOs]" +"(2) Info: Missing optional field [SrcDvcScopeId]" +"(2) Info: Missing optional field [SrcDvcScope]" +"(2) Info: Missing optional field [SrcFQDN]" +"(2) Info: Missing optional field [SrcGeoCity]" +"(2) Info: Missing optional field [SrcGeoCountry]" +"(2) Info: Missing optional field [SrcGeoLatitude]" +"(2) Info: Missing optional field [SrcGeoLongitude]" +"(2) Info: Missing optional field [SrcGeoRegion]" +"(2) Info: Missing optional field [SrcHostname]" +"(2) Info: Missing optional field [SrcIsp]" +"(2) Info: Missing optional field [SrcOriginalRiskLevel]" +"(2) Info: Missing optional field [SrcPortNumber]" +"(2) Info: Missing optional field [SrcRiskLevel]" +"(2) Info: Missing optional field [TargetAppId]" +"(2) Info: Missing optional field [TargetAppType]" +"(2) Info: Missing optional field [TargetDescription]" +"(2) Info: Missing optional field [TargetDeviceType]" +"(2) Info: Missing optional field [TargetDvcId]" +"(2) Info: Missing optional field [TargetDvcOs]" +"(2) Info: Missing optional field [TargetDvcScopeId]" +"(2) Info: Missing optional field [TargetDvcScope]" +"(2) Info: Missing optional field [TargetFQDN]" +"(2) Info: Missing optional field [TargetGeoCity]" +"(2) Info: Missing optional field [TargetGeoCountry]" +"(2) Info: Missing optional field [TargetGeoLatitude]" +"(2) Info: Missing optional field [TargetGeoLongitude]" +"(2) Info: Missing optional field [TargetGeoRegion]" +"(2) Info: Missing optional field [TargetHostname]" +"(2) Info: Missing optional field [TargetIpAddr]" +"(2) Info: Missing optional field [TargetOriginalRiskLevel]" +"(2) Info: Missing optional field [TargetPortNumber]" +"(2) Info: Missing optional field [TargetRiskLevel]" +"(2) Info: Missing optional field [ThreatCategory]" +"(2) Info: Missing optional field [ThreatConfidence]" +"(2) Info: Missing optional field [ThreatField]" +"(2) Info: Missing optional field [ThreatFirstReportedTime]" +"(2) Info: Missing optional field [ThreatId]" +"(2) Info: Missing 
optional field [ThreatIpAddr]" +"(2) Info: Missing optional field [ThreatIsActive]" +"(2) Info: Missing optional field [ThreatLastReportedTime]" +"(2) Info: Missing optional field [ThreatName]" +"(2) Info: Missing optional field [ThreatOriginalConfidence]" +"(2) Info: Missing optional field [ThreatOriginalRiskLevel]" +"(2) Info: Missing optional field [ThreatRiskLevel]" +"(2) Info: extra unnormalized column [LogonMethodOriginal]" +"(2) Info: extra unnormalized column [LogonProtocolOriginal]" +"(2) Info: extra unnormalized column [TlsCipher]" +"(2) Info: extra unnormalized column [TlsVersion]" From 31f11e21ae2941d1608db03cce7e56ac197252e7 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Tue, 18 Jul 2023 10:13:15 +0000 Subject: [PATCH 21/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthenticationSalesforceSC.json | 2 +- .../ARM/imAuthentication/imAuthentication.json | 2 +- .../vimAuthenticationSalesforceSC.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json index 5113d6d3e46..687ca5d3b8c 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser=(disabled:bool=false){\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login 
to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on 
login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser(disabled)", + "query": "let parser=(disabled: bool=false) {\nlet EventResultLookup = 
datatable (\nlogin_status_s: string,\nDvcAction: string,\nEventResultDetails: string,\nEventResult: string,\nEventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API 
Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", 
\"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n 
ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser(disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index 84a10d1d805..fdbcc4f0f74 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" } 
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
index 2df0df0762d..823567e226e 100644
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
@@ -35,7 +35,7 @@
 "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud",
 "category": "ASIM",
 "FunctionAlias": "vimAuthenticationSalesforceSC",
- "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", 
\"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(login_type_s: string, LogonMethod: string)[\n \"7\", \"AppExchange\",\n \"A\", \"Application\",\n \"s\", \"Certificate-based login\",\n \"k\", \"Chatter Communities 
External User\",\n \"n\", \"Chatter Communities External User Third Party SSO\",\n \"r\", \"Employee Login to Community\",\n \"z\", \"Lightning Login\",\n \"l\", \"Networks Portal API Only\",\n \"6\", \"Remote Access Client\",\n \"i\", \"Remote Access 2.0\",\n \"I\", \"Other Apex API\",\n \"R\", \"Partner Product\",\n \"w\", \"Passwordless Login\",\n \"3\", \"Customer Service Portal\",\n \"q\", \"Partner Portal Third-Party SSO\",\n \"9\", \"Partner Portal\",\n \"5\", \"SAML Idp Initiated SSO\",\n \"m\", \"SAML Chatter Communities External User SSO\",\n \"b\", \"SAML Customer Service Portal SSO\",\n \"c\", \"SAML Partner Portal SSO\",\n \"h\", \"SAML Site SSO\",\n \"8\", \"SAML Sfdc Initiated SSO\",\n \"E\", \"SelfService\",\n \"j\", \"Third Party SSO\"\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | lookup EventResultLookup 
on login_status_s\n | lookup EventTypeLookup on event_type_s\n //| lookup LogonMethodLookup on login_type_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n 
wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)",
+ "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n )[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n 
\"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n ];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n )[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n ];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n 
\"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce 
Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
 }
From e4a9fd9de023c295445640e31b4843275ae6dae1 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Wed, 30 Aug 2023 22:56:24 +0530
Subject: [PATCH 22/38] updated version and added reference link
---
 .../Parsers/ASimAuthenticationSalesforceSC.yaml | 4 +++-
 .../Parsers/vimAuthenticationSalesforceSC.yaml | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
index 07f089021cb..ba49ed41d57 100644
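Review bot: `TargetUserIdType` and `ActorUserIdType` are assigned the misspelled literal `"SaleforceId"` in the second `extend` of the new query (the old side carried the same value), while the vendor is spelled `'Salesforce'` in `EventVendor` and `EventProduct`; the normalized id type should read `TargetUserIdType = iff(isnotempty(TargetUserId), "SalesforceId", "")` and `ActorUserIdType = iff(isnotempty(ActorUserId), "SalesforceId", "")`. Since this ARM template is produced from the KQL YAML, the fix belongs in `Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml` and should be regenerated from there rather than patched here. A second point is worth a comment: the `starttime`/`endtime` pre-filter compares the table's ingested `TimeGenerated`, but the pipeline later overwrites `TimeGenerated` from `timestamp_s`, so rows returned for a requested window can carry a `TimeGenerated` outside that window; a line such as `// -- starttime/endtime are applied to ingestion time; TimeGenerated is replaced below by the event's own timestamp_s` above `// -- Pre filtering` would make this explicit for detection authors who rely on the filter.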
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: Authentication ASIM parser for Salesforce Service Cloud
- Version: '0.1'
+ Version: '0.1.0'
 LastUpdated: September 30, 2022
 Product:
 Name: Salesforce Service Cloud
@@ -12,6 +12,8 @@ References:
 Link: https://aka.ms/ASimAuthenticationDoc
 - Title: ASIM
 Link: https:/aka.ms/AboutASIM
+- Title: Salesforce Service Cloud
+ Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm
 Description: |
 This ASIM parser supports normalizing Salesforce sign in logs, stored in the SalesforceServiceCloud_CL table, to the ASIM Authentication schema.
 ParserName: ASimAuthenticationSalesforceSC
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
index 3f43985b0da..f1ded77d3fb 100644
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: ASIM Authentication filtering parser for Salesforce Service Cloud
- Version: '0.1'
+ Version: '0.1.0'
 LastUpdated: July 8th, 2023
 Product:
 Name: Salesforce Service Cloud
@@ -14,6 +14,8 @@ References:
 Link: https://aka.ms/ASimAuthenticationDoc
 - Title: ASIM
 Link: https:/aka.ms/AboutASIM
+- Title: Salesforce Service Cloud
+ Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm
 Description: |
 This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema.
 ParserName: vimAuthenticationSalesforceSC
From c8dc964142afafd6709238c54d92583a095c227a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <> Date: Wed, 30 Aug 2023 17:38:35 +0000 Subject: [PATCH 23/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- .../ASimAuthenticationAADManagedIdentity.json | 2 +- .../ASimAuthenticationAADNonInteractive.json | 2 +- ...ticationAADServicePrincipalSignInLogs.json | 2 +- .../ASimAuthenticationAADSigninLogs.json | 2 +- .../ASimAuthenticationAWSCloudTrail.json | 2 +- .../ASimAuthenticationBarracudaWAF.json | 46 ++++ .../ASimAuthenticationBarracudaWAF/README.md | 18 ++ .../ASimAuthenticationCiscoASA.json | 46 ++++ .../ARM/ASimAuthenticationCiscoASA/README.md | 18 ++ .../ASimAuthenticationCiscoISE.json | 46 ++++ .../ARM/ASimAuthenticationCiscoISE/README.md | 18 ++ .../ASimAuthenticationCiscoMeraki.json | 46 ++++ .../ASimAuthenticationCiscoMeraki/README.md | 18 ++ .../ASimAuthenticationM365Defender.json | 2 +- .../ASimAuthenticationMicrosoftMD4IoT.json | 2 +- ...imAuthenticationMicrosoftWindowsEvent.json | 2 +- .../ASimAuthenticationOktaOSS.json | 2 +- .../ASimAuthenticationPostgreSQL.json | 2 +- .../ASimAuthenticationSshd.json | 2 +- .../ASimAuthenticationSu.json | 2 +- .../ASimAuthenticationSudo.json | 2 +- .../ASimAuthenticationVectraXDRAudit.json | 46 ++++ .../README.md | 18 ++ .../ARM/FullDeploymentAuthentication.json | 200 ++++++++++++++++++ .../imAuthentication/imAuthentication.json | 2 +- .../vimAuthenticationBarracudaWAF/README.md | 18 ++ .../vimAuthenticationBarracudaWAF.json | 46 ++++ .../ARM/vimAuthenticationCiscoASA/README.md | 18 ++ .../vimAuthenticationCiscoASA.json | 46 ++++ .../ARM/vimAuthenticationCiscoISE/README.md | 18 ++ .../vimAuthenticationCiscoISE.json | 46 ++++ .../vimAuthenticationCiscoMeraki/README.md | 18 ++ .../vimAuthenticationCiscoMeraki.json | 46 ++++ .../vimAuthenticationVectraXDRAudit/README.md | 18 ++ .../vimAuthenticationVectraXDRAudit.json | 46 ++++ 36 files changed, 855 insertions(+), 15 deletions(-) create mode 100644 
Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md create mode 100644 
Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
index 492f075ed84..b0289436aba 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty\n , ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) ))\n , ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) ))\n , ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) ))\n , ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) ))\n , ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) ))\n , ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) ))\n , ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) ))\n , ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) ))\n , ASimAuthenticationSshd (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationSshd' in (DisabledParsers) ))\n , ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) ))\n , ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n 
ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json index a7f9c3c38d2..e6cd556f988 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json 
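Review bot: The rewritten union on the new side has no comma between the `ASimAuthenticationSalesforceSC (...)` and `ASimAuthenticationVectraXDRAudit (...)` entries, so the generated query is not valid KQL and the unifying `ASimAuthentication` function will fail to run, which takes every source-specific parser out of the normalized Authentication view that analytics rules query. Since this ARM template is a build artifact, the fix belongs in the KQL function YAML it is generated from: end the SalesforceSC line with a comma, `ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),`, and ideally place it between the PostgreSQL and SigninLogs entries so the list stays sorted like the rest. The diffstat lists a new `ASimAuthenticationCiscoASA.json` template, yet no CiscoASA entry appears in this union; if that parser is meant to be part of the unifying function, it is missing here too.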
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for AAD managed identity sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n 
\"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" 
,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Managed Identity\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Service'\n , TargetUsernameType = 'Simple'\n , TargetUserIdType = 'AADID'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , 
LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser (disabled=disabled)", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - 
SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" 
,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/AAD',\n EventCount = int(1),\n EventProduct = 'AAD',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, 
Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json index b38bce83623..8bd8bc8ad96 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json 
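Review bot: `Dvc = 'Microsft/AAD'` in the extend block survives the reorder on the new side with what looks like a misspelling of `'Microsoft/AAD'`; Dvc is an entity field that downstream rules and workbooks filter on, so a misspelt vendor string makes this source drop out of queries that match on it. As the template is generated, the correction belongs in the YAML function source rather than here. Whether the other AAD parsers already emit `'Microsoft/AAD'` cannot be confirmed from this diff, so the canonical value should be checked before changing it, because existing content may match the current string.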
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for AAD non-interactive sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet AADNIAuthentication=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , EventSubType='NonInteractive'\n , 
TargetUsernameType='UPN'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(disabled)", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | 
extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'AAD',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json index f3be7e9f403..ab04186cdc3 100644 
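Review bot: `EventResult = iff (ResultType ==0, 'Success', 'Failure')` compares ResultType with the integer 0, although the `FailedReason` datatable declares `ResultType:string` and the later `lookup FailedReason on ResultType` requires the column to be a string; the comparison therefore depends on implicit string-to-number coercion, and if that does not hold every sign-in is classified as Failure. Making the literal type explicit, `EventResult = iff (ResultType == '0', 'Success', 'Failure'),`, removes that dependency; since the template is generated, the change belongs in the source YAML. Separately, `EventSchemaVersion = '0.1.0'` here differs from the `'0.1.3'` declared in the ASimAuthenticationAADManagedIdentity template in this same commit; if both parsers target the same schema revision, the values should be aligned.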
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for AAD service principal sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n 
\"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" 
,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where \n not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = 
AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Service Principal\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Service'\n , TargetUsernameType = 'Simple'\n , TargetUserIdType = 'AADID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n , SrcGeoCountry = Location\n , SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n , SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n , SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser \n(\n disabled = disabled\n)", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - 
DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" 
,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" 
,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/AAD',\n EventCount = int(1),\n EventProduct = 'AAD',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n 
TargetAppType = \"Resource\",\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json index 518d0178770..d7093b5169b 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json 
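Review bot: A result code that is missing from AADResultTypesLookup loses its original code entirely: the post-lookup `extend` falls back with `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)`, which yields either "Logon" or empty depending on how Kusto resolves `EventType` inside the same extend, and the later `project-away ... Result*` then drops `ResultType`, so an unmapped service-principal failure leaves an analyst with no code to pivot on. Fall back to the raw code instead: `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), ResultType, EventOriginalResultDetails)`. The `Dvc = 'Microsft/AAD'` literal carried over from the old side is misspelled and will break any rule or join keyed on `Dvc == 'Microsoft/AAD'`; it should read `Dvc = 'Microsoft/AAD'`. `SrcGeoCountry = Location` also takes the raw `Location` column while the other geo fields parse `LocationDetails`; if `Location` is not the country string, `tostring(LocationDetails.countryOrRegion)` would be the consistent source, worth confirming against the table schema.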
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for AAD interactive sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Member', 'Regular',\n 'Guest','Guest', \n '',''\n];\nlet AADSigninLogs=(disabled:bool=false){\nSigninLogs | where not(disabled)\n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , EventSubType = 'Interactive'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= 
tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='UPN'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId\n };\n AADSigninLogs(disabled)\n", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n 
'500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'AAD',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcDvcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN'\n| extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n //\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n };\n parser \n (\n disabled = disabled\n )", "version": 1, "functionParameters": "disabled:bool=False" } 
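Review bot: The FailedReason table disagrees with AADResultTypesLookup in the service-principal parser of this same commit for identical AAD codes: `'50173', 'Password expired'` and `'70008', 'Password expired'` here versus "Session expired" there, and `'50034'`/`'50059'`/`'51004'` are "No such user or password" here but "No such user" there, so one ASIM rule on EventResultDetails sees different values for the same failure depending on whether a user or a service principal signed in. Align the two tables, e.g. `'50173', 'Session expired',` and `'70008', 'Session expired',`, with the service-principal wording looking like the more precise one. Unmapped codes get no EventResultDetails at all, and the parser emits neither EventSchema nor EventSeverity while the sibling parsers set both; if that is deliberate for schema version 0.1.0, a comment saying so would help. The `'0', 'Success'` row also puts a value into EventResultDetails on success, which the other parsers leave empty; worth confirming which convention the schema expects.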
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json index f451771481a..ef59fc9cb07 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for AWS sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAWSCloudTrail", - "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\"\n , username contains \"\\\\\", \"Windows\"\n , (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\"\n , isempty(username), \"\"\n , \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = 
tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. \n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser (disabled=disabled) ", + "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole 
are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n];\nlet eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n];\nlet ASIM_GetUsernameType = (username:string) { \n case ( \n username contains \"@\" , \"UPN\",\n username contains \"\\\\\", \"Windows\",\n (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\",\n isempty(username), \"\",\n \"Simple\"\n )\n};\nlet parser=(disabled:bool=false){\n AWSCloudTrail \n | where not(disabled)\n | where EventName == 'ConsoleLogin'\n | project-rename\n EventOriginalResultDetails = ErrorMessage,\n EventOriginalUid = AwsEventId,\n EventProductVersion = EventVersion,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetOriginalUserType = UserIdentityType,\n TargetUserScopeId = UserIdentityAccountId\n | extend\n Dvc = 'AWS',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'CloudTrail',\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'AWS',\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n LogonProtocol = 'HTTPS',\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n TargetUserIdType = 'AWSId',\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , 
UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. \n UserIdentityUserName\n )\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational'),\n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n // -- Specific identifier aliases\n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n Dst = LogonTarget,\n Dvc = EventVendor,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n User = TargetUsername\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser \n (\n disabled = disabled\n )", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json new file mode 100644 index 00000000000..070f3cfe65f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json 
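Review bot: `eventresultdetails_lookup` is declared with an `EventOriginalDetails` output column, so `lookup eventresultdetails_lookup on EventOriginalResultDetails` writes the normalized reason ("No such user") into a column that is not a schema field and never populates `EventResultDetails`, the field the other authentication parsers in this commit fill; declare it as `datatable (EventOriginalResultDetails:string, EventResultDetails:string)`. `TargeCloudRegion = AWSRegion` in the `project-rename` looks like a misspelling of `TargetCloudRegion`, which leaves the region under a name no rule will query. The MFA and login-target extraction depend on the exact serialization of the raw JSON (`AdditionalEventData has '"MFAUsed": "Yes"'` with a space after the colon, `'"MobileVersion":"Yes"'` without one, and the `parse ... '"LoginTo":"'` pattern); parsing once with `todynamic(AdditionalEventData)` and reading `.MFAUsed`, `.MobileVersion` and `.LoginTo` would survive whitespace changes, which matters because a missed match silently reports an MFA login as LogonMethod ''. The comment typo `AssuderRole` should read `AssumedRole`.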
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationBarracudaWAF", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n EventName_s: string,\n 
EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (disabled: bool=false)\n{\nlet BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n 
SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\nlet BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername= DestinationUserName\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\")\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n 
Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\nunion isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md new file mode 100644 index 00000000000..c798a479c18 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/README.md @@ -0,0 +1,18 @@ +# Barracuda WAF ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Barracuda WAF. + +This ASIM parser supports normalizing the Barracuda WAF logs to the ASIM authentication normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
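Review bot: In the EventTypeLookup datatable at the top of the query string, the row `"UNSUCCESSFUL_LOGIN", "Logoff", "Failure"` normalizes a failed login as a Logoff event, so failed authentications from both the custom-log and CEF branches will carry EventType Logoff and any content that filters on `EventType == "Logon" and EventResult == "Failure"` (failed-logon or lockout analytics) will not see them; the row should read `"UNSUCCESSFUL_LOGIN", "Logon", "Failure",`. Separately, both branches populate ActorUsername (from AdminName_s / DestinationUserName) and never set TargetUsername or the User alias, while the other parsers in this commit record the authenticated identity as TargetUsername; if AdminName_s is the account being authenticated, mapping it to TargetUsername would keep the parsers consistent. The hard-coded `ActorUserType = "Admin"` is an assumption about the log source rather than something the event states, and deserves a short comment such as `// -- Barracuda AUDIT logon events are assumed to be administrator logons`.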
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationBarracudaWAF%2FASimAuthenticationBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationBarracudaWAF%2FASimAuthenticationBarracudaWAF.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json
new file mode 100644
index 00000000000..0777b3bdadc
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoASA", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoASA", + "query": "let parser = (\n disabled:bool=false\n){\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", 
\"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog\n | where 
not(disabled) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress,EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> 
User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n ) \n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n 
| extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", EventResultDetails)\n};\nparser (\n disabled = disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md new file mode 100644 index 00000000000..a5736c74ab9 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/README.md @@ -0,0 +1,18 @@ +# Cisco Adaptive Security Appliance (ASA) ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Cisco Adaptive Security Appliance (ASA). + +This ASIM parser supports normalizing authentication events, collected from Cisco ASA devices, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
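Review bot: In the DeviceEventClassIDLookup datatable, `"113006"` is mapped to EventResultDetails `"Logon violates policy"`, yet its parse branch (`parse Message with * 'User ' TargetUsername ' locked' *`) looks like an account-lockout message, and the Barracuda parser in this same commit normalizes lockouts to `"User locked"`; a lockout surfacing as a policy violation will be missed by content keyed on the lockout result, so if 113006 is indeed the lockout event the row should read `"113006", "User locked", "Logon", "Failure", "Blocked", "Remote",`. A second, smaller point: the lookup declares DeviceEventClassID as string, while the per-message filters compare it to integer literals (`DeviceEventClassID == 113005`, `in(605004,605005)`); if this relies on implicit conversion it would be clearer, and consistent with the lookup table, to use string literals there. The `EventResultDetails` override for a masked `"*****"` username at the end of the pipeline would also benefit from a one-line comment explaining that the ASA masks the name on authentication failure, since a reader otherwise has no way to tell where that sentinel comes from.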
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoASA%2FASimAuthenticationCiscoASA.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoASA%2FASimAuthenticationCiscoASA.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
new file mode 100644
index 00000000000..4511c0681c7
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoISE", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n)[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", 
\"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. Account is disabled due to password expiration\", \"Authentication failed. 
Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(disabled: bool=false) {\n Syslog\n | where not(disabled)\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n , TargetIpAddr=DestinationIPAddress\n , TargetPortNumber=DestinationPort\n , TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n , SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername)\n , SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n | extend \n EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"Authentication\"\n , EventSchemaVersion = \"0.1.3\"\n // **************** *****************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , IpAddr = SrcIpAddr\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = TargetUsername\n // **************** ****************\n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md new file mode 100644 index 00000000000..6451de3a36f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/README.md 
@@ -0,0 +1,18 @@
+# Cisco ISE ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco ISE.
+
+This ASIM parser supports normalizing Cisco ISE events produced by the Microsoft Sentinel Cisco ISE connector to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoISE%2FASimAuthenticationCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoISE%2FASimAuthenticationCiscoISE.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json
new file mode 100644
index 00000000000..d3bebebf18d
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoMeraki", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect 
key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool=false) {\n union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all(\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\"\n | parse Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: 
string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n TargetUsername = identity,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n TargetUsername = trim('\"', TargetUsername),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\")\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md new file mode 100644 index 00000000000..cbaeaa28df2 --- /dev/null 
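Review bot: In the `extend` steps after `parse-kv`, the authenticating client's address and MAC are written into the reporting-device fields — `DvcIpAddr = SrcIpAddr` and `DvcMacAddr = client_mac` — so the Dvc* columns describe the client rather than the Meraki device that `_ASIM_ResolveDvcFQDN('Device')` resolved, and anything keyed on Dvc fields (device inventory, per-device baselines) is skewed. Drop `DvcIpAddr = SrcIpAddr,` and `DvcMacAddr = client_mac,`, and carry the MAC in the bag instead, `AdditionalFields = bag_pack("aid", aid, "client_mac", client_mac)`. `EventUid = _ResourceId` also looks wrong: `_ResourceId` identifies the sending resource and is shared by every record from it, so it is not a per-event unique id — worth confirming against what the connector actually populates. A smaller point of style: `where not(disabled)` sits after the `union` rather than inside each branch as the Cisco ISE parser does (`Syslog | where not(disabled)`), which leaves it to the optimizer to push the constant predicate down into both sources. If this ARM template is produced from the YAML parser, the change belongs in the YAML source.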
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/README.md
@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Authentication normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoMeraki%2FASimAuthenticationCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCiscoMeraki%2FASimAuthenticationCiscoMeraki.json)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
index 4d1c5c28f8b..ad62a970a48 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for M365 Defender Device Logon Events", "category": "ASIM", "FunctionAlias": "ASimAuthenticationM365Defender", - "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n , ActorUsernameType = \"Simple\"\n , TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n , ActingProcessName = InitiatingProcessFolderPath\n , TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n , TargetUserIdType = 'SID'\n , ActorUserIdType = 'SID'\n , ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n , TargetUsername = iff (\n isempty(AccountDomain), 
AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n , TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n , ActorUsernameType = iff (InitiatingProcessAccountDomain == '','Simple', 'Windows')\n , ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName)\n | project-rename \n ActorUserId = InitiatingProcessAccountSid\n , TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n , ActorUserSid = ActorUserId\n , TargetWindowsUsername = TargetUsername\n , ActorWindowsUsername = ActorUsername\n , ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n EventOriginalResultDetails = FailureReason \n , EventOriginalType = LogonType\n , EventUid = _ItemId\n , LogonProtocol = Protocol\n , TargetDvcId = DeviceId\n , SrcHostname = RemoteDeviceName\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime = InitiatingProcessCreationTime\n , ActingProcessMD5 = InitiatingProcessMD5\n , ActingProcessSHA1 = InitiatingProcessSHA1 \n , ActingProcessSHA256 = InitiatingProcessSHA256\n , ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation = InitiatingProcessTokenElevation\n , ParentProcessName = InitiatingProcessParentFileName\n , ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n , ActorUserUpn = InitiatingProcessAccountUpn\n , ActorUserAadId = 
InitiatingProcessAccountObjectId\n , SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventSchemaVersion = '0.1.3'\n , EventType = 'Logon'\n , EventVendor = 'Microsoft'\n , EventProduct = 'M365 Defender for EndPoint'\n , EventSchema = 'Authentication'\n , TargetDvcIdType = 'MDEid'\n , ActingProcessId = tostring (InitiatingProcessId)\n , ParentProcessId = tostring (InitiatingProcessParentId)\n , EventOriginalUid = tostring (ReportId)\n , TargetSessionId = tostring (LogonId)\n , SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce(\n ActingProcessSHA256\n , ActingProcessSHA1\n , ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n , TargetHostname = ExtractedHostname\n , TargetDomainType = DomainType\n , TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n , DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n , Prcess = ActingProcessName\n , IpAddr = SrcIpAddr\n , ActingAppName = ActingProcessName\n , ActingAppType = \"Process\"\n , Dvc = coalesce (TargetFQDN, TargetHostname)\n , Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n , DvcFQDN = TargetFQDN\n , DvcHostname = TargetHostname\n , DvcDomain = TargetDomain\n , DvcDomainType = TargetDomainType\n , DvcId = TargetDvcId\n , DvcIdType = TargetDvcIdType\n , DvcOs = TargetDvcOs\n | extend \n LogonTarget = Dvc\n , Dst = Dvc\n | 
project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)", + "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat 
(InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n 
EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n 
DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json index 378e59e75a2..1e3a7d8b4a2 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json 
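Review bot: The new `Hash = coalesce(ActingProcessMD5, ActingProcessSHA1, ActingProcessSHA256)` inverts the hash preference: the old side tried SHA256 first and fell back to weaker digests, while the alphabetical reorder now returns MD5 whenever it is populated, so `Hash` and the derived `HashType` will report MD5 for most rows even when a SHA256 is present. coalesce() arguments are a priority order, not a field list, so this one line should be exempted from the alphabetical sort: `Hash = coalesce(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5)`. A short comment such as `// prefer the strongest available digest` above it would keep the next tidy-up from reintroducing the swap. While touching the alias block, `Prcess = ActingProcessName` reads like a misspelt `Process` alias; it predates this change but is carried over unchanged.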
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Microsoft Defender for IoT endpoint logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationMD4IoT", - "query": "let Authentication_MD4IoT=(disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | extend\n EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName),\n SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(disabled)", + "query": "let parser=(disabled:bool=false)\n{\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\" \n | project-rename EventUid = _ItemId\n | extend\n EventDetails = todynamic(EventDetails)\n | extend\n EventCount = int(1),\n EventEndTime = 
todatetime(TimeGenerated), \n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success'), \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventVendor = 'Microsoft'\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n SrcIpAddr = tostring(EventDetails.RemoteAddress), \n TargetUsername = tostring(EventDetails.UserName),\n TargetUsernameType = \"Simple\"\n | project-rename\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId, \n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion // -- Not available in Windows\n // -- aliases\n | extend \n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Process = ActingProcessName, \n SrcDvcIpAddr = SrcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled = disabled\n )", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json index 86928df5cf7..b5a1546bf08 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json 
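Review bot: `| project-rename EventUid = _ItemId` is added while `EventSchemaVersion = '0.1.0'` is left as it was; if EventUid belongs to a later schema revision, as the `'0.1.3'` used by the M365 Defender parser in the same commit suggests, the version string should move with the new field so consumers can tell which columns to expect. A one-line comment on the rename, e.g. `// EventUid: stable per-row id from the ingestion pipeline`, would also make clear why `_ItemId` is surfaced rather than dropped.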
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Windows Security Events", "category": "ASIM", "FunctionAlias": "ASimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 
'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\n let WinLogon=(disabled:bool=false){ \n WindowsEvent | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , 
EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName))),\n SrcDvcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend EventMessage = case(EventID == 4634, \"4634 - An account was logged off.\", \n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n TargetDvcHostname = Computer\n , EventOriginalUid=EventOriginId \n , EventOriginalType=EventID\n | extend EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n , ActorUsernameType= iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ) \n , TargetUsernameType=iff(TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , 
Dvc=SrcDvcHostname\n};\nlet SecEventLogon=(disabled:bool=false){\n SecurityEvent | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n EventMessage = Activity\n , ActorSessionId=SubjectLogonId\n , TargetSessionId=TargetLogonId\n , ActorUserId=SubjectUserSid\n , TargetUserId =TargetUserSid\n , SrcDvcHostname = WorkstationName\n , TargetDvcHostname = Computer\n , EventOriginalUid = EventOriginId\n , LogonProtocol=AuthenticationPackageName\n , SrcDvcIpAddr=IpAddress\n , EventOriginalType=EventID\n | extend EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventProduct = \"Security Events\"\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n , ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount)\n , ActorUsernameType= iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' )\n , TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), trim(@'\\\\',TargetAccount))\n , TargetUsernameType=iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , Dvc=SrcDvcHostname\n };\nunion isfuzzy=true SecEventLogon(disabled), WinLogon(disabled)\n", + "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, 
EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 
'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\nlet WinLogon=(disabled:bool=false){ \n WindowsEvent \n | where not(disabled)\n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend \n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUserId = tostring(EventData.SubjectUserSid),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n EventProduct = \"Security Events\",\n LogonGuid = tostring(EventData.LogonGuid),\n LogonProtocol = tostring(EventData.AuthenticationPackageName),\n LogonType = toint(EventData.LogonType),\n SrcDvcHostname = tostring(EventData.WorkstationName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n Status = tostring(EventData.Status),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetPortNumber = toint(EventData.IpPort),\n TargetSessionId = 
tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff (EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName)))\n | extend \n EventStatus = iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend \n EventMessage = case(\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4634, \"4634 - An account was logged off.\", \n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId, \n EventUid = _ItemId, \n TargetDvcHostname = Computer\n | extend \n ActorUserIdType = 'SID',\n ActorUsernameType = iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsernameType = iff(TargetDomainName in ('-',''), 'Simple', 'Windows')\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername\n};\nlet SecEventLogon=(disabled:bool=false){\n SecurityEvent \n | where not(disabled)\n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n ActorSessionId = SubjectLogonId,\n ActorUserId = SubjectUserSid,\n 
EventMessage = Activity,\n EventOriginalType = EventID,\n EventOriginalUid = EventOriginId,\n LogonProtocol = AuthenticationPackageName,\n SrcDvcHostname = WorkstationName,\n SrcDvcIpAddr = IpAddress,\n TargetDvcHostname = Computer,\n TargetSessionId = TargetLogonId,\n TargetUserId = TargetUserSid\n | extend \n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount),\n ActorUsernameType = iff(SubjectDomainName in ('-',''), 'Simple', 'Windows' ),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = \"Security Events\",\n EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventStatus = iff(SubStatus=='0x0',Status,SubStatus),\n EventType = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),\n EventVendor = 'Microsoft',\n SrcDvcOs = 'Windows',\n TargetUserIdType = 'SID',\n TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), trim(@'\\\\',TargetAccount)),\n TargetUsernameType = iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId),\n TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n Dvc = SrcDvcHostname,\n LogonTarget = TargetDvcHostname,\n User = TargetUsername\n };\nunion isfuzzy=true \n SecEventLogon(disabled=disabled), \n WinLogon(disabled=disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json index b9ca13c2f11..a12916786e4 100644 
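Review bot: `EventUid = _ItemId` is added to WinLogon's `project-rename` but not to SecEventLogon's, so after `union isfuzzy=true` the rows that come from SecurityEvent carry an empty EventUid while WindowsEvent rows are populated. Add `EventUid = _ItemId,` to the SecEventLogon `project-rename` block as well, assuming SecurityEvent exposes `_ItemId` like WindowsEvent does (the hunk does not show that). Separately, `EventStatus = iff(SubStatus=='0x0',Status,SubStatus)` is still computed twice in WinLogon — once in the `extend` directly after the field extraction and again in the alphabetised `extend` — and the second copy can be dropped since the lookup on EventStatus only needs one.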
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Okta", "category": "ASIM", "FunctionAlias": "ASimAuthenticationOktaSSO", - "query": "let OktaSignin=(disabled:bool=false){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL | where not(disabled)\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s\n , TargetUserIdType='OktaId'\n , TargetUsernameType='UPN'\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , ActingAppType = \"Browser\"\n | project-rename \n EventMessage=displayMessage_s\n ,EventOriginalResultDetails=outcome_reason_s\n , LogonMethod = authenticationContext_credentialType_s\n , TargetSessionId=authenticationContext_externalSessionId_s\n , TargetUserId= actor_id_s\n , TargetUsername=actor_alternateId_s\n , TargetUserType=actor_type_s\n , SrcDvcOs=client_userAgent_os_s\n , HttpUserAgent=client_userAgent_rawUserAgent_s\n , ActingAppName = client_userAgent_browser_s\n , SrcIsp=securityContext_isp_s\n , SrcGeoCity=client_geographicalContext_city_s\n , SrcGeoCountry=client_geographicalContext_country_s\n , EventOriginalUid = uuid_g\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n | project-away *_s, *_d, *_b, *_g, *_t\n };\nOktaSignin(disabled)\n", + "query": "let parser=(disabled:bool=false){\n 
let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL \n | where not(disabled)\n | where eventType_s in (OktaSigninEvents)\n | extend \n ActingAppType = \"Browser\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Okta',\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = legacyEventType_s,\n EventType = iff(eventType_s hassuffix 'start', 'Logon', 'Logoff'),\n EventVendor = 'Okta',\n SrcGeoLatitude = toreal(client_geographicalContext_geolocation_lat_d),\n SrcGeoLongitude = toreal(client_geographicalContext_geolocation_lon_d),\n TargetUserIdType = 'OktaId',\n TargetUsernameType = 'UPN'\n | project-rename \n ActingAppName = client_userAgent_browser_s,\n EventMessage = displayMessage_s,\n EventOriginalResultDetails = outcome_reason_s,\n EventOriginalUid = uuid_g,\n HttpUserAgent = client_userAgent_rawUserAgent_s,\n LogonMethod = authenticationContext_credentialType_s,\n SrcDvcOs = client_userAgent_os_s,\n SrcGeoCity = client_geographicalContext_city_s,\n SrcGeoCountry = client_geographicalContext_country_s,\n SrcIsp = securityContext_isp_s,\n TargetSessionId = authenticationContext_externalSessionId_s,\n TargetUserId = actor_id_s,\n TargetUsername = actor_alternateId_s,\n TargetUserType = actor_type_s,\n EventUid = _ItemId\n // ** Aliases\n | extend \n Dvc = EventVendor,\n User = TargetUsername\n | project-away *_s, *_d, *_b, *_g, *_t\n };\nparser(disabled=disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } 
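Review bot: The rewritten Okta query still sets no `EventSchema`, while the PostgreSQL and sshd queries in this same patch set `EventSchema = 'Authentication'` next to `EventSchemaVersion`; add `EventSchema = 'Authentication',` to the first `extend` so Okta rows are labeled like the other ASIM authentication parsers. The query also never populates `SrcIpAddr`, even though source ISP, city and country are mapped from the client context, so detections built on this parser have no source address to pivot on; if the Okta_CL record carries a client IP column (its name is not visible here) it should be mapped in the `project-rename`. If this ARM JSON is generated from the YAML parser definition, the same change belongs in the YAML source.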
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
index 7b42e3b357e..89c5ce196a9 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for PostgreSQL", "category": "ASIM", "FunctionAlias": "ASimAuthenticationPostgreSQL", - "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , EventOriginalRestultDetails = 'Connection authorized'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has 'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'User authentication failed'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// 
************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has_all ('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'Role does not exist'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n , SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'No entry for user'\n// ************************ \n// 
\n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n | where RawData has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logoff'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , SrcIpAddr = extract(@'host=\\[?(.*?)\\]?', 1, RawData)\n , EventResultDetails = 'Session expired'\n , EventOriginalRestultDetails = 'User session closed'\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nunion isfuzzy=false PostgreSQLSignInAuthorized(disabled), PostgreSQLAuthFailure1(disabled), PostgreSQLAuthFailure2(disabled), PostgreSQLAuthFailure3(disabled), PostgreSQLDisconnect(disabled)\n", + "query": "let PostgreSQLSignInAuthorized=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'connection authorized'\n| project-rename \n EventUid = _ItemId\n| extend\n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Connection authorized',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n 
EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc=Computer,\n User=TargetUsername\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'authentication failed'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure2=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('role', 'does', 'not', 'exist')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'Role does not exist',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n 
EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n TargetUsername = extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLAuthFailure3=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has_all ('no', 'entry', 'user')\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'No entry for user',\n EventProduct = 'PostgreSQL',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData),\n TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nlet PostgreSQLDisconnect=(disabled:bool=false){\nPostgreSQL_CL \n| where not(disabled)\n| where RawData has 'disconnection'\n| extend \n DvcHostname = Computer,\n DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'PostgreSQL',\n EventResult = 'Success',\n EventResultDetails = 'Session expired',\n EventSchema = 
'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'PostgreSQL',\n SrcIpAddr = extract(@'host=\\[?(.*?)\\]?', 1, RawData),\n TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData),\n TargetUsernameType = 'Simple'\n// ************************ \n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************ \n// \n// ************************\n| project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n};\nunion isfuzzy=false \n PostgreSQLSignInAuthorized(disabled = disabled), \n PostgreSQLAuthFailure1(disabled = disabled), \n PostgreSQLAuthFailure2(disabled = disabled), \n PostgreSQLAuthFailure3(disabled = disabled), \n PostgreSQLDisconnect(disabled = disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json index c7943e41adf..a370118546f 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json 
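Review bot: `EventUid = _ItemId` is added only in `PostgreSQLSignInAuthorized`; the four other branches (`PostgreSQLAuthFailure1`, `PostgreSQLAuthFailure2`, `PostgreSQLAuthFailure3`, `PostgreSQLDisconnect`) never rename `_ItemId`, so after the union the failure and disconnect rows carry an empty `EventUid` while only the success rows are populated. Add the same `| project-rename EventUid = _ItemId` after the `where` in each of the four functions. The reordered `extend` blocks also carry two pre-existing defects along: the quantifier `\d{1.3}` in every `DvcIpAddr` extraction has a dot where a comma belongs, so the pattern never matches a dotted-quad and `DvcIpAddr` stays empty, and `EventOriginalRestultDetails` is misspelled relative to the `EventOriginalResultDetails` used by the Okta query above.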
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for OpenSSH sshd", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSshd", - "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventResult = 'Success'\n , EventSeverity = 'Informational'\n , EventType = 'Logon'\n , EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low' \n , EventType = 'Logon'\n , LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n , EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n , EventCount = toint(coalesce(EventCount,1))\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let 
SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventSeverity = 'Informational'\n , EventType = 'Logoff'\n , EventResult = 'Success'\n , EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low'\n , EventType = 'Logon'\n , EventResultDetails = 'No such user'\n , EventCount = int(1)\n , SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n , SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , 
TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled)\n , SSHDFailed (disabled=disabled)\n , SSHDInvalidUser (disabled=disabled)\n , SSHDTimeout 
(disabled=disabled)\n , SSHDABreakInAttemptMappingFailed (disabled=disabled)\n , SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n , SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n , EventProduct = 'OpenSSH'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n , LogonProtocol = 'ssh'\n , TargetAppName = 'sshd'\n , TargetAppType = 'Service'\n , EventSubType = 'Remote'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetUsernameType = 'Simple'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = _SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , TargetIpAddr = DvcIpAddr\n };\n parser (disabled=disabled)", + "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Accepted'\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventCount = int(1),\n EventResult = 
'Success',\n EventSeverity = 'Informational',\n EventType = 'Logon'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format \"Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventCount = toint(coalesce(EventCount,1)),\n EventResult = 'Failure',\n EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password'),\n EventSeverity = 'Low' ,\n EventType = 'Logon',\n LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventCount = int(1),\n EventResult = 'Success',\n EventSeverity = 'Informational',\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage 
startswith 'Invalid user'\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'No such user',\n EventSeverity = 'Low',\n EventType = 'Logon',\n SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser),\n SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Reverse mapping failed\", \n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n DvcAction = 'Block',\n 
EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Address to host to address mapping does not map back to address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n DvcAction = 'Block',\n EventCount = int(1),\n EventResult = 'Failure',\n EventResultDetails = 'Logon violates policy',\n EventSeverity = 'Medium',\n EventType = 'Logon',\n RuleName = \"Nasty PTR record set for IP Address\",\n TargetUsername = ''\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled),\n SSHDFailed (disabled=disabled),\n SSHDInvalidUser (disabled=disabled),\n SSHDTimeout (disabled=disabled),\n SSHDABreakInAttemptMappingFailed (disabled=disabled),\n SSHDABreakInAttemptMappingMismatch (disabled=disabled),\n SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventEndTime = TimeGenerated,\n EventProduct = 'OpenSSH',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventStartTime = TimeGenerated,\n EventSubType = 'Remote',\n EventVendor = 'OpenBSD',\n LogonProtocol = 'ssh',\n TargetAppId = tostring(ProcessID),\n TargetAppName = 'sshd',\n TargetAppType = 'Service',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n 
DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n };\n parser (\n disabled=disabled\n )", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json index 5e9205fd09c..d9ffad48a12 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json 
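Review bot: `SSHDAccepted` admits every message that starts with `Accepted` but its `parse` only matches the literal `"Accepted password for "`, so a successful public-key logon (`Accepted publickey for …`) passes the filter and is emitted as `EventResult = 'Success'` with empty `TargetUsername`, `SrcIpAddr` and `SrcPortNumber`. Parse the method as a field instead, `| parse SyslogMessage with "Accepted " AuthMethod:string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int *`, set `LogonMethod = iff (AuthMethod == 'publickey', 'PKI', 'Username & password'),` in the `extend`, and add `AuthMethod` to that branch's `project-away`, so the success branch records what `SSHDFailed` already records for failures. If dropping unmatched rows is preferred over emitting them with blank identity fields, `parse-where` does that, as `SSHDTimeout` already uses.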
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Linux su", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSu", - "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername:string \" by \" ActorUsername:string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n };\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n , SuDisconnect(disabled = disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n EventVendor = 'Linux'\n , EventProduct = 'su'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , ActorUsernameType = 'Simple'\n , TargetUsernameType = 'Simple'\n , EventSeverity = 'Informational'\n , ActingAppType = 'Process'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = 
_SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , TargetIpAddr = DvcIpAddr\n};\n parser (disabled=disabled) ", + "query": "let parser = (disabled:bool=false) {\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | parse SyslogMessage with * \"for \" TargetUsername:string \" by \" ActorUsername:string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n };\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SuDisconnect(disabled = disabled),\n SuSignInAuthorized (disabled = disabled)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n ActingAppId = tostring(ProcessID),\n ActingAppType = 'Process',\n ActorUsernameType = 'Simple',\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs = 'Linux',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 
'su',\n EventResult = 'Success',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.2',\n EventSeverity = 'Informational',\n EventStartTime = TimeGenerated,\n EventVendor = 'Linux',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple'\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n Dvc = DvcHostname,\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n};\n parser (\n disabled=disabled\n) ", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json index 8c43f376256..787a1217f61 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json 
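Review bot: The comment on the SuDisconnect sub-parser still reads `// Parsers the event \"pam_unix(su[-l]:session): session closed for user \"` on the new side; `// Parses the event ...` would match the SuSignInAuthorized comment above it. Beyond that, the hunk reorders the union and sorts the extend list, so behaviour appears unchanged. Both branches hard-code `EventResult = 'Success'`, which fits the two message formats matched, but it also means failed su attempts are not represented by this parser at all; a one-line comment at the top of the query stating that only successful elevations and session closes are normalized would stop detection authors from assuming failures are covered.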
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Syslog sudo", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSudo", - "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and SyslogMessage has 'TTY=' and SyslogMessage has 'USER='and SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo'\n , EventProduct = 'sudo'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , ActorUsernameType = 'Simple'\n , ActorUsername = extract(@'^(.*?):', 1, SyslogMessage)\n , TargetUsernameType = 'Simple'\n , EventResultDetails = 'Other'\n , EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo'\n , EventProduct = 'sudo'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , ActorUsernameType = 'Simple'\n , 
ActorUsername = extract(@'^(.*?):', 1, SyslogMessage)\n , TargetUsernameType = 'Simple'\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'User authentication failed'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventVendor = 'sudo'\n , EventProduct = 'sudo'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logoff'\n , DvcHostname = Computer\n , TargetUsernameType = 'Simple'\n , EventResultDetails = 'Other'\n , EventOriginalRestultDetails = 'User session closed'\n// ************************\n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false SudoSignInAuthorized(disabled), SudoAuthFailure1(disabled), SudoDisconnect(disabled)", + "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = 
extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n 
TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json new file mode 100644 index 00000000000..1d1acc98e3a --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json 
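Review bot: All three sub-parsers on the new side emit `EventOriginalRestultDetails`, which does not match the ASIM column `EventOriginalResultDetails`; since this hunk rewrites those lines anyway, correcting the spelling (e.g. `EventOriginalResultDetails = 'Connection authorized'`) would let the field line up with the schema and with the other parsers. SudoAuthFailure1 now renames `EventUid = _ItemId`, but SudoSignInAuthorized and SudoDisconnect do not, so EventUid is populated for failures only and the same rename belongs in the other two branches. `ActorUsername = extract(@'^(.*?):', 1, SyslogMessage)` captures everything before the first colon, which for the usual `user : TTY=...` layout would seem to include surrounding whitespace — wrapping it as `trim(@'\s+', extract(@'^(.*?):', 1, SyslogMessage))` may be needed, to be confirmed against real samples. The schema version stays at `'0.1.1'` while the su and sshd parsers in this commit use `'0.1.2'`; if that difference is intentional a short comment saying so would help.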
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationVectraXDRAudit", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationVectraXDRAudit", + "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\")\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = 
source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md new file mode 100644 index 00000000000..45a71334feb --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/README.md @@ -0,0 +1,18 @@ +# Vectra ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Vectra. + +This ASIM parser supports normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
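Review bot: `DvcIpAddr = source_ip_s` on the new side, followed by `Dvc = DvcIpAddr`, places what looks like the address the login came from into the device fields rather than `SrcIpAddr`; if source_ip_s is indeed the client address (worth confirming against Vectra's audit log reference), detections keyed on SrcIpAddr — failed-logon counts per source, for example — will never match these events, and `Dvc` ends up naming the client instead of the Vectra appliance. `ActorUsernameType = \"UPN\"` is asserted unconditionally; if username_s can also hold a plain name, deriving it from the value (for instance `ActorUsernameType = iff(username_s has '@', 'UPN', 'Simple')`) would be safer. `EventSeverity` is not set at all, whereas the other parsers in this commit emit it; `EventSeverity = 'Informational'` would keep them consistent. The `event_action_s in (\"login\",\"logout\")` filter silently drops every other audit action, so a one-line comment stating that only login/logout audit events are normalized would make the coverage visible.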
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVectraXDRAudit%2FASimAuthenticationVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVectraXDRAudit%2FASimAuthenticationVectraXDRAudit.json) diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 68301cc5322..ad8e5b99bed 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json 
@@ -138,6 +138,86 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationBarracudaWAF", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoASA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoISE", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoMeraki", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -318,6 +398,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationVectraXDRAudit", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -438,6 +538,86 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationBarracudaWAF", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoASA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoISE", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoMeraki", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -617,6 +797,26 @@ } } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationVectraXDRAudit", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } } ], "outputs": {} diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index fdbcc4f0f74..d17b9962222 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
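Review bot: The `@@ -438` hunk adds a `linkedvimAuthenticationCiscoASA` deployment, but the imAuthentication union rewritten later in this commit does not gain a `vimAuthenticationCiscoASA` entry (it adds CiscoMeraki, CiscoISE, BarracudaWAF and VectraXDRAudit only), so the CiscoASA filtering parser would be deployed yet never reached through imAuthentication. Either the union needs the extra line or this linked deployment is premature, depending on whether vimAuthenticationCiscoASA.json exists yet — that file is not visible here. Every new `templateLink.uri` points at the `master` branch rather than a tagged revision, so what gets deployed is whatever master holds at deployment time; this matches the existing entries in the file, but it is worth a short comment near the top of the resources array noting that the links are not pinned.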
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, 
(imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, 
(imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md new file mode 100644 index 00000000000..653affdcc9f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md @@ -0,0 +1,18 @@ +# Barracuda WAF ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Barracuda WAF. + +This ASIM parser supports normalizing the Barracuda WAF logs to the ASIM authentication normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
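Review bot: The new `vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or(...)))` call passes three arguments while every other entry passes four, so the disabled expression lands in the `targetusername_has` position and the disabled flag takes its default; unless the Vectra filtering parser really has a three-parameter signature, the line should read `, vimAuthenticationVectraXDRAudit (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))`. As written, a watchlist entry `ExcludevimAuthenticationVectraXDRAudit` would not disable that source, and the username filter would not be applied to it either. Because the union uses `isfuzzy=true`, a mismatched or missing function is dropped silently rather than failing the query, so this kind of error is not caught at query time and deserves a test against the deployed function.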
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json new file mode 100644 index 00000000000..732f70611bb --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationBarracudaWAF", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n 
EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (\n starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n targetusername_has: string = \"*\",\n disabled: bool = false) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (AdminName_s has targetusername_has))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | 
extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (DestinationUserName has targetusername_has))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = 
EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n targetusername_has = targetusername_has,\n disabled=disabled\n)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md new file mode 100644 index 00000000000..98149d223ff --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md 
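Review bot: The EventTypeLookup row `"UNSUCCESSFUL_LOGIN", "Logoff", "Failure"` classifies a failed login as a Logoff event, so every Barracuda failed logon is emitted with EventType Logoff and EventResult Failure. Content that looks for failed logons (for example counting `EventType == "Logon" and EventResult == "Failure"` per ActorUsername or SrcIpAddr) would not see these records at all. The row should read `"UNSUCCESSFUL_LOGIN", "Logon", "Failure",`; both the BarracudaCustom and the BarracudaCEF branch resolve EventType through this same lookup, so one change covers both. If this ARM template is generated from the parser YAML, the fix belongs in the YAML source and this file should be regenerated from it.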
@@ -0,0 +1,18 @@
+# Cisco Adaptive Security Appliance (ASA) ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco Adaptive Security Appliance (ASA).
+
+This ASIM parser supports normalizing authentication events, collected from Cisco ASA devices, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json
new file mode 100644
index 00000000000..080a87ca1f0
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCiscoASA", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCiscoASA", + "query": "let parser = (\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n) {\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", 
\"Remote\",\n \"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", 
\"Informational\", // Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where (targetusername_has=='*' or (Message has targetusername_has))\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress, EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | 
where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n 
LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", 
EventResultDetails)\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n) ",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md
new file mode 100644
index 00000000000..ff0a2814501
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md
@@ -0,0 +1,18 @@
+# Cisco ISE ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco ISE.
+
+This ASIM parser supports normalizing Cisco ISE events produced by the Microsoft Sentinel Cisco ISE connector to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
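Review bot: The saved search in vimAuthenticationCiscoASA.json is deployed as `"name": "ASimAuthenticationCiscoASA"` with `"FunctionAlias": "ASimAuthenticationCiscoASA"`, while the file name, its README and its functionParameters (starttime, endtime, targetusername_has, disabled) all describe the filtering parser. Deploying this template therefore creates or overwrites the ASim alias instead of vimAuthenticationCiscoASA, and any union parser that calls vimAuthenticationCiscoASA by that alias would fail to resolve it. Both values, and probably the displayName, should carry the vim name: `"name": "vimAuthenticationCiscoASA",` and `"FunctionAlias": "vimAuthenticationCiscoASA",`. If the JSON is generated from the parser YAML, the alias should be corrected there and the template regenerated.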
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
new file mode 100644
index 00000000000..b9cb22b3228
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationCiscoISE", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n )[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", 
\"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. 
Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\", \n disabled: bool=false) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or SyslogMessage has targetusername_has)\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n 
TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** **********************************\n | where (targetusername_has == '*' or TargetUsername has targetusername_has)\n // ********************** *********************************\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime, \n 
endtime=endtime,\n targetusername_has=targetusername_has, \n disabled=disabled)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md
new file mode 100644
index 00000000000..a36bf373a9a
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md
@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Authentication normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json
new file mode 100644
index 00000000000..412ad7f6428
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationCiscoMeraki", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect 
key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), targetusername_has: string='*') {\n union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and targetusername_has == \"*\" or LogMessage has targetusername_has\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse 
Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n | where (targetusername_has == \"*\" or TargetUsername has targetusername_has)\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, targetusername_has=targetusername_has)\n", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md new file mode 100644 index 00000000000..cb7cfd9ba2d --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md @@ -0,0 +1,18 @@ +# Vectra ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Vectra. + +This ASIM parser supports filtering and normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
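Review bot: The pre-filter `where` at the top of `parser` chains `and targetusername_has == "*" or LogMessage has targetusername_has` without parentheses, and because `and` binds tighter than `or` in KQL this reads as `(not(disabled) and ... and targetusername_has == "*") or (LogMessage has targetusername_has and (...subtype check...))`. With a username filter supplied, rows matching the name bypass `not(disabled)`, the `starttime`/`endtime` bounds and the `has "events"` check; the later `LogSubType in (...)` and `TargetUsername has` filters recover the subtype and name cases, but nothing re-applies `disabled` or the time window. Wrap the clause: `and (targetusername_has == "*" or LogMessage has targetusername_has)`. Separately, `EventUid = _ResourceId` stamps the same workspace resource id on every row rather than a per-record identifier — presumably `_ItemId` was intended, as in the other ASIM parsers in this series. If this template is generated from the parser YAML, the fix belongs there as well.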
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json new file mode 100644 index 00000000000..c0e1080bac8 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationVectraXDRAudit", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationVectraXDRAudit", + "query": "let parser = (disabled:bool = false, starttime:datetime=datetime(null), endtime:datetime=datetime(null))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\") and (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime)\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n 
ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, starttime=starttime, endtime=endtime)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null)" + } + } + ] + } + ] +} \ No newline at end of file From 30741fa912624cef3fa38e639fa6d218722b3848 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Wed, 30 Aug 2023 23:35:27 +0530 Subject: [PATCH 24/38] added schema support --- .../ASimAuthenticationSalesforceSC.yaml | 58 +++++++++++++------ .../vimAuthenticationSalesforceSC.yaml | 48 +++++++++++---- 2 files changed, 77 insertions(+), 29 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index ba49ed41d57..601dba88629 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml 
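Review bot: `ActorUserId = tostring(toint(user_id_d))` and `EventUid = tostring(toint(id_d))` narrow the numeric `_d` columns to int32 before stringifying, and `toint` returns null for values outside that range, so any Vectra audit id or user id above 2147483647 would yield an empty `EventUid`/`ActorUserId` — the one field meant to identify the event uniquely. Unless the ids are known to stay small, widen them: `ActorUserId = tostring(tolong(user_id_d)),` and `EventUid = tostring(tolong(id_d))`. Also, `EventResult` falls back to `"NA"` for any `result_status_s` other than `success`/`failure`; a one-line comment naming which other statuses Vectra emits (if any) would let the next reader judge whether `NA` is the right mapping.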
@@ -1,29 +1,51 @@ Parser: - Title: Authentication ASIM parser for Salesforce Service Cloud - Version: '0.1.0' - LastUpdated: September 30, 2022 + Title: Authentication ASIM parser for Salesforce Service Cloud + Version: "0.1.0" + LastUpdated: September 30, 2022 Product: - Name: Salesforce Service Cloud + Name: Salesforce Service Cloud Normalization: - Schema: Authentication - Version: '0.1.3' + Schema: Authentication + Version: "0.1.3" References: -- Title: ASIM Authentication Schema - Link: https://aka.ms/ASimAuthenticationDoc -- Title: ASIM - Link: https:/aka.ms/AboutASIM -- Title: Salesforce Service Cloud - Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm + - Title: ASIM Authentication Schema + Link: https://aka.ms/ASimAuthenticationDoc + - Title: ASIM + Link: https:/aka.ms/AboutASIM + - Title: Salesforce Service Cloud + Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm Description: | - This ASIM parser supports normalizing Salesforce sign in logs, stored in the SalesforceServiceCloud_CL table, to the ASIM Authentication schema. + This ASIM parser supports normalizing Salesforce sign in logs, stored in the SalesforceServiceCloud_CL table, to the ASIM Authentication schema. 
ParserName: ASimAuthenticationSalesforceSC EquivalentBuiltInParser: _ASim_Authentication_SalesforceSC ParserParams: - - Name: disabled - Type: bool - Default: false + - Name: disabled + Type: bool + Default: false ParserQuery: | let parser=(disabled: bool=false) { + let SalesforceSchema = datatable( + api_version_s: string, + browser_type_s: string, + cipher_suite_s: string, + client_ip_s: string, + delegated_user_id_s: string, + delegated_user_name_s: string, + event_type_s: string, + login_key_s: string, + login_status_s: string, + organization_id_s: string, + platform_type_s: string, + request_id_s: string, + session_key_s: string, + source_ip_s: string, + timestamp_s: string, + tls_protocol_s: string, + uri_s: string, + user_id_s: string, + user_name_s: string, + user_type_s: string + )[]; let EventResultLookup = datatable ( login_status_s: string, DvcAction: string, @@ -247,6 +269,8 @@ ParserQuery: | "S", "Regular", "X", "Admin" ]; + union isfuzzy=true + SalesforceSchema, SalesforceServiceCloud_CL | where not(disabled) | where event_type_s in~ (SalesforceEventType) @@ -315,4 +339,4 @@ ParserQuery: | _ResourceId, wave_session_id_g }; - parser(disabled) \ No newline at end of file + parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml index f1ded77d3fb..a719e9648aa 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml 
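Review bot: The new `SalesforceSchema` datatable does not declare every column the parser body reads unconditionally — the ARM rendering of this same parser further down shows `lookup TempEventResultLookup on request_status_s`, `EventUid = _ItemId` and `project-away ... _ItemId, wave_session_id_g` — so when `SalesforceServiceCloud_CL` is absent the `union isfuzzy=true` yields only the datatable's columns and the query still fails to resolve those names, which defeats the purpose of the schema stub. Add the missing columns to the datatable, at least `request_status_s: string,` and `wave_session_id_g: string,`, and take `_ItemId` through `column_ifexists("_ItemId", "")` (or declare it) if a leading-underscore system column cannot be listed in a datatable as-is. The header also leaves `Version: "0.1.0"` and `LastUpdated: September 30, 2022` untouched although the query's behaviour on a missing table changes; bump both. The malformed `https:/aka.ms/AboutASIM` reference link (single slash) survives the reindent on both sides and could be fixed in the same pass.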
@@ -1,21 +1,21 @@ Parser: Title: ASIM Authentication filtering parser for Salesforce Service Cloud - Version: '0.1.0' + Version: "0.1.0" LastUpdated: July 8th, 2023 Product: Name: Salesforce Service Cloud Normalization: Schema: Authentication - Version: '0.1.3' + Version: "0.1.3" References: -- Title: Using functions - Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function -- Title: ASIM Authentication Schema - Link: https://aka.ms/ASimAuthenticationDoc -- Title: ASIM - Link: https:/aka.ms/AboutASIM -- Title: Salesforce Service Cloud - Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm + - Title: Using functions + Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function + - Title: ASIM Authentication Schema + Link: https://aka.ms/ASimAuthenticationDoc + - Title: ASIM + Link: https:/aka.ms/AboutASIM + - Title: Salesforce Service Cloud + Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm Description: | This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema. ParserName: vimAuthenticationSalesforceSC @@ -29,7 +29,7 @@ ParserParams: Default: datetime(null) - Name: targetusername_has Type: string - Default: '*' + Default: "*" - Name: disabled Type: bool Default: false 
@@ -40,6 +40,28 @@ ParserQuery: | targetusername_has: string="*", disabled: bool=false ) { + let SalesforceSchema = datatable( + api_version_s: string, + browser_type_s: string, + cipher_suite_s: string, + client_ip_s: string, + delegated_user_id_s: string, + delegated_user_name_s: string, + event_type_s: string, + login_key_s: string, + login_status_s: string, + organization_id_s: string, + platform_type_s: string, + request_id_s: string, + session_key_s: string, + source_ip_s: string, + timestamp_s: string, + tls_protocol_s: string, + uri_s: string, + user_id_s: string, + user_name_s: string, + user_type_s: string + )[]; let EventResultLookup = datatable ( login_status_s: string, DvcAction: string, @@ -263,7 +285,9 @@ ParserQuery: | "S", "Regular", "X", "Admin" ]; - SalesforceServiceCloud_CL + union isfuzzy=true + SalesforceSchema, + SalesforceServiceCloud_CL | where not(disabled) // -- Pre filtering | where From f4d8bd6355bcf75451bc19bd23fb066c0349f16d Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Wed, 30 Aug 2023 18:18:24 +0000 Subject: [PATCH 25/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthenticationSalesforceSC.json | 2 +- .../vimAuthenticationSalesforceSC.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json index 687ca5d3b8c..20ee0cff6fe 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json 
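Review bot: The `SalesforceSchema` stub in the `@@ -40,6 +40,28 @@` hunk declares only the twenty listed columns, while the ASim sibling parser's body, as rendered in the ARM template below, reads `request_status_s`, `_ItemId` and `wave_session_id_g` directly; this filtering parser's body lies outside the hunk, but if it does the same, the `union isfuzzy=true` path still fails on a missing `SalesforceServiceCloud_CL` because those names are unresolved. Add `request_status_s: string,` and `wave_session_id_g: string,` to the datatable and guard `_ItemId` with `column_ifexists("_ItemId", "")`. The `@@ -1,21 +1,21 @@` hunk reindents the references but keeps the malformed `Link: https:/aka.ms/AboutASIM` (single slash); correct it to `https://aka.ms/AboutASIM` while touching the line, and bump `Version` since the query's behaviour on a missing table changes.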
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser=(disabled: bool=false) {\nlet EventResultLookup = datatable (\nlogin_status_s: string,\nDvcAction: string,\nEventResultDetails: string,\nEventResult: string,\nEventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities 
External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n 
\"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, 
login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser(disabled)",
+ "query": "let parser=(disabled: bool=false) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string\n)[];\nlet EventResultLookup = datatable (\nlogin_status_s: string,\nDvcAction: string,\nEventResultDetails: string,\nEventResult: string,\nEventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", 
\"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | 
lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n 
_ResourceId,\n wave_session_id_g\n};\nparser(disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
index 823567e226e..44058c5c882 100644
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
@@ -35,7 +35,7 @@
 "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud",
 "category": "ASIM",
 "FunctionAlias": "vimAuthenticationSalesforceSC",
- "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", 
\"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n )[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", 
\"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n ];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n )[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n ];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: 
string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 
'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let SalesforceSchema = datatable(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n organization_id_s: string,\n platform_type_s: string,\n request_id_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string\n )[];\n let EventResultLookup = 
datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n )[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API 
Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n ];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n )[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n ];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n 
\"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = 
_ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" } From 05d38d2f7e00cc541ea62db60effa364d9cdbc86 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 1 Sep 2023 10:35:28 +0530 Subject: [PATCH 26/38] updating timestamp --- .../Parsers/ASimAuthenticationSalesforceSC.yaml | 6 +++--- .../Parsers/vimAuthenticationSalesforceSC.yaml | 10 +++++----- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index 601dba88629..1df36b193cc 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml 
@@ -305,8 +305,6 @@ ParserQuery: |
 EventCount = int(1),
 EventSchema = 'Authentication',
 EventSchemaVersion = '0.1.3',
- EventStartTime = TimeGenerated,
- EventEndTime = TimeGenerated,
 TargetAppName = "Salesforce Dot Com(SFDC)",
 EventUid = _ItemId,
 EventOriginalType=event_type_s
@@ -323,7 +321,9 @@ ParserQuery: |
 IpAddr = SrcIpAddr,
 Dvc = EventProduct,
 EventResult = coalesce(EventResult, TempEventResult),
- Application = TargetAppName
+ Application = TargetAppName,
+ EventStartTime = TimeGenerated,
+ EventEndTime = TimeGenerated
 | project-away
 *_s,
 *_t,
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
index a719e9648aa..57a01297dfa 100644
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
@@ -291,8 +291,8 @@ ParserQuery: |
 | where not(disabled)
 // -- Pre filtering
 | where
- (isnull(starttime) or TimeGenerated >= starttime)
- and (isnull(endtime) or TimeGenerated <= endtime)
+ (isnull(starttime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) >= starttime)
+ and (isnull(endtime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) <= endtime)
 and (targetusername_has == '*' or (user_name_s has targetusername_has))
 and event_type_s in~ (SalesforceEventType)
 // -- end pre-filtering
@@ -327,8 +327,6 @@ ParserQuery: |
 EventCount = int(1),
 EventSchema = 'Authentication',
 EventSchemaVersion = '0.1.3',
- EventStartTime = TimeGenerated,
- EventEndTime = TimeGenerated,
 TargetAppName = "Salesforce Dot Com(SFDC)",
 EventUid = _ItemId,
 EventOriginalType=event_type_s
@@ -345,7 +343,9 @@ ParserQuery: |
 IpAddr = SrcIpAddr,
 Dvc = EventProduct,
 EventResult = coalesce(EventResult, TempEventResult),
- Application = TargetAppName
+ Application = TargetAppName,
+ EventStartTime = TimeGenerated,
+ EventEndTime = TimeGenerated
 | project-away
 *_s,
 *_t,
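Review bot: The reason EventStartTime and EventEndTime have to leave the first `extend` is not recorded anywhere in the hunk; since that same extend also assigns `TimeGenerated`, the two fields there appear to have been reading the pre-existing ingestion-time TimeGenerated rather than the value parsed from timestamp_s. A one-line comment on the added `EventStartTime = TimeGenerated,` would keep the next maintainer from moving them back, e.g. `// assigned after TimeGenerated is re-derived from timestamp_s so these carry the event time, not the ingestion time`. The same move appears in the second ASimAuthenticationSalesforceSC hunk and in the last two vimAuthenticationSalesforceSC hunks, so the comment belongs beside the added line in each file. The enclosing parser function starts and ends outside the hunk.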
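Review bot: The new pre-filter evaluates `todatetime(tostring(split(timestamp_s, '.', 0)[0]))` twice, and the same expression is assigned to TimeGenerated further down the parser, so three copies now have to stay in sync. Computing it once before the filter, `| extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))`, and keeping the original `TimeGenerated >= starttime` / `TimeGenerated <= endtime` bounds would leave a single definition. A row whose timestamp_s is empty or not in the expected form yields a null datetime, which compares false against both bounds, so such events are dropped silently whenever a time window is set; `coalesce(todatetime(...), TimeGenerated)` would keep them queryable under their ingestion time instead. Filtering on a computed expression presumably also stops the engine from pruning on the stored TimeGenerated column, so retaining a widened TimeGenerated bound beside the event-time check may be worth measuring. The parser function containing this `where` starts and ends outside the hunk.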
From 343f96de316de231947b7735c46bc35d3f404b3f Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Fri, 1 Sep 2023 05:08:44 +0000
Subject: [PATCH 27/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ASimAuthenticationSalesforceSC.json | 2 +-
 .../vimAuthenticationSalesforceSC.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
index 20ee0cff6fe..f1a4aeede1f 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser=(disabled: bool=false) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string\n)[];\nlet EventResultLookup = datatable (\nlogin_status_s: string,\nDvcAction: string,\nEventResultDetails: string,\nEventResult: string,\nEventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n 
\"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client 
Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = 
user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser(disabled=disabled)", + "query": "let parser=(disabled: bool=false) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string\n)[];\nlet EventResultLookup = 
datatable (\nlogin_status_s: string,\nDvcAction: string,\nEventResultDetails: string,\nEventResult: string,\nEventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API 
Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", 
\"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = 
iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser(disabled=disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json index 44058c5c882..7c75582def9 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json 
@@ -35,7 +35,7 @@ "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "vimAuthenticationSalesforceSC", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let SalesforceSchema = datatable(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n organization_id_s: string,\n platform_type_s: string,\n request_id_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string\n )[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n 
platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n )[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n ];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n )[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n 
\"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n ];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on 
platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: 
datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let SalesforceSchema = datatable(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n organization_id_s: string,\n platform_type_s: string,\n request_id_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string\n )[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", 
\"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n )[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n ];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n )[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n 
\"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n ];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) >= starttime) \n and (isnull(endtime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n 
SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" } From 1e33a0f73d3ddce554ac6662878737f410a519f2 Mon Sep 17 00:00:00 2001 
From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 1 Sep 2023 10:52:57 +0530 Subject: [PATCH 28/38] updated custom table --- .../CustomTables/SalesforceServiceCloud_CL.json | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json index dc28254cb1a..0d02769f3a1 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json @@ -848,6 +848,10 @@ { "Name": "_ResourceId", "Type": "String" + }, + { + "Name": "TenantId", + "Type": "String" } ] } \ No newline at end of file From d86bde68aef8f292e0340c04bd722d235286d029 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 1 Sep 2023 11:00:43 +0530 Subject: [PATCH 29/38] Fixing ASIM Authentication union parser --- Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index a5dd3e22b33..dfd96774099 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml 
@@ -41,7 +41,7 @@ ParserQuery: | ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )), ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )), ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )), - ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )) + ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )), ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )) Parsers: From 8a8fff590a592d5b5e0f582aa9035a38a6a3c4be Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Fri, 1 Sep 2023 05:33:54 +0000 Subject: [PATCH 30/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ARM/ASimAuthentication/ASimAuthentication.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index b0289436aba..4b01a0ded35 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) ))\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n 
ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } From df353947a3216b2471919a62acd51d2f955fdd77 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 8 Dec 2023 14:47:01 +0530 Subject: [PATCH 31/38] changes post review --- .../ASimAuthenticationSalesforceSC.yaml | 44 +++--- .../vimAuthenticationSalesforceSC.yaml | 128 +++++++++--------- 2 files changed, 89 insertions(+), 83 deletions(-) 
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml index 1df36b193cc..9c6c6938930 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM parser for Salesforce Service Cloud Version: "0.1.0" - LastUpdated: September 30, 2022 + LastUpdated: Dec 12th, 2023 Product: Name: Salesforce Service Cloud Normalization: @@ -23,7 +23,9 @@ ParserParams: Type: bool Default: false ParserQuery: | - let parser=(disabled: bool=false) { + let parser = ( + disabled: bool=false + ) { let SalesforceSchema = datatable( api_version_s: string, browser_type_s: string, @@ -34,9 +36,12 @@ ParserQuery: | event_type_s: string, login_key_s: string, login_status_s: string, + login_type_s: string, + login_sub_type_s: string, organization_id_s: string, platform_type_s: string, request_id_s: string, + request_status_s: string, session_key_s: string, source_ip_s: string, timestamp_s: string, @@ -44,14 +49,15 @@ ParserQuery: | uri_s: string, user_id_s: string, user_name_s: string, - user_type_s: string + user_type_s: string, + wave_session_id_g: string )[]; - let EventResultLookup = datatable ( - login_status_s: string, - DvcAction: string, - EventResultDetails: string, - EventResult: string, - EventSeverity: string + let EventResultLookup = datatable ( + login_status_s: string, + DvcAction: string, + EventResultDetails: string, + EventResult: string, + EventSeverity: string )[ "LOGIN_CHALLENGE_ISSUED", "Blocked", "Other", "Failure", "Informational", "LOGIN_CHALLENGE_PENDING", "Blocked", "Other", "Failure", "Informational", 
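Review bot: The header hunk moves `LastUpdated` to Dec 12th, 2023 but leaves `Version: "0.1.0"` as it was, even though the rest of this patch changes what the parser emits (`EventProduct` becomes 'Service Cloud', `_ResourceId` is no longer projected away, `*_g` columns are dropped) — the version string is the only signal a consumer has that the output changed, so it should be bumped, e.g. `Version: "0.1.1"`. The vimAuthenticationSalesforceSC.yaml header hunk below has the same omission. The columns added to the `SalesforceSchema` datatable here (`login_type_s`, `login_sub_type_s`, `request_status_s`, `wave_session_id_g`) appear to be what lets the later hunk reference them directly instead of through `column_ifexists`; that dependency is easy to miss when someone next trims the datatable, so a KQL comment next to it would help: `// every column declared here is present in the union output even when SalesforceServiceCloud_CL lacks it; the extends below rely on that`.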
@@ -270,12 +276,12 @@ ParserQuery: | "X", "Admin" ]; union isfuzzy=true - SalesforceSchema, - SalesforceServiceCloud_CL + SalesforceSchema, + SalesforceServiceCloud_CL | where not(disabled) | where event_type_s in~ (SalesforceEventType) - | extend LoginType_s = column_ifexists("login_type_s", "") - | extend LoginSubType_s = column_ifexists("login_sub_type_s", "") + | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])) + | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s | lookup EventResultLookup on login_status_s | lookup EventTypeLookup on event_type_s | lookup LogonMethodLookup on LoginType_s @@ -299,18 +305,17 @@ ParserQuery: | ActorUserId = delegated_user_id_s, TargetUsername = user_name_s | extend - TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])), EventVendor = 'Salesforce', - EventProduct='Salesforce Service Cloud', + EventProduct='Service Cloud', EventCount = int(1), EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', TargetAppName = "Salesforce Dot Com(SFDC)", EventUid = _ItemId, - EventOriginalType=event_type_s + EventOriginalType=event_type_s, + SrcIpAddr = coalesce(SrcIpAddr, client_ip_s) | extend TargetSessionId = coalesce(session_key_s, login_key_s), - SrcIpAddr = coalesce(SrcIpAddr, client_ip_s), TargetUserScope = "Salesforce Organization", TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""), ActorUserIdType = iff(isnotempty(ActorUserId), "SaleforceId", ""), @@ -327,6 +332,7 @@ ParserQuery: | | project-away *_s, *_t, + *_g, TenantId, SourceSystem, Computer, @@ -335,8 +341,6 @@ ParserQuery: | Message, RawData, TempEventResult, - _ItemId, - _ResourceId, - wave_session_id_g + _ItemId }; parser(disabled=disabled) \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml index 57a01297dfa..8a85961ad08 100644 
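Review bot: In the last hunk `_ResourceId` is removed from the `project-away` list while `_ItemId` stays, so the resource id now passes through into this parser's normalized output, and nothing in the patch says whether that is deliberate. If it is, a short comment on the retained column would save the next reviewer the same question, e.g. `// _ResourceId is intentionally kept; _ItemId is consumed by EventUid above and dropped here`. The same edit is made to vimAuthenticationSalesforceSC.yaml further down, so the comment belongs in both files. The `project-away *_g` wildcard added in the preceding hunk replaces the explicit `wave_session_id_g` entry and will also swallow any `_g` column added to the table later, which is presumably the intent but is worth stating in the same comment.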
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml @@ -1,7 +1,7 @@ Parser: Title: ASIM Authentication filtering parser for Salesforce Service Cloud Version: "0.1.0" - LastUpdated: July 8th, 2023 + LastUpdated: Dec 12th, 2023 Product: Name: Salesforce Service Cloud Normalization: @@ -35,11 +35,11 @@ ParserParams: Default: false ParserQuery: | let parser = ( - starttime: datetime=datetime(null), - endtime: datetime=datetime(null), - targetusername_has: string="*", - disabled: bool=false - ) { + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + targetusername_has: string="*", + disabled: bool=false + ) { let SalesforceSchema = datatable( api_version_s: string, browser_type_s: string, @@ -50,9 +50,12 @@ ParserQuery: | event_type_s: string, login_key_s: string, login_status_s: string, + login_type_s: string, + login_sub_type_s: string, organization_id_s: string, platform_type_s: string, request_id_s: string, + request_status_s: string, session_key_s: string, source_ip_s: string, timestamp_s: string, @@ -60,8 +63,9 @@ ParserQuery: | uri_s: string, user_id_s: string, user_name_s: string, - user_type_s: string - )[]; + user_type_s: string, + wave_session_id_g: string + )[]; let EventResultLookup = datatable ( login_status_s: string, DvcAction: string, 
@@ -209,49 +213,49 @@ ParserQuery: | "5200", "Android", "10.0" ]; let LogonMethodLookup = datatable( - LoginType_s: string, - LogonMethodOriginal: string, - LogonMethod: string - )[ - "7", "AppExchange", "Other", - "A", "Application", "Other", - "s", "Certificate-based login", "PKI", - "k", "Chatter Communities External User", "Other", - "n", "Chatter Communities External User Third Party SSO", "Other", - "r", "Employee Login to Community", "Other", - "z", "Lightning Login", "Username & Password", - "l", "Networks Portal API Only", "Other", - "6", "Remote Access Client", "Other", - "i", "Remote Access 2.0", "Other", - "I", "Other Apex API", "Other", - "R", "Partner Product", "Other", - "w", "Passwordless Login", "Passwordless", - "3", "Customer Service Portal", "Other", - "q", "Partner Portal Third-Party SSO", "Other", - "9", "Partner Portal", "Other", - "5", "SAML Idp Initiated SSO", "Other", - "m", "SAML Chatter Communities External User SSO", "Other", - "b", "SAML Customer Service Portal SSO", "Other", - "c", "SAML Partner Portal SSO", "Other", - "h", "SAML Site SSO", "Other", - "8", "SAML Sfdc Initiated SSO", "Other", - "E", "SelfService", "Other", - "j", "Third Party SSO", "Other" - ]; + LoginType_s: string, + LogonMethodOriginal: string, + LogonMethod: string + )[ + "7", "AppExchange", "Other", + "A", "Application", "Other", + "s", "Certificate-based login", "PKI", + "k", "Chatter Communities External User", "Other", + "n", "Chatter Communities External User Third Party SSO", "Other", + "r", "Employee Login to Community", "Other", + "z", "Lightning Login", "Username & Password", + "l", "Networks Portal API Only", "Other", + "6", "Remote Access Client", "Other", + "i", "Remote Access 2.0", "Other", + "I", "Other Apex API", "Other", + "R", "Partner Product", "Other", + "w", "Passwordless Login", "Passwordless", + "3", "Customer Service Portal", "Other", + "q", "Partner Portal Third-Party SSO", "Other", + "9", "Partner Portal", "Other", + "5", "SAML Idp 
Initiated SSO", "Other", + "m", "SAML Chatter Communities External User SSO", "Other", + "b", "SAML Customer Service Portal SSO", "Other", + "c", "SAML Partner Portal SSO", "Other", + "h", "SAML Site SSO", "Other", + "8", "SAML Sfdc Initiated SSO", "Other", + "E", "SelfService", "Other", + "j", "Third Party SSO", "Other" + ]; let LogonProtocolLookup = datatable( - LoginSubType_s: string, - LogonProtocolOriginal: string, - LogonProtocol: string - )[ - "uiup", "UI Username-Password", "Basic Auth", - "oauthpassword", "OAuth Username-Password", "OAuth", - "oauthtoken", "OAuth User-Agent", "OAuth", - "oauthhybridtoken", "OAuth User-Agent for Hybrid Apps", "OAuth", - "oauthtokenidtoken", "OAuth User-Agent with ID Token", "OAuth", - "oauthclientcredential", "OAuth Client Credential", "OAuth", - "oauthcode", "OAuth Web Server", "OAuth", - "oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth", - ]; + LoginSubType_s: string, + LogonProtocolOriginal: string, + LogonProtocol: string + )[ + "uiup", "UI Username-Password", "Basic Auth", + "oauthpassword", "OAuth Username-Password", "OAuth", + "oauthtoken", "OAuth User-Agent", "OAuth", + "oauthhybridtoken", "OAuth User-Agent for Hybrid Apps", "OAuth", + "oauthtokenidtoken", "OAuth User-Agent with ID Token", "OAuth", + "oauthclientcredential", "OAuth Client Credential", "OAuth", + "oauthcode", "OAuth Web Server", "OAuth", + "oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth", + ]; let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[ "S", "Success", "F", "Failure", 
@@ -286,18 +290,18 @@ ParserQuery: | "X", "Admin" ]; union isfuzzy=true - SalesforceSchema, - SalesforceServiceCloud_CL + SalesforceSchema, + SalesforceServiceCloud_CL | where not(disabled) + | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])) // -- Pre filtering | where - (isnull(starttime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) >= starttime) - and (isnull(endtime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) <= endtime) + (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) or TimeGenerated <= endtime) and (targetusername_has == '*' or (user_name_s has targetusername_has)) and event_type_s in~ (SalesforceEventType) // -- end pre-filtering - | extend LoginType_s = column_ifexists("login_type_s", "") - | extend LoginSubType_s = column_ifexists("login_sub_type_s", "") + | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s | lookup EventResultLookup on login_status_s | lookup EventTypeLookup on event_type_s | lookup LogonMethodLookup on LoginType_s @@ -321,18 +325,17 @@ ParserQuery: | ActorUserId = delegated_user_id_s, TargetUsername = user_name_s | extend - TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])), EventVendor = 'Salesforce', - EventProduct='Salesforce Service Cloud', + EventProduct='Service Cloud', EventCount = int(1), EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', TargetAppName = "Salesforce Dot Com(SFDC)", EventUid = _ItemId, - EventOriginalType=event_type_s + EventOriginalType=event_type_s, + SrcIpAddr = coalesce(SrcIpAddr, client_ip_s) | extend TargetSessionId = coalesce(session_key_s, login_key_s), - SrcIpAddr = coalesce(SrcIpAddr, client_ip_s), TargetUserScope = "Salesforce Organization", TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""), ActorUserIdType = iff(isnotempty(ActorUserId), "SaleforceId", ""), @@ -349,6 +352,7 @@ ParserQuery: | | project-away *_s, *_t, + *_g, TenantId, SourceSystem, Computer, 
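Review bot: The new `| extend TimeGenerated = todatetime(...)` overwrites the ingestion timestamp with the parsed `timestamp_s`, and the pre-filter on the next lines immediately compares that value with `starttime`/`endtime`; when `timestamp_s` is empty or not in the expected shape the parse yields null, the comparison is not true, and the login event silently falls out of every time-bounded query. The previous inline `todatetime` had the same effect, so this is not a regression, but now that the value is computed once it is the natural place to either keep a fallback — `coalesce(todatetime(tostring(split(timestamp_s, '.', 0)[0])), TimeGenerated)`, provided `TimeGenerated` is guaranteed in the union — or to document the drop: `// rows whose timestamp_s does not parse get a null TimeGenerated and are excluded by the time filter below`. Because this is a filtering parser used for authentication detections, a comment making that coverage gap explicit is the minimum I would ask for. The enclosing `parser` function starts and ends outside this hunk.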
@@ -357,8 +361,6 @@ ParserQuery: | Message, RawData, TempEventResult, - _ItemId, - _ResourceId, - wave_session_id_g + _ItemId }; parser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled) \ No newline at end of file From c6324f622f8d2ad26c8bb6f11a8fb06a5a214886 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <> Date: Fri, 8 Dec 2023 10:35:33 +0000 Subject: [PATCH 32/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- .../ASimAuthenticationOktaOSS.json | 2 +- .../ARM/ASimAuthenticationOktaOSS/README.md | 2 +- .../ASimAuthenticationSalesforceSC.json | 2 +- .../ASimAuthenticationSentinelOne.json | 46 + .../README.md | 8 +- .../ARM/FullDeploymentAuthentication.json | 823 ------------------ Parsers/ASimAuthentication/ARM/README.md | 17 - .../ARM/imAuthentication/README.md | 18 - .../imAuthentication/imAuthentication.json | 46 - .../README.md | 18 - .../vimAuthenticationAADManagedIdentity.json | 46 - .../README.md | 18 - .../vimAuthenticationAADNonInteractive.json | 46 - .../README.md | 18 - ...ticationAADServicePrincipalSignInLogs.json | 46 - .../vimAuthenticationAADSigninLogs/README.md | 18 - .../vimAuthenticationAADSigninLogs.json | 46 - .../vimAuthenticationAWSCloudTrail/README.md | 18 - .../vimAuthenticationAWSCloudTrail.json | 46 - .../vimAuthenticationBarracudaWAF.json | 46 - .../ARM/vimAuthenticationCiscoASA/README.md | 18 - .../vimAuthenticationCiscoASA.json | 46 - .../ARM/vimAuthenticationCiscoISE/README.md | 18 - .../vimAuthenticationCiscoISE.json | 46 - .../vimAuthenticationCiscoMeraki/README.md | 18 - .../vimAuthenticationCiscoMeraki.json | 46 - .../ARM/vimAuthenticationEmpty/README.md | 18 - .../vimAuthenticationEmpty.json | 45 - .../vimAuthenticationM365Defender/README.md | 18 - .../vimAuthenticationM365Defender.json | 46 - .../README.md | 18 - .../vimAuthenticationMicrosoftMD4IoT.json | 46 - .../README.md | 18 - ...imAuthenticationMicrosoftWindowsEvent.json | 46 - .../ARM/vimAuthenticationOktaOSS/README.md | 18 - .../vimAuthenticationOktaOSS.json | 46 - .../ARM/vimAuthenticationPostgreSQL/README.md | 18 - .../vimAuthenticationPostgreSQL.json | 46 - .../vimAuthenticationSalesforceSC/README.md | 18 - .../vimAuthenticationSalesforceSC.json | 46 - 
.../ARM/vimAuthenticationSshd/README.md | 18 - .../vimAuthenticationSshd.json | 46 - .../ARM/vimAuthenticationSu/README.md | 18 - .../vimAuthenticationSu.json | 46 - .../vimAuthenticationVectraXDRAudit/README.md | 18 - .../vimAuthenticationVectraXDRAudit.json | 46 - 47 files changed, 54 insertions(+), 2109 deletions(-) create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json rename Parsers/ASimAuthentication/ARM/{vimAuthenticationBarracudaWAF => ASimAuthenticationSentinelOne}/README.md (55%) delete mode 100644 Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json delete mode 100644 Parsers/ASimAuthentication/ARM/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/imAuthentication/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json delete mode 100644 
Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md 
delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md delete mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index 68c3061b3da..e7d0c515335 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n 
ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) ))\n\nParsers:\n - _Im_Authentication_Empty\n - _ASim_Authentication_AADManagedIdentitySignInLogs \n - 
_ASim_Authentication_AADNonInteractiveUserSignInLogs\n - _ASim_Authentication_AADServicePrincipalSignInLogs \n - _ASim_Authentication_AWSCloudTrail\n - _ASim_Authentication_BarracudaWAF\n - _ASim_Authentication_CiscoASA\n - _ASim_Authentication_CiscoISE\n - _ASim_Authentication_CiscoMeraki\n - _ASim_Authentication_M365Defender \n - _ASim_Authentication_MD4IoT \n - _ASim_Authentication_MicrosoftWindowsEvent \n - _ASim_Authentication_OktaSSO \n - _ASim_Authentication_PostgreSQL\n - _ASim_Authentication_SigninLogs \n - _ASim_Authentication_Sshd\n - _ASim_Authentication_Su\n - _ASim_Authentication_VectraXDRAudit\n - _ASim_Authentication_SentinelOne\n - _ASim_Authentication_SalesforceSC\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json index a12916786e4..024b2147c6c 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json 
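Review bot: The new `query` value no longer ends at the union — after the SentinelOne line it continues with `\n\nParsers:\n - _Im_Authentication_Empty\n - …`, which is the YAML `Parsers:` list baked into the KQL function body, so the function will not parse once deployed. Everything from `\n\nParsers:` to the end of the string should be removed so the body ends with `ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) ))\n`. If this ARM template is regenerated from the parser YAML, the `Parsers:` key there has presumably ended up indented under `ParserQuery`, and the fix belongs in that file rather than here. The leaked list also names `_Im_Authentication_Empty` while the union calls `vimAuthenticationEmpty`, which suggests the two lists were edited independently and should be reconciled.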
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Okta", "category": "ASIM", "FunctionAlias": "ASimAuthenticationOktaSSO", - "query": "let parser=(disabled:bool=false){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL \n | where not(disabled)\n | where eventType_s in (OktaSigninEvents)\n | extend \n ActingAppType = \"Browser\",\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'Okta',\n EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = legacyEventType_s,\n EventType = iff(eventType_s hassuffix 'start', 'Logon', 'Logoff'),\n EventVendor = 'Okta',\n SrcGeoLatitude = toreal(client_geographicalContext_geolocation_lat_d),\n SrcGeoLongitude = toreal(client_geographicalContext_geolocation_lon_d),\n TargetUserIdType = 'OktaId',\n TargetUsernameType = 'UPN'\n | project-rename \n ActingAppName = client_userAgent_browser_s,\n EventMessage = displayMessage_s,\n EventOriginalResultDetails = outcome_reason_s,\n EventOriginalUid = uuid_g,\n HttpUserAgent = client_userAgent_rawUserAgent_s,\n LogonMethod = authenticationContext_credentialType_s,\n SrcDvcOs = client_userAgent_os_s,\n SrcGeoCity = client_geographicalContext_city_s,\n SrcGeoCountry = client_geographicalContext_country_s,\n SrcIsp = securityContext_isp_s,\n TargetSessionId = authenticationContext_externalSessionId_s,\n TargetUserId = actor_id_s,\n TargetUsername = actor_alternateId_s,\n TargetUserType = actor_type_s,\n EventUid = _ItemId\n // ** Aliases\n | extend \n Dvc = EventVendor,\n User = TargetUsername\n | project-away *_s, *_d, *_b, *_g, *_t\n 
};\nparser(disabled=disabled)\n", + "query": "let parser=(disabled:bool=false)\n{\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyTable = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyTable, Okta_CL \n | where not(disabled)\n | extend outcome_result_s=column_ifexists('outcome_result_s', \"\")\n , eventType_s=column_ifexists('eventType_s', \"\")\n , legacyEventType_s=column_ifexists('legacyEventType_s', \"\")\n , client_geographicalContext_geolocation_lat_d=column_ifexists('client_geographicalContext_geolocation_lat_d', \"\")\n , client_geographicalContext_geolocation_lon_d=column_ifexists('client_geographicalContext_geolocation_lon_d', \"\")\n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventSchema = 'Authentication'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s\n , EventMessage=column_ifexists('displayMessage_s', \"\")\n , EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n , EventOriginalUid = column_ifexists('uuid_g', \"\")\n , TargetUserIdType='OktaId'\n , TargetUsernameType='UPN'\n , TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n , TargetUserId=column_ifexists('actor_id_s', \"\")\n , TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n , TargetUserType=column_ifexists('actor_type_s', \"\")\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n 
, SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , SrcDvcOs=column_ifexists('client_userAgent_os_s', \"\")\n , SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n , SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n , SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n , SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n , ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n , ActingAppType=\"Browser\"\n , LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n , HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n , IpAddr=SrcIpAddr\n | project-away*_s,*_d,*_b,*_g,*_t;\n let OktaV2 = union isfuzzy=true emptyTable, OktaV2_CL\n | where not(disabled) \n | extend EventOriginalType=column_ifexists('EventOriginalType', \"\") \n | where EventOriginalType in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventSchema = 'Authentication'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n , TargetSessionId=column_ifexists('ActorSessionId', \"\")\n , TargetUserId= column_ifexists('ActorUserId', \"\")\n , TargetUsername=column_ifexists('ActorUsername', \"\")\n , TargetUserType=column_ifexists('ActorUserType', \"\")\n , TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n , TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n , SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend non-normalized fields to be projected-away \n , ActorDetailEntry, ActorDisplayName, AuthenticationContextAuthenticationProvider, AuthenticationContextAuthenticationStep\n , AuthenticationContextCredentialProvider, AuthenticationContextInterface, AuthenticationContextIssuerId, 
AuthenticationContextIssuerType\n , DebugData, DvcAction, OriginalActorAlternateId, OriginalClientDevice, OriginalOutcomeResult, OriginalSeverity, OriginalTarget\n , OriginalUserId, OriginalUserType, Request, SecurityContextAsNumber, SecurityContextAsOrg, SecurityContextDomain, SecurityContextIsProxy\n , TransactionDetail, TransactionId, TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n , IpAddr=SrcIpAddr\n | project-away ActorDetailEntry, ActorDisplayName, AuthenticationContextAuthenticationProvider, AuthenticationContextAuthenticationStep\n , AuthenticationContextCredentialProvider, AuthenticationContextInterface, AuthenticationContextIssuerId, AuthenticationContextIssuerType\n , DebugData, DvcAction, OriginalActorAlternateId, OriginalClientDevice, OriginalOutcomeResult, OriginalSeverity, OriginalTarget\n , OriginalUserId, OriginalUserType, Request, SecurityContextAsNumber, SecurityContextAsOrg, SecurityContextDomain, SecurityContextIsProxy\n , TransactionDetail, TransactionId, TransactionType;\n union isfuzzy=true OktaV1, OktaV2\n};\nparser(disabled = disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/README.md index 9b67d10bedc..6e6d6c8792a 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/README.md +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/README.md 
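Review bot: `EventUid` is dropped in the rewritten query: the old `project-rename` had `EventUid = _ItemId`, but neither the OktaV1 nor the OktaV2 branch assigns it, so every row loses its unique event identifier. Adding `, EventUid = _ItemId` to the `extend` of each branch before its `project-away` restores it, after confirming `_ItemId` is present on `OktaV2_CL`. The OktaV2 branch also sets no `EventResult`, `EventOriginalUid` or `EventMessage`; unless `OktaV2_CL` already carries those columns natively, V2 rows will lack fields the V1 branch populates, and `EventResult` is a mandatory ASIM Authentication field. The `extend` that lists bare column names (`ActorDetailEntry, ActorDisplayName, …`) only for the later `project-away` is unusual; a comment such as `// ensure these columns exist so project-away does not fail on older table schemas` would make the intent clear, if that is indeed what it is relied on for.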
@@ -2,7 +2,7 @@ ARM template for ASIM Authentication schema parser for Okta.
-This ASIM parser supports normalizing Okta sign in logs, stored in the Okta_CL table, to the ASIM Authentication schema.
+This ASIM parser supports normalizing Okta sign in logs, stored in the Okta_CL table and in OktaV2_CL table, to the ASIM Authentication schema.
 The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
index f1a4aeede1f..045571f5068 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser=(disabled: bool=false) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string\n)[];\nlet EventResultLookup = datatable (\nlogin_status_s: string,\nDvcAction: string,\nEventResultDetails: string,\nEventResult: string,\nEventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", 
\"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n 
\"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client 
Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = 
user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser(disabled=disabled)", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\nlogin_type_s: string,\nlogin_sub_type_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nrequest_status_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: 
string,\nuser_name_s: string,\nuser_type_s: string,\nwave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", 
\"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", 
\"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", 
\"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", 
\"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser(disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
new file mode 100644
index 00000000000..31f496f83d3
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAuthenticationSentinelOne",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "ASIM Authentication parser for SentinelOne",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuthenticationSentinelOne",
+ "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n [\n \"invalid 2FA code\", \"Incorrect password\",\n \"IP/User mismatch\", \"No such user or password\",\n \"invalid password\", \"Incorrect password\",\n \"user temporarily locked 2FA attempt\", \"User locked\",\n \"no active site\", \"Other\"\n ];\n let EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n )\n [\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 
3629, \"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n ];\n let EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n ];\n let EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n [\n \"BATCH\", \"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n ];\n let DeviceTypeLookup = datatable (\n agentDetectionInfo_machineType_s: string,\n SrcDeviceType: string\n )\n [\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n ];\n let TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\n let parser = (disabled: bool=false) {\n let alldata = SentinelOne_CL\n | where not(disabled);\n let activitydata = 
alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\", accountName,\n \"fullScopeDetails\", fullScopeDetails,\n \"fullScopeDetailsPath\", fullScopeDetailsPath,\n \"scopeLevel\", scopeLevel,\n \"source\", source,\n \"sourceType\", sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList), role,\n role == \"null\", \"\",\n \"Other\"\n )\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\n let alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s == \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == 
\"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n let alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n | extend\n EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\"),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\n union activitydata, alertdatawiththreatfield\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"Authentication\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername,\n TargetHostname = SrcHostname,\n TargetDomain = SrcDomain,\n TargetDomainType = SrcDomainType,\n TargetFQDN = SrcFQDN,\n TargetUsernameType = 
_ASIM_GetUsernameType(TargetUsername)\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n };\n parser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/README.md
similarity index 55%
rename from Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md
rename to Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/README.md
index 653affdcc9f..968958bfe72 100644
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/README.md
@@ -1,8 +1,8 @@
-# Barracuda WAF ASIM Authentication Normalization Parser
+# SentinelOne ASIM Authentication Normalization Parser
-ARM template for ASIM Authentication schema parser for Barracuda WAF.
+ARM template for ASIM Authentication schema parser for SentinelOne.
-This ASIM parser supports normalizing the Barracuda WAF logs to the ASIM authentication normalized schema.
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Authentication normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API. The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. 
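Review bot: The activity-event branch of the query never sets EventSeverity: EventFieldsLookup carries only EventType, EventResult and EventOriginalResultDetails, and the final `extend` after `union activitydata, alertdatawiththreatfield` does not add it, so logon/logoff rows built from `event_name_s == "Activities."` leave this mandatory ASIM common field empty while alert rows get it from ruleInfo_severity_s. The Salesforce parser in this same patch sets it on every row; the smallest fix here is adding `EventSeverity = coalesce(EventSeverity, "Informational")` to that final `extend`. Separately, `EventResult = iff(alertInfo_loginIsSuccessful_s == "true", "Success", "Failure")` classifies an empty or differently-cased value as a failed logon, which inflates failure counts in downstream detections; `case(alertInfo_loginIsSuccessful_s =~ "true", "Success", alertInfo_loginIsSuccessful_s =~ "false", "Failure", "NA")` is safer. The pass-through in `EventSeverity = iff(ruleInfo_severity_s == "Critical", "High", ruleInfo_severity_s)` likewise emits any non-Critical source value verbatim, so it is worth confirming that the remaining SentinelOne severity strings are already valid ASIM values.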
@@ -15,4 +15,4 @@ For more information, see:
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSentinelOne%2FASimAuthenticationSentinelOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSentinelOne%2FASimAuthenticationSentinelOne.json)
diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
deleted file mode 100644
index ad8e5b99bed..00000000000
--- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
+++ /dev/null
@@ -1,823 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "variables": {}, - "resources": [ - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthentication", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationAADManagedIdentity", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationAADNonInteractive", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationAADServicePrincipalSignInLogs", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationAADSigninLogs", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationAWSCloudTrail", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": 
"[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationBarracudaWAF", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationCiscoASA", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationCiscoISE", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationCiscoMeraki", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationM365Defender", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationMicrosoftMD4IoT", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationMicrosoftWindowsEvent", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, 
- "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationOktaOSS", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationPostgreSQL", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationSalesforceSC", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationSshd", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationSu", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationSudo", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedASimAuthenticationVectraXDRAudit", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - 
"type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedimAuthentication", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationAADManagedIdentity", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationAADNonInteractive", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationAADServicePrincipalSignInLogs", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationAADSigninLogs", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationAWSCloudTrail", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationBarracudaWAF", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - 
"WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationCiscoASA", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationCiscoISE", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationCiscoMeraki", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationEmpty", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationM365Defender", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationMicrosoftMD4IoT", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationMicrosoftWindowsEvent", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { 
- "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationOktaOSS", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationPostgreSQL", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationSalesforceSC", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationSshd", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationSu", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - }, - { - "type": "Microsoft.Resources/deployments", - "apiVersion": "2020-10-01", - "name": "linkedvimAuthenticationVectraXDRAudit", - "properties": { - "mode": "Incremental", - "templateLink": { - "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json", - "contentVersion": "1.0.0.0" - }, - "parameters": { - "Workspace": { - "value": "[parameters('Workspace')]" - }, - "WorkspaceRegion": { - "value": "[parameters('WorkspaceRegion')]" - } - } - } - } - ], - "outputs": {} -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/README.md b/Parsers/ASimAuthentication/ARM/README.md deleted file mode 100644 index ece8022e885..00000000000 --- a/Parsers/ASimAuthentication/ARM/README.md +++ /dev/null 
@@ -1,17 +0,0 @@ -# Advanced Security Information Model (ASIM) Authentication parsers - -This template deploys all ASIM Authentication parsers. - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAuthenticationARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAuthenticationARMgov) - -
diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/README.md b/Parsers/ASimAuthentication/ARM/imAuthentication/README.md deleted file mode 100644 index dd57a727410..00000000000 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Source agnostic ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for Source agnostic. - -This ASIM parser supports filtering and normalizing Authentication logs from all supported sources to the ASIM Authentication normalized schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json) diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json deleted file mode 100644 index 4e464d705f6..00000000000 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "imAuthentication", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser", - "category": "ASIM", - "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, 
(imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n, vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md deleted file mode 100644 index c64e0bb0867..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md +++ /dev/null 
@@ -1,18 +0,0 @@
-# AAD ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for AAD.
-
-This ASIM parser supports filtering and normalizing Azure Active Directory Managed Identity sign in logs, stored in the AADManagedIdentitySignInLogs table, to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json
deleted file mode 100644
index cb7cfa55e91..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "Workspace": {
- "type": "string",
- "metadata": {
- "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
- }
- },
- "WorkspaceRegion": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "The region of the selected workspace. The default value will use the Region selection above."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
- "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationAADManagedIdentitySignInLogs",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM filtering parser for AAD managed identity sign-in logs",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs",
- "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with 
malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n };\nlet parser = (\n 
starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n ) {\n AADManagedIdentitySignInLogs\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n and not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Managed Identity\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Application'\n , TargetUsernameType = 'Simple'\n , TargetUserIdType = 'AADID'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n)",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
- }
- }
- ]
- }
- ]
-}
\ No newline 
at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md
deleted file mode 100644
index 5231f86118a..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# AAD ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for AAD.
-
-This ASIM parser supports filtering and normalizing Azure Active Directory Non Interactive sign in logs, stored in the AADNonInteractiveUserSignInLogs table, to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json
deleted file mode 100644
index b257b3e45c3..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "Workspace": {
- "type": "string",
- "metadata": {
- "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
- }
- },
- "WorkspaceRegion": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "The region of the selected workspace. The default value will use the Region selection above."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
- "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationAADNonInteractiveUserSignInLogs",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM filtering parser for AAD non-interactive sign-in logs",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs",
- "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon 
violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , EventSubType = 'NonInteractive'\n , TargetUsernameType='UPN'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , 
SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup FailedReason on ResultType\n | extend\n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime, endtime, targetusername_has, disabled)",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
- }
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md
deleted file mode 100644
index fa1659c75a6..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# AAD ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for AAD.
-
-This ASIM parser supports filtering and normalizing Azure Active Directory Service Principal sign in logs, stored in the AADServicePrincipalSignInLogs table, to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json
deleted file mode 100644
index 241734fdde9..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "Workspace": {
- "type": "string",
- "metadata": {
- "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
- }
- },
- "WorkspaceRegion": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "The region of the selected workspace. The default value will use the Region selection above."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
- "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationAADServicePrincipalSignInLogs",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM filtering parser for AAD service principal sign-in logs",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs",
- "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with 
malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n and not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Service Principal\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Service'\n , TargetUsernameType = 
'Simple'\n , TargetUserIdType = 'AADID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n , SrcGeoCountry = Location\n , SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n , SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n , SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n)",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
- }
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md
deleted file mode 100644
index bf5232202f5..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# AAD ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for AAD.
-
-This ASIM parser supports filtering and normalizing Azure Active Directory Interactive sign in logs, stored in the SigninLogs table, to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json
deleted file mode 100644
index 23c08601506..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSigninLogs", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for AAD interactive sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or 
password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Member', 'Regular',\n 'Guest','Guest', \n '',''\n];\nlet AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nSigninLogs | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n// ************************************************************************* \n// \n// ************************************************************************* \n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | 
lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId \n };\nAADSigninLogs(starttime, endtime, targetusername_has, disabled)\n",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
- }
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md
deleted file mode 100644
index e1dfb41e1e6..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# AWS ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for AWS.
-
-This ASIM parser supports filtering and normalizing Amazon Web Service sign in logs, stored in the AWSCloudTrail table, to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json
deleted file mode 100644
index 9f7d84f9423..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationAWSCloudTrail", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for AWS sign-in logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationAWSCloudTrail", - "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n ];\n let eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n ];\n let ASIM_GetUsernameType = 
(username:string) { \n case ( \n username contains \"@\" , \"UPN\"\n , username contains \"\\\\\", \"Windows\"\n , (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\"\n , isempty(username), \"\"\n , \"Simple\"\n )\n };\n let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n targetusername_has:string=\"*\", \n disabled:bool=false\n ) {\n AWSCloudTrail \n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and not(disabled)\n and EventName == 'ConsoleLogin'\n and (targetusername_has=='*' or UserIdentityArn has targetusername_has or UserIdentityUserName has targetusername_has)\n // -- end pre-filtering\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n | where \n (targetusername_has=='*' or TargetUsername has targetusername_has)\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure')\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser (\n starttime = starttime,\n endtime = endtime, \n targetusername_has = targetusername_has,\n disabled = disabled\n )\n", - "version": 1, - "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json deleted file mode 100644 index 732f70611bb..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationBarracudaWAF", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Barracuda WAF", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationBarracudaWAF", - "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n 
EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (\n starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n targetusername_has: string = \"*\",\n disabled: bool = false) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (AdminName_s has targetusername_has))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | 
extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (DestinationUserName has targetusername_has))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = 
EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n targetusername_has = targetusername_has,\n disabled=disabled\n)",
- "version": 1,
- "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'"
- }
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md
deleted file mode 100644
index 98149d223ff..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# Cisco Adaptive Security Appliance (ASA) ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for Cisco Adaptive Security Appliance (ASA).
-
-This ASIM parser supports normalizing authentication events, collected from Cisco ASA devices, to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json
deleted file mode 100644
index f3a3cebc7aa..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoASA", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoASA", - "query": "let parser = (\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n) {\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n 
\"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // 
Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where (targetusername_has=='*' or (Message has targetusername_has))\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress, EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | where 
(targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n 
LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", 
EventResultDetails)\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n) ",
- "version": 1,
- "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
- }
- }
- ]
- }
- ]
-}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md
deleted file mode 100644
index ff0a2814501..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md
+++ /dev/null
@@ -1,18 +0,0 @@
-# Cisco ISE ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for Cisco ISE.
-
-This ASIM parser supports normalizing Cisco ISE events produced by the Microsoft Sentinel Cisco ISE connector to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
deleted file mode 100644
index b9cb22b3228..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
+++ /dev/null
@@ -1,46 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "Workspace": {
- "type": "string",
- "metadata": {
- "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
- }
- },
- "WorkspaceRegion": {
- "type": "string",
- "defaultValue": "[resourceGroup().location]",
- "metadata": {
- "description": "The region of the selected workspace. The default value will use the Region selection above."
- }
- }
- },
- "resources": [
- {
- "type": "Microsoft.OperationalInsights/workspaces",
- "apiVersion": "2017-03-15-preview",
- "name": "[parameters('Workspace')]",
- "location": "[parameters('WorkspaceRegion')]",
- "resources": [
- {
- "type": "savedSearches",
- "apiVersion": "2020-08-01",
- "name": "vimAuthenticationCiscoISE",
- "dependsOn": [
- "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
- ],
- "properties": {
- "etag": "*",
- "displayName": "Authentication ASIM filtering parser for Cisco ISE",
- "category": "ASIM",
- "FunctionAlias": "vimAuthenticationCiscoISE",
- "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n )[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", 
\"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. 
Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\", \n disabled: bool=false) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or SyslogMessage has targetusername_has)\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n 
TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** **********************************\n | where (targetusername_has == '*' or TargetUsername has targetusername_has)\n // ********************** *********************************\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime, \n 
endtime=endtime,\n targetusername_has=targetusername_has, \n disabled=disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md deleted file mode 100644 index a36bf373a9a..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Cisco Meraki ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for Cisco Meraki. - -This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Authentication normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json deleted file mode 100644 index 412ad7f6428..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationCiscoMeraki", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication parser for Cisco Meraki", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationCiscoMeraki", - "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect 
key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), targetusername_has: string='*') {\n union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and targetusername_has == \"*\" or LogMessage has targetusername_has\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse 
Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n | where (targetusername_has == \"*\" or TargetUsername has targetusername_has)\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, targetusername_has=targetusername_has)\n", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md deleted file mode 100644 index c828412636d..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Microsoft Sentinel ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for Microsoft Sentinel. - -This function returns an empty ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json deleted file mode 100644 index 1bcaffc0c0e..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationEmpty", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM schema function", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationEmpty", - "query": "let EmptyAuthenticationTable=datatable(\n EventProduct:string\n , EventProductVersion: string\n , EventVendor:string\n , EventCount:int\n , EventReportUrl:string\n , EventSchemaVersion:string\n , EventSchema:string\n , TimeGenerated:datetime\n , EventOriginalUid:string\n , EventOriginalType:string\n , EventOriginalSubType:string\n , EventMessage:string\n , EventResult:string\n , EventResultDetails:string\n , EventOriginalResultDetails:string\n , EventStartTime:datetime\n , EventEndTime:datetime\n , EventType:string\n , EventSubType:string\n , EventUid:string\n , EventSeverity:string\n , EventOriginalSeverity:string\n , EventOwner:string\n , ActorSessionId:string\n , TargetSessionId:string\n , ActorUserId:string\n , ActorUsername:string\n , ActorUserType:string\n , ActorUserIdType:string\n , 
ActorUsernameType:string\n , ActorScopeId:string\n , ActorOriginalUserType:string\n , TargetUserId:string\n , TargetUsername:string\n , TargetUserType:string\n , SrcDvcId:string\n , SrcDvcIdType:string\n , SrcDeviceType:string\n , SrcDvcOs:string\n , HttpUserAgent:string\n , SrcIsp:string\n , SrcGeoCity:string\n , SrcGeoCountry:string\n , SrcGeoRegion:string\n , SrcGeoLatitude:real\n , SrcGeoLongitude:real\n , SrcIpAddr:string\n , SrcPortNumber:string\n , SrcHostname:string\n , SrcDomain:string\n , SrcDomainType:string\n , SrcFQDN:string\n , SrcDescription:string\n , SrcDvcScopeId:string\n , SrcRiskLevel:int\n , SrcOriginalRiskLevel:string\n , ActingAppId:string\n , ActingAppName:string\n , ActingAppType:string\n , TargetAppId:string\n , TargetAppName:string\n , TargetAppType:string\n , TargetDvcId:string\n , TargetDvcIdType:string\n , TargetHostname:string\n , TargetDomain:string\n , TargetDomainType:string\n , TargetFQDN:string\n , TargetDescription:string\n , TargetDeviceType:string\n , TargetIpAddr:string\n , TargetDvcOs:string\n , TargetUrl:string\n , TargetPortNumber:int\n , TargetDvcScope:string\n , TargetDvcScopeId:string\n , TargetGeoCity:string\n , TargetGeoCountry:string\n , TargetGeoRegion:string\n , TargetGeoLatitude:real\n , TargetGeoLongitude:real\n , LogonMethod: string\t\n , LogonProtocol: string\t\n , TargetUserIdType: string\t\n , TargetUsernameType: string\t\n , UserScope:string\n , UserScopeId:string\n , TargetOriginalUserType:string\n , TargetUserSessionId:string\n , User: string\t\n , IpAddr: string\n , SrcDvcHostnameType: string\t\n , LogonTarget: string\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n , 
AdditionalFields:dynamic\n , Type:string\n , Src:string\n , Dst:string\n , Rule:string\n , RuleName:string\n , RuleNumber:int\n , ThreatId:string\n , ThreatName:string\n , ThreatCategory:string\n , ThreatOriginalRiskLevel:string\n , ThreatOriginalConfidence:string\n , ThreatIsActive:bool\n , ThreatField:string\n , ThreatConfidence:int\n , ThreatRiskLevel:string\n , ThreatFirstReportedTime:datetime\n , ThreatLastReportedTime:datetime\n , Application:string\n )[];\nEmptyAuthenticationTable", - "version": 1 - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md deleted file mode 100644 index f9ed86e6a33..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# M365 Defender for EndPoint ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint. - -This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365Defender%2FvimAuthenticationM365Defender.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365Defender%2FvimAuthenticationM365Defender.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json deleted file mode 100644 index 8f32ff85fde..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationM365Defender", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for M365 Defender Device Logon Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationM365Defender", - "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n starttime:datetime=datetime(null)\n , 
endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n) {\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (AccountName has targetusername_has))\n // -- end prefilter\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n , ActorUsernameType = \"Simple\"\n , TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n , ActingProcessName = InitiatingProcessFolderPath\n , TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (AccountName has targetusername_has) or (isnotempty(AccountDomain) and AccountDomain has targetusername_has))\n // -- end prefilter\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n , TargetUserIdType = 'SID'\n , ActorUserIdType = 'SID'\n , ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n , TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n , TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n , ActorUsernameType = iff (InitiatingProcessAccountDomain == '','Simple', 'Windows')\n , ActingProcessName = strcat 
(InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName)\n | project-rename \n ActorUserId = InitiatingProcessAccountSid\n , TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n , ActorUserSid = ActorUserId\n , TargetWindowsUsername = TargetUsername\n , ActorWindowsUsername = ActorUsername\n , ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n EventOriginalResultDetails = FailureReason \n , EventOriginalType = LogonType\n , EventUid = _ItemId\n , LogonProtocol = Protocol\n , TargetDvcId = DeviceId\n , SrcHostname = RemoteDeviceName\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime = InitiatingProcessCreationTime\n , ActingProcessMD5 = InitiatingProcessMD5\n , ActingProcessSHA1 = InitiatingProcessSHA1 \n , ActingProcessSHA256 = InitiatingProcessSHA256\n , ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation = InitiatingProcessTokenElevation\n , ParentProcessName = InitiatingProcessParentFileName\n , ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n , ActorUserUpn = InitiatingProcessAccountUpn\n , ActorUserAadId = InitiatingProcessAccountObjectId\n , SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventSchemaVersion = '0.1.3'\n , EventType = 'Logon'\n , EventVendor = 
'Microsoft'\n , EventProduct = 'M365 Defender for EndPoint'\n , EventSchema = 'Authentication'\n , TargetDvcIdType = 'MDEid'\n , ActingProcessId = tostring (InitiatingProcessId)\n , ParentProcessId = tostring (InitiatingProcessParentId)\n , EventOriginalUid = tostring (ReportId)\n , TargetSessionId = tostring (LogonId)\n , SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce(\n ActingProcessSHA256\n , ActingProcessSHA1\n , ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n , TargetHostname = ExtractedHostname\n , TargetDomainType = DomainType\n , TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n , DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n , Prcess = ActingProcessName\n , IpAddr = SrcIpAddr\n , ActingAppName = ActingProcessName\n , ActingAppType = \"Process\"\n , Dvc = coalesce (TargetFQDN, TargetHostname)\n , Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n , DvcFQDN = TargetFQDN\n , DvcHostname = TargetHostname\n , DvcDomain = TargetDomain\n , DvcDomainType = TargetDomainType\n , DvcId = TargetDvcId\n , DvcIdType = TargetDvcIdType\n , DvcOs = TargetDvcOs\n | extend \n LogonTarget = Dvc\n , Dst = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, 
InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n) ", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md deleted file mode 100644 index e7dac30911f..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Microsoft Defender for IoT ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for Microsoft Defender for IoT. - -This ASIM parser supports filtering and normalizing Microsoft Defender for IoT endpoint logs to the ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json deleted file mode 100644 index b238fc2ebbe..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationMD4IoT", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationMD4IoT", - "query": "let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or EventDetails has targetusername_has)\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n 
EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (targetusername_has=='*' or TargetUsername has targetusername_has)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(starttime, endtime, targetusername_has, disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - 
} - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md deleted file mode 100644 index b1129481c95..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Windows Security Events ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for Windows Security Events. - -This ASIM parser supports filtering and normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json deleted file mode 100644 index c21a982381c..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationMicrosoftWindowsEvent", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Windows Security Events", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationMicrosoftWindowsEvent", - "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates 
policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n 
'0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\n let WinLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){ \n WindowsEvent | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or EventData.TargetUserName has targetusername_has)\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff 
(EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName)))\n // *************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n // *************** ********************************** \n | extend \n SrcDvcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend EventMessage = case(EventID == 4634, \"4634 - An account was logged off.\", \n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n TargetDvcHostname = Computer\n , EventOriginalUid = EventOriginId\n , EventOriginalType=EventID\n | extend EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n , ActorUsernameType= iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ) \n , TargetUsernameType=iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , Dvc=SrcDvcHostname\n };\nlet SecEventLogon =(starttime:datetime=datetime(null), endtime:datetime=datetime(null), 
targetusername_has:string=\"*\", disabled:bool=false){\n SecurityEvent | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or TargetUserName has targetusername_has)\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n EventMessage = Activity\n , ActorSessionId=SubjectLogonId\n , TargetSessionId=TargetLogonId\n , ActorUserId=SubjectUserSid\n , TargetUserId =TargetUserSid\n , SrcDvcHostname = WorkstationName\n , TargetDvcHostname = Computer\n , EventOriginalUid = EventOriginId\n , LogonProtocol=AuthenticationPackageName\n , SrcDvcIpAddr=IpAddress\n , EventOriginalType=EventID\n | extend EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventProduct = \"Security Events\"\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n , ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount)\n , ActorUsernameType= iff(SubjectDomainName in ('-',''),'Simple', 'Windows' )\n , TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), trim(@'\\\\',TargetAccount))\n , TargetUsernameType=iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType 
(ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , Dvc=SrcDvcHostname\n };\nunion isfuzzy=true SecEventLogon(starttime, endtime, targetusername_has, disabled)\n , WinLogon(starttime, endtime, targetusername_has, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md deleted file mode 100644 index ac61dab7662..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Okta ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for Okta. - -This ASIM parser supports filtering and normalizing Okta sign in logs, stored in the Okta_CL table, to the ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationOktaOSS%2FvimAuthenticationOktaOSS.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationOktaOSS%2FvimAuthenticationOktaOSS.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json deleted file mode 100644 index 71d5a0d8b98..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationOktaSSO", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Okta", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationOktaSSO", - "query": "let OktaSignin=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n Okta_CL | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (actor_alternateId_s has 
targetusername_has))\n // ************************************************************************* \n // \n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s\n , TargetUserIdType='OktaId'\n , TargetUsernameType='UPN'\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , ActingAppType = \"Browser\"\n | project-rename \n EventMessage=displayMessage_s\n ,EventOriginalResultDetails=outcome_reason_s\n , LogonMethod = authenticationContext_credentialType_s\n , TargetSessionId=authenticationContext_externalSessionId_s\n , TargetUserId= actor_id_s\n , TargetUsername=actor_alternateId_s\n , TargetUserType=actor_type_s\n , SrcDvcOs=client_userAgent_os_s\n , HttpUserAgent=client_userAgent_rawUserAgent_s\n , ActingAppName = client_userAgent_browser_s\n , SrcIsp=securityContext_isp_s\n , SrcGeoCity=client_geographicalContext_city_s\n , SrcGeoCountry=client_geographicalContext_country_s\n , EventOriginalUid = uuid_g\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n | project-away *_s, *_d, *_b, *_g, *_t\n };\nOktaSignin(starttime, endtime, targetusername_has, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file 
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md deleted file mode 100644 index 50d3ac9150b..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# PostgreSQL ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for PostgreSQL. - -This ASIM parser supports filtering and normalizing PostgreSQL sign in logs to the ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPostgreSQL%2FvimAuthenticationPostgreSQL.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPostgreSQL%2FvimAuthenticationPostgreSQL.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json deleted file mode 100644 index 85e9ff9b864..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationPostgreSQL", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for PostgreSQL", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationPostgreSQL", - "query": "let PostgreSQLSignInAuthorized=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// ************************************************************************* \n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n , 
EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , EventOriginalRestultDetails = 'Connection authorized'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** *********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has 'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 
'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'User authentication failed'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure2=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has_all ('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername 
= extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'Role does not exist'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure3=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n , SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , 
EventOriginalRestultDetails = 'No entry for user'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLDisconnect=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logoff'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , SrcIpAddr = extract(@'host=\\[?(.*?)\\]?', 1, RawData)\n , EventResultDetails = 'Session expired'\n , EventOriginalRestultDetails = 'User session closed'\n// ********************** **********************************\n | where (targetusername_has=='*' 
or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nunion isfuzzy=false PostgreSQLSignInAuthorized(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLAuthFailure1(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLAuthFailure2(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLAuthFailure3(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLDisconnect(starttime, endtime, targetusername_has, disabled)\n", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md deleted file mode 100644 index d8f007d0480..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md +++ /dev/null 
@@ -1,18 +0,0 @@
-# Salesforce Service Cloud ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for Salesforce Service Cloud.
-
-This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
deleted file mode 100644
index 7c75582def9..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSalesforceSC", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSalesforceSC", - "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let SalesforceSchema = datatable(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n organization_id_s: string,\n platform_type_s: string,\n request_id_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string\n )[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: 
string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect 
password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n )[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", 
\"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n ];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n )[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n ];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n 
\"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n // -- Pre filtering\n | where \n (isnull(starttime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) >= starttime) \n and (isnull(endtime) or todatetime(tostring(split(timestamp_s, '.', 0)[0])) <= endtime) \n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend LoginType_s = column_ifexists(\"login_type_s\", \"\")\n | extend LoginSubType_s = column_ifexists(\"login_sub_type_s\", \"\")\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0])),\n EventVendor = 'Salesforce',\n EventProduct='Salesforce Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s\n | extend\n TargetSessionId = 
coalesce(session_key_s, login_key_s),\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId,\n _ResourceId,\n wave_session_id_g\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md deleted file mode 100644 index 8ab78d3b8de..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md +++ /dev/null 
@@ -1,18 +0,0 @@
-# OpenSSH ASIM Authentication Normalization Parser
-
-ARM template for ASIM Authentication schema parser for OpenSSH.
-
-This ASIM parser supports filtering and normalizing OpenSSH server (sshd) sign in logs, collected using Syslog to the ASIM Authentication schema.
-
-
-The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
-
-For more information, see:
-
-- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
-- [Deploy all of ASIM](https://aka.ms/DeployASIM)
-- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
-
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSshd%2FvimAuthenticationSshd.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSshd%2FvimAuthenticationSshd.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json
deleted file mode 100644
index 0f4e835fd08..00000000000
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json
+++ /dev/null
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSshd", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for OpenSSH sshd", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSshd", - "query": "let parser = (\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n targetusername_has:string = \"*\", \n disabled:bool = false\n ) {\n let prefilter = (T:(SyslogMessage:string, TimeGenerated:datetime)) {\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (SyslogMessage has targetusername_has))\n };\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects | where not(disabled)\n | where ProcessName 
== \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventResult = 'Success'\n , EventSeverity = 'Informational'\n , EventType = 'Logon'\n , EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low' \n , EventType = 'Logon'\n , LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n , EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n , EventCount = toint(coalesce(EventCount,1))\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventSeverity = 'Informational'\n , EventType = 'Logoff'\n , EventResult = 'Success'\n , EventCount = 
int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low'\n , EventType = 'Logon'\n , EventResultDetails = 'No such user'\n , EventCount = int(1)\n , SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n , SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - 
POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled)\n , SSHDFailed (disabled=disabled)\n , SSHDInvalidUser (disabled=disabled)\n , SSHDTimeout (disabled=disabled)\n , SSHDABreakInAttemptMappingFailed (disabled=disabled)\n , SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n , SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | where targetusername_has=='*' or (TargetUsername has targetusername_has)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n , EventProduct = 'OpenSSH'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n 
, LogonProtocol = 'ssh'\n , TargetAppName = 'sshd'\n , TargetAppType = 'Service'\n , EventSubType = 'Remote'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetUsernameType = 'Simple'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = _SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , TargetIpAddr = DvcIpAddr\n };\n parser (\n disabled = disabled,\n starttime = starttime, \n endtime = endtime,\n targetusername_has = targetusername_has\n )", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md deleted file mode 100644 index ed4264f92c5..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md +++ /dev/null 
@@ -1,18 +0,0 @@ -# su ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for su. - -This ASIM parser supports filtering and normalizing Linux su elevation commands collected using Syslog to the ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSu%2FvimAuthenticationSu.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSu%2FvimAuthenticationSu.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json deleted file mode 100644 index 7dcb20bc3bb..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationSu", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Linux su", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationSu", - "query": "let parser = (\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n targetusername_has:string = \"*\", \n disabled:bool = false\n ) {\n let prefilter = (T:(SyslogMessage:string, TimeGenerated:datetime)) {\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (SyslogMessage has targetusername_has))\n };\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Sucessful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage 
startswith \"Successful su for\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for \" TargetUsername:string \" by \" ActorUsername:string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n };\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | invoke prefilter()\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n , SuDisconnect(disabled = disabled)\n | where targetusername_has=='*' or (TargetUsername has targetusername_has)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n EventVendor = 'Linux'\n , EventProduct = 'su'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , ActorUsernameType = 'Simple'\n , TargetUsernameType = 'Simple'\n , EventSeverity = 'Informational'\n , ActingAppType = 'Process'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = _SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , 
TargetIpAddr = DvcIpAddr\n};\nparser (\n disabled = disabled,\n starttime = starttime, \n endtime = endtime,\n targetusername_has = targetusername_has\n)", - "version": 1, - "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" - } - } - ] - } - ] -} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md deleted file mode 100644 index cb7cfd9ba2d..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md +++ /dev/null @@ -1,18 +0,0 @@ -# Vectra ASIM Authentication Normalization Parser - -ARM template for ASIM Authentication schema parser for Vectra. - -This ASIM parser supports filtering and normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Authentication schema. - - -The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. - -For more information, see: - -- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) -- [Deploy all of ASIM](https://aka.ms/DeployASIM) -- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) - -
- -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json deleted file mode 100644 index c0e1080bac8..00000000000 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json +++ /dev/null 
@@ -1,46 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "Workspace": { - "type": "string", - "metadata": { - "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." - } - }, - "WorkspaceRegion": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "The region of the selected workspace. The default value will use the Region selection above." - } - } - }, - "resources": [ - { - "type": "Microsoft.OperationalInsights/workspaces", - "apiVersion": "2017-03-15-preview", - "name": "[parameters('Workspace')]", - "location": "[parameters('WorkspaceRegion')]", - "resources": [ - { - "type": "savedSearches", - "apiVersion": "2020-08-01", - "name": "vimAuthenticationVectraXDRAudit", - "dependsOn": [ - "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" - ], - "properties": { - "etag": "*", - "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event", - "category": "ASIM", - "FunctionAlias": "vimAuthenticationVectraXDRAudit", - "query": "let parser = (disabled:bool = false, starttime:datetime=datetime(null), endtime:datetime=datetime(null))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\") and (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime)\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n 
ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, starttime=starttime, endtime=endtime)", - "version": 1, - "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null)" - } - } - ] - } - ] -} \ No newline at end of file
From 2e1883edd5a5987e1b94a1b507a30863518aed05 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Fri, 8 Dec 2023 16:55:10 +0530
Subject: [PATCH 33/38] updating test results
---
 .../ASimAuthenticationSalesforceSC.yaml | 1 +
 .../vimAuthenticationSalesforceSC.yaml | 1 +
 ...Salesforce_ASimAuthentication_DataTest.csv | 44 +++++++++----------
 ...lesforce_ASimAuthentication_SchemaTest.csv | 3 +-
 .../Salesforce_vimAuthentication_DataTest.csv | 44 +++++++++----------
 ...alesforce_vimAuthentication_SchemaTest.csv | 3 +-
 6 files changed, 46 insertions(+), 50 deletions(-)
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
index 9c6c6938930..bade6bc73e5 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml
@@ -311,6 +311,7 @@ ParserQuery: |
 EventSchema = 'Authentication',
 EventSchemaVersion = '0.1.3',
 TargetAppName = "Salesforce Dot Com(SFDC)", 
+ TargetAppType = "SaaS application",
 EventUid = _ItemId,
 EventOriginalType=event_type_s,
 SrcIpAddr = coalesce(SrcIpAddr, client_ip_s) 
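Review bot: The `SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)` context line still passes the source's literal `"Salesforce.com IP"` into an IP-typed field; the DataTest results updated in this same patch report it as an invalid IP Address value for both `SrcIpAddr` and `IpAddr` in a third of the records, and the `TargetAppType` addition does not touch that. If that literal is what the source emits for Salesforce-internal traffic, blank it rather than propagate it, e.g. `SrcIpAddr = iff(coalesce(SrcIpAddr, client_ip_s) == "Salesforce.com IP", "", coalesce(SrcIpAddr, client_ip_s))`, so IP-based correlation downstream is not fed a non-address. The same DataTest also shows the mandatory `EventResult` empty in 66.67% of records and `ActorUserIdType`/`TargetUserIdType` set to `"SaleforceId"` (flagged as an invalid enumerated value, and reading as a misspelling of `SalesforceId`), which means successful and failed logons cannot be told apart for most events; those assignments sit outside this hunk, but the test output confirms they remain. The `ParserQuery` block this hunk sits in starts and ends outside the hunk, and the identical change and findings apply to the vimAuthenticationSalesforceSC.yaml hunk that follows.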
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
index 8a85961ad08..6a0ce569142 100644
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml
@@ -331,6 +331,7 @@ ParserQuery: |
 EventSchema = 'Authentication',
 EventSchemaVersion = '0.1.3',
 TargetAppName = "Salesforce Dot Com(SFDC)", 
+ TargetAppType = "SaaS application",
 EventUid = _ItemId,
 EventOriginalType=event_type_s,
 SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)
diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv
index 53b01c096da..b430a72af43 100644
--- a/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv
+++ b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv
@@ -1,24 +1,22 @@
 Result
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Salesforce Service Cloud""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
-"(1) Warning: Empty value in 20 records (66.67%) in mandatory field [EventResult] (Schema:Authentication)"
-"(2) Info: Empty value in 10 records (33.33%) in optional field [HttpUserAgent] (Schema:Authentication)"
-"(2) Info: Empty value in 10 records (33.33%) in optional field [TargetUrl] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUserId] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUsername] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOsVersion] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOs] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [EventOriginalResultDetails] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [EventProductVersion] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [TargetOriginalUserType] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in recommended 
field [DvcAction] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in recommended field [EventSeverity] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in recommended field [Src] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonMethod] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonProtocol] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUserType] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUsername] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in recommended field [EventResultDetails] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 450 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(1) Warning: Empty value in 300 records (66.67%) in mandatory field [EventResult] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%) in optional field [HttpUserAgent] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%) in optional field [TargetUrl] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [ActorUserId] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [ActorUsername] (Schema:Authentication)"
+"(2) Info: 
Empty value in 300 records (66.67%) in optional field [DvcOsVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [DvcOs] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [EventOriginalResultDetails] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [EventProductVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [TargetOriginalUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in recommended field [DvcAction] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in recommended field [EventSeverity] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [LogonMethod] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [LogonProtocol] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [TargetUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [TargetUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in recommended field [EventResultDetails] (Schema:Authentication)"
diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv
index 0c8ab1874f7..85c33c4ddb7 100644
--- a/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv
+++ b/Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv
@@ -52,7 +52,6 @@
 "(2) Info: Missing optional field [SrcPortNumber]"
 "(2) Info: Missing optional field [SrcRiskLevel]"
 "(2) Info: Missing optional field [TargetAppId]"
-"(2) Info: Missing optional field [TargetAppType]"
 "(2) Info: Missing optional field [TargetDescription]"
 "(2) Info: Missing optional field [TargetDeviceType]"
 "(2) Info: Missing optional field [TargetDvcId]"
@@ -65,7 +64,6 @@
 "(2) Info: Missing optional field [TargetGeoLatitude]"
 "(2) Info: Missing optional field [TargetGeoLongitude]"
 "(2) Info: Missing optional field [TargetGeoRegion]"
-"(2) Info: Missing optional field [TargetHostname]"
 "(2) Info: Missing optional field [TargetIpAddr]"
 "(2) Info: Missing optional field [TargetOriginalRiskLevel]"
 "(2) Info: Missing optional field [TargetPortNumber]"
@@ -86,3 +84,4 @@
 "(2) Info: extra unnormalized column [LogonProtocolOriginal]"
 "(2) Info: extra unnormalized column [TlsCipher]"
 "(2) Info: extra unnormalized column [TlsVersion]"
+"(2) Info: extra unnormalized column [_ResourceId]"
diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv
index 53b01c096da..b430a72af43 100644
--- a/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv
+++ b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv
@@ -1,24 +1,22 @@
 Result
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 10 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [EventProduct] of type [Enumerated]: [""Salesforce Service Cloud""] (Schema:Authentication)"
-"(0) Error: 1 invalid value(s) (up to 10 listed) in 30 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
-"(1) Warning: Empty value in 20 records (66.67%) in mandatory field [EventResult] (Schema:Authentication)"
-"(2) Info: Empty value in 10 records (33.33%) in optional field [HttpUserAgent] (Schema:Authentication)"
-"(2) Info: Empty value in 10 records (33.33%) in optional field [TargetUrl] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUserId] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [ActorUsername] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOsVersion] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [DvcOs] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [EventOriginalResultDetails] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [EventProductVersion] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in optional field [TargetOriginalUserType] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in recommended 
field [DvcAction] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in recommended field [EventSeverity] (Schema:Authentication)"
-"(2) Info: Empty value in 20 records (66.67%) in recommended field [Src] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonMethod] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [LogonProtocol] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUserType] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in optional field [TargetUsername] (Schema:Authentication)"
-"(2) Info: Empty value in 30 records (100.0%) in recommended field [EventResultDetails] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 450 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(1) Warning: Empty value in 300 records (66.67%) in mandatory field [EventResult] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%) in optional field [HttpUserAgent] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%) in optional field [TargetUrl] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [ActorUserId] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [ActorUsername] (Schema:Authentication)"
+"(2) Info: 
Empty value in 300 records (66.67%) in optional field [DvcOsVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [DvcOs] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [EventOriginalResultDetails] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [EventProductVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in optional field [TargetOriginalUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in recommended field [DvcAction] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%) in recommended field [EventSeverity] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [LogonMethod] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [LogonProtocol] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [TargetUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in optional field [TargetUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%) in recommended field [EventResultDetails] (Schema:Authentication)"
diff --git a/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv
index 0c8ab1874f7..85c33c4ddb7 100644
--- a/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv
+++ b/Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv
@@ -52,7 +52,6 @@
 "(2) Info: Missing optional field [SrcPortNumber]"
 "(2) Info: Missing optional field [SrcRiskLevel]"
 "(2) Info: Missing optional field [TargetAppId]"
-"(2) Info: Missing optional field [TargetAppType]"
 "(2) Info: Missing optional field [TargetDescription]"
 "(2) Info: Missing optional field [TargetDeviceType]"
 "(2) Info: Missing optional field [TargetDvcId]"
@@ -65,7 +64,6 @@
 "(2) Info: Missing optional field [TargetGeoLatitude]"
 "(2) Info: Missing optional field [TargetGeoLongitude]"
 "(2) Info: Missing optional field [TargetGeoRegion]"
-"(2) Info: Missing optional field [TargetHostname]"
 "(2) Info: Missing optional field [TargetIpAddr]"
 "(2) Info: Missing optional field [TargetOriginalRiskLevel]"
 "(2) Info: Missing optional field [TargetPortNumber]"
@@ -86,3 +84,4 @@
 "(2) Info: extra unnormalized column [LogonProtocolOriginal]"
 "(2) Info: extra unnormalized column [TlsCipher]"
 "(2) Info: extra unnormalized column [TlsVersion]"
+"(2) Info: extra unnormalized column [_ResourceId]"
From d76775e11461f66c434bb986fd9f64ca973ff0f4 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Fri, 8 Dec 2023 11:28:30 +0000
Subject: [PATCH 34/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ASimAuthenticationSalesforceSC.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
index 045571f5068..d2500cda5a3 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser for Salesforce Service Cloud", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSalesforceSC", - "query": "let parser = (\ndisabled: bool=false\n) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\nlogin_type_s: string,\nlogin_sub_type_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nrequest_status_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string,\nwave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: 
string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n 
\"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = 
tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser(disabled=disabled)", + "query": "let parser = (\ndisabled: bool=false\n) {\nlet SalesforceSchema = datatable(\napi_version_s: string,\nbrowser_type_s: string,\ncipher_suite_s: string,\nclient_ip_s: string,\ndelegated_user_id_s: string,\ndelegated_user_name_s: string,\nevent_type_s: string,\nlogin_key_s: string,\nlogin_status_s: string,\nlogin_type_s: string,\nlogin_sub_type_s: string,\norganization_id_s: string,\nplatform_type_s: string,\nrequest_id_s: string,\nrequest_status_s: string,\nsession_key_s: string,\nsource_ip_s: string,\ntimestamp_s: string,\ntls_protocol_s: 
string,\nuri_s: string,\nuser_id_s: string,\nuser_name_s: string,\nuser_type_s: string,\nwave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to 
Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", \"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n 
\"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", \"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | where event_type_s in~ (SalesforceEventType)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n 
TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser(disabled=disabled)", "version": 1, "functionParameters": "disabled:bool=False" } From 45bd8327675dbbca2e56b1a20380787ad90eafed Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 8 Dec 2023 17:15:17 +0530 Subject: [PATCH 35/38] indentation fix on union parsers --- .../Parsers/ASimAuthentication.yaml | 44 +++++++++---------- .../Parsers/imAuthentication.yaml | 43 +++++++++--------- 2 files changed, 42 insertions(+), 45 deletions(-) diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml index efe1bdfa60f..353dd49738c 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml @@ -12,7 +12,6 @@ References: Link: https://aka.ms/ASimAuthenticationDoc - Title: ASIM Link: https:/aka.ms/AboutASIM - Description: | This ASIM parser supports normalizing Authentication logs from all supported sources to the ASIM Authentication normalized schema.ParserName: ASimAuthentication ParserName: ASimAuthentication 
@@ -45,25 +44,24 @@ ParserQuery: |
 ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),
 ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),
 ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) ))
- 
- Parsers:
- - _Im_Authentication_Empty
- - _ASim_Authentication_AADManagedIdentitySignInLogs
- - _ASim_Authentication_AADNonInteractiveUserSignInLogs
- - _ASim_Authentication_AADServicePrincipalSignInLogs
- - _ASim_Authentication_AWSCloudTrail
- - _ASim_Authentication_BarracudaWAF
- - _ASim_Authentication_CiscoASA
- - _ASim_Authentication_CiscoISE
- - _ASim_Authentication_CiscoMeraki
- - _ASim_Authentication_M365Defender
- - _ASim_Authentication_MD4IoT
- - _ASim_Authentication_MicrosoftWindowsEvent
- - _ASim_Authentication_OktaSSO
- - _ASim_Authentication_PostgreSQL
- - _ASim_Authentication_SigninLogs
- - _ASim_Authentication_Sshd
- - _ASim_Authentication_Su
- - _ASim_Authentication_VectraXDRAudit
- - _ASim_Authentication_SentinelOne
- - _ASim_Authentication_SalesforceSC
+Parsers:
+ - _Im_Authentication_Empty
+ - _ASim_Authentication_AADManagedIdentitySignInLogs
+ - _ASim_Authentication_AADNonInteractiveUserSignInLogs
+ - _ASim_Authentication_AADServicePrincipalSignInLogs
+ - _ASim_Authentication_AWSCloudTrail
+ - _ASim_Authentication_BarracudaWAF
+ - _ASim_Authentication_CiscoASA
+ - _ASim_Authentication_CiscoISE
+ - _ASim_Authentication_CiscoMeraki
+ - _ASim_Authentication_M365Defender
+ - _ASim_Authentication_MD4IoT
+ - _ASim_Authentication_MicrosoftWindowsEvent
+ - _ASim_Authentication_OktaSSO
+ - _ASim_Authentication_PostgreSQL
+ - _ASim_Authentication_SigninLogs
+ - _ASim_Authentication_Sshd
+ - _ASim_Authentication_Su
+ - _ASim_Authentication_VectraXDRAudit
+ - _ASim_Authentication_SentinelOne
+ - _ASim_Authentication_SalesforceSC
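Review bot: Nothing in the new layout prevents the regression this hunk repairs from coming back: `ParserQuery: |` (which begins above the hunk) is a block scalar, so a `Parsers:` key indented under it is absorbed into the KQL text instead of being parsed as a key, and the old side of the generated ASimAuthentication.json hunk later in this series shows the deployed query string ending in `\n\nParsers:\n - _Im_Authentication_Empty\n ...`, which is presumably not valid KQL and would break the union function at deploy time. Dedenting `Parsers:` to column 0 is the right fix, and the `@@ -53,25 +53,24 @@` hunk in imAuthentication.yaml has the same shape. I would add a structural check to the parser-validation workflow that asserts the parsed YAML has a top-level `Parsers` list and that the `ParserQuery` value does not contain `Parsers:`, so a future re-indent fails CI rather than shipping a broken function. A comment above the key would also make the constraint visible to the next editor: `# Keep Parsers at column 0: anything indented under ParserQuery becomes part of the query text`.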
diff --git a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
index e9cb127a6e7..07c48ca82a2 100644
--- a/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
+++ b/Parsers/ASimAuthentication/Parsers/imAuthentication.yaml
@@ -53,25 +53,24 @@ ParserQuery: |
 , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))
 };
 Generic(starttime, endtime, targetusername_has)
- 
- Parsers:
- - _Im_Authentication_Empty
- - _Im_Authentication_AADManagedIdentitySignInLogs
- - _Im_Authentication_AADNonInteractiveUserSignInLogs
- - _Im_Authentication_AADServicePrincipalSignInLogs
- - _Im_Authentication_SigninLogs
- - _Im_Authentication_AWSCloudTrail
- - _Im_Authentication_OktaSSO
- - _Im_Authentication_M365Defender
- - _Im_Authentication_MicrosoftWindowsEvent
- - _Im_Authentication_MD4IoT
- - _Im_Authentication_PostgreSQL
- - _Im_Authentication_Sshd
- - _Im_Authentication_Su
- - _Im_Authentication_CiscoASA
- - _Im_Authentication_CiscoMeraki
- - _Im_Authentication_CiscoISE
- - _Im_Authentication_BarracudaWAF
- - _Im_Authentication_VectraXDRAudit
- - _Im_Authentication_SentinelOne
- - _Im_Authentication_SalesforceSC
+Parsers:
+ - _Im_Authentication_Empty
+ - _Im_Authentication_AADManagedIdentitySignInLogs
+ - _Im_Authentication_AADNonInteractiveUserSignInLogs
+ - _Im_Authentication_AADServicePrincipalSignInLogs
+ - _Im_Authentication_SigninLogs
+ - _Im_Authentication_AWSCloudTrail
+ - _Im_Authentication_OktaSSO
+ - _Im_Authentication_M365Defender
+ - _Im_Authentication_MicrosoftWindowsEvent
+ - _Im_Authentication_MD4IoT
+ - _Im_Authentication_PostgreSQL
+ - _Im_Authentication_Sshd
+ - _Im_Authentication_Su
+ - _Im_Authentication_CiscoASA
+ - _Im_Authentication_CiscoMeraki
+ - _Im_Authentication_CiscoISE
+ - _Im_Authentication_BarracudaWAF
+ - _Im_Authentication_VectraXDRAudit
+ - _Im_Authentication_SentinelOne
+ - _Im_Authentication_SalesforceSC
From 46e0c30300cfd3fd9bf68a36388b8d883d840914 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <> Date: Fri, 8 Dec 2023 11:48:08 +0000 Subject: [PATCH 36/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- .../ARM/FullDeploymentAuthentication.json | 863 ++++++++++++++++++ Parsers/ASimAuthentication/ARM/README.md | 17 + .../ARM/imAuthentication/README.md | 18 + .../imAuthentication/imAuthentication.json | 46 + .../README.md | 18 + .../vimAuthenticationAADManagedIdentity.json | 46 + .../README.md | 18 + .../vimAuthenticationAADNonInteractive.json | 46 + .../README.md | 18 + ...ticationAADServicePrincipalSignInLogs.json | 46 + .../vimAuthenticationAADSigninLogs/README.md | 18 + .../vimAuthenticationAADSigninLogs.json | 46 + .../vimAuthenticationAWSCloudTrail/README.md | 18 + .../vimAuthenticationAWSCloudTrail.json | 46 + .../vimAuthenticationBarracudaWAF/README.md | 18 + .../vimAuthenticationBarracudaWAF.json | 46 + .../ARM/vimAuthenticationCiscoASA/README.md | 18 + .../vimAuthenticationCiscoASA.json | 46 + .../ARM/vimAuthenticationCiscoISE/README.md | 18 + .../vimAuthenticationCiscoISE.json | 46 + .../vimAuthenticationCiscoMeraki/README.md | 18 + .../vimAuthenticationCiscoMeraki.json | 46 + .../ARM/vimAuthenticationEmpty/README.md | 18 + .../vimAuthenticationEmpty.json | 45 + .../vimAuthenticationM365Defender/README.md | 18 + .../vimAuthenticationM365Defender.json | 46 + .../README.md | 18 + .../vimAuthenticationMicrosoftMD4IoT.json | 46 + .../README.md | 18 + ...imAuthenticationMicrosoftWindowsEvent.json | 46 + .../ARM/vimAuthenticationOktaOSS/README.md | 18 + .../vimAuthenticationOktaOSS.json | 46 + .../ARM/vimAuthenticationPostgreSQL/README.md | 18 + .../vimAuthenticationPostgreSQL.json | 46 + .../vimAuthenticationSalesforceSC/README.md | 18 + .../vimAuthenticationSalesforceSC.json | 46 + .../vimAuthenticationSentinelOne/README.md | 18 + .../vimAuthenticationSentinelOne.json | 46 + .../ARM/vimAuthenticationSshd/README.md | 18 + .../vimAuthenticationSshd.json | 
46 + .../ARM/vimAuthenticationSu/README.md | 18 + .../vimAuthenticationSu.json | 46 + .../vimAuthenticationVectraXDRAudit/README.md | 18 + .../vimAuthenticationVectraXDRAudit.json | 46 + 45 files changed, 2224 insertions(+), 1 deletion(-) create mode 100644 Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json create mode 100644 Parsers/ASimAuthentication/ARM/README.md create mode 100644 Parsers/ASimAuthentication/ARM/imAuthentication/README.md create mode 100644 Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md create mode 100644 
Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json create mode 100644 
Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index e7d0c515335..8bfcd57530a 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) ))\n\nParsers:\n - _Im_Authentication_Empty\n - _ASim_Authentication_AADManagedIdentitySignInLogs \n - _ASim_Authentication_AADNonInteractiveUserSignInLogs\n - _ASim_Authentication_AADServicePrincipalSignInLogs \n - _ASim_Authentication_AWSCloudTrail\n - _ASim_Authentication_BarracudaWAF\n - _ASim_Authentication_CiscoASA\n - _ASim_Authentication_CiscoISE\n - _ASim_Authentication_CiscoMeraki\n - _ASim_Authentication_M365Defender \n - _ASim_Authentication_MD4IoT \n - _ASim_Authentication_MicrosoftWindowsEvent \n - _ASim_Authentication_OktaSSO \n - _ASim_Authentication_PostgreSQL\n - _ASim_Authentication_SigninLogs \n - _ASim_Authentication_Sshd\n - _ASim_Authentication_Su\n - _ASim_Authentication_VectraXDRAudit\n - _ASim_Authentication_SentinelOne\n - _ASim_Authentication_SalesforceSC\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | 
extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json new file mode 100644 index 00000000000..f5b9accf65b --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json 
@@ -0,0 +1,863 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthentication", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationAADManagedIdentity", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationAADNonInteractive", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationAADServicePrincipalSignInLogs", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationAADSigninLogs", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationAWSCloudTrail", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": 
"[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationBarracudaWAF", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationBarracudaWAF/ASimAuthenticationBarracudaWAF.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoASA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoASA/ASimAuthenticationCiscoASA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoISE", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoISE/ASimAuthenticationCiscoISE.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCiscoMeraki", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCiscoMeraki/ASimAuthenticationCiscoMeraki.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationM365Defender", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationMicrosoftMD4IoT", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationMicrosoftWindowsEvent", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, 
+ "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationOktaOSS", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationPostgreSQL", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationPostgreSQL/ASimAuthenticationPostgreSQL.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationSalesforceSC", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationSentinelOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSentinelOne/ASimAuthenticationSentinelOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationSshd", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationSu", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationSudo", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationVectraXDRAudit", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationVectraXDRAudit/ASimAuthenticationVectraXDRAudit.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedimAuthentication", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationAADManagedIdentity", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationAADNonInteractive", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationAADServicePrincipalSignInLogs", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationAADSigninLogs", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationAWSCloudTrail", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": 
"[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationBarracudaWAF", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoASA", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoISE", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCiscoMeraki", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationEmpty", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationM365Defender", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationMicrosoftMD4IoT", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": 
"[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationMicrosoftWindowsEvent", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationOktaOSS", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationPostgreSQL", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationSalesforceSC", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": 
"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationSentinelOne", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationSshd", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationSu", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, + { + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationVectraXDRAudit", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + } + ], + "outputs": {} +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/README.md b/Parsers/ASimAuthentication/ARM/README.md new file mode 100644 index 00000000000..ece8022e885 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/README.md @@ -0,0 +1,17 @@ +# Advanced Security Information Model (ASIM) Authentication parsers + +This template deploys all ASIM Authentication parsers. + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/ASimAuthenticationARM) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://aka.ms/ASimAuthenticationARMgov) + +
diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/README.md b/Parsers/ASimAuthentication/ARM/imAuthentication/README.md new file mode 100644 index 00000000000..dd57a727410 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/README.md @@ -0,0 +1,18 @@ +# Source agnostic ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Source agnostic. + +This ASIM parser supports filtering and normalizing Authentication logs from all supported sources to the ASIM Authentication normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json) diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json new file mode 100644 index 00000000000..51cf2df1818 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "imAuthentication", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser", + "category": "ASIM", + "FunctionAlias": "imAuthentication", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, 
(imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md new file mode 100644 index 00000000000..c64e0bb0867 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md 
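Review bot: In the union inside the `query` string, `vimAuthenticationVectraXDRAudit` and `vimAuthenticationSentinelOne` are called with three arguments `(starttime, endtime, <disabled expr>)` while every other source parser receives `targetusername_has` as its third argument. Those two parsers' signatures are not in this hunk; if they declare `targetusername_has`, the boolean is bound to the string parameter and the filter is silently lost, and if they do not, a `targetusername_has` filter given to `imAuthentication` is simply not enforced for those two sources, so the inconsistency needs resolving either way. Assuming they take the parameter, the calls should read `, vimAuthenticationVectraXDRAudit (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))` and likewise for SentinelOne. If this ARM JSON is generated from the parser's YAML source, the correction belongs there.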
@@ -0,0 +1,18 @@ +# AAD ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for AAD. + +This ASIM parser supports filtering and normalizing Azure Active Directory Managed Identity sign in logs, stored in the AADManagedIdentitySignInLogs table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json new file mode 100644 index 00000000000..cb7cfa55e91 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationAADManagedIdentitySignInLogs", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for AAD managed identity sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with 
malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n };\nlet parser = (\n 
starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n ) {\n AADManagedIdentitySignInLogs\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n and not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Managed Identity\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Application'\n , TargetUsernameType = 'Simple'\n , TargetUserIdType = 'AADID'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline 
at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md new file mode 100644 index 00000000000..5231f86118a --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md @@ -0,0 +1,18 @@ +# AAD ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for AAD. + +This ASIM parser supports filtering and normalizing Azure Active Directory Non Interactive sign in logs, stored in the AADNonInteractiveUserSignInLogs table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
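Review bot: `Dvc = 'Microsft/AAD'` in the `extend` block of the `query` string misspells the vendor, so the normalized `Dvc` value disagrees with `EventVendor = 'Microsoft'` set a few lines earlier and with any content filtering on `'Microsoft/AAD'`; it should read `, Dvc = 'Microsoft/AAD'`. In the same query, `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)` appears to fall back to the event type rather than the source's own code for a `ResultType` absent from `AADResultTypesLookup`, and the later `project-away ... Result*` then drops the raw code entirely; falling back to `ResultType` would preserve the original failure code for unmapped sign-ins, which is what an analyst needs when triaging. The lookup row `\"50173 -FreshTokenNeeded\"` also lacks the space after the dash that every other row has. If this ARM template is generated from the parser's YAML source, apply the fixes there.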
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json new file mode 100644 index 00000000000..b257b3e45c3 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationAADNonInteractiveUserSignInLogs", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for AAD non-interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon 
violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\n AADNonInteractiveUserSignInLogs | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchemaVersion='0.1.0'\n , EventCount=int(1)\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n , Location = todynamic(LocationDetails)\n , TargetAppId = ResourceIdentity \n , EventSubType = 'NonInteractive'\n , TargetUsernameType='UPN'\n , TargetUserIdType='AADID'\n , TargetAppName=ResourceDisplayName\n | extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , 
SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , SrcDvcIpAddr=IPAddress\n | lookup FailedReason on ResultType\n | extend\n User=TargetUsername\n , LogonTarget=ResourceIdentity\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime, endtime, targetusername_has, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md new file mode 100644 index 00000000000..fa1659c75a6 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md @@ -0,0 +1,18 @@ +# AAD ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for AAD. + +This ASIM parser supports filtering and normalizing Azure Active Directory Service Principal sign in logs, stored in the AADServicePrincipalSignInLogs table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
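Review bot: The FailedReason table in this parser (and the identical one in the vimAuthenticationSigninLogs hunk further down) maps '50173' and '70008' to 'Password expired' and '700016'/'500011' to 'No such user or password', while the AADResultTypesLookup in the service-principal parser added by this same commit maps 50173/70008 to 'Session expired' and 700016/500011 to 'No such user'. The same AAD result code therefore normalizes to a different EventResultDetails depending on which table it came from, which undermines detections written against that field in a source-agnostic way. Suggest aligning the rows (e.g. `'50173', 'Session expired',` and `'70008', 'Session expired',`) or, better, sharing one result-code lookup across the three AAD parsers the way the service-principal parser's `AADResultTypes` function already packages it. If these ARM templates are generated from the YAML parsers, the fix belongs in the YAML sources rather than here.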
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json
new file mode 100644
index 00000000000..241734fdde9
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationAADServicePrincipalSignInLogs", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for AAD service principal sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with 
malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\" ,\"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon 
violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n , EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n , EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n , EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n and not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId\n , TargetAppId = ResourceIdentity \n , TargetAppName = ResourceDisplayName\n , TargetUsername = ServicePrincipalName\n , TargetUserId = ServicePrincipalId\n , EventOriginalUid = Id\n , TargetSessionId = CorrelationId\n , SrcIpAddr = IPAddress\n , EventUid = _ItemId\n , EventProductVersion = OperationVersion\n | extend \n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.3'\n , Dvc = 'Microsft/AAD'\n , LogonMethod = \"Service Principal\"\n , TargetAppType = \"Resource\"\n , EventCount = int(1)\n , TargetUserType = 'Service'\n , TargetUsernameType = 
'Simple'\n , TargetUserIdType = 'AADID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n , SrcGeoCountry = Location\n , SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n , SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n , SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n User = TargetUsername\n , LogonTarget = TargetAppName\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , Application = TargetAppName\n , Dst = TargetAppName\n , Src = SrcIpAddr\n , IpAddr = SrcIpAddr\n , TargetSimpleUsername = TargetUsername\n , TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md new file mode 100644 index 00000000000..bf5232202f5 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md 
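Review bot: `Dvc = 'Microsft/AAD'` in the extend that follows `invoke AADResultTypes()` misspells the vendor, so any content that filters or groups on Dvc will not line up with this parser's events; it should read `, Dvc = 'Microsoft/AAD'`. Separately, inside `AADResultTypes` the fallback `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)` substitutes an event type for result codes the lookup does not know, and because `Result*` is projected away afterwards the original ResultType code is dropped for exactly those unmapped failures an analyst would most want to see. Falling back to the code itself, `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), ResultType, EventOriginalResultDetails)`, keeps it available for triage. If these ARM templates are generated from the YAML parsers, both changes belong in the YAML source.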
@@ -0,0 +1,18 @@
+# AAD ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for AAD.
+
+This ASIM parser supports filtering and normalizing Azure Active Directory Interactive sign in logs, stored in the SigninLogs table, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json
new file mode 100644
index 00000000000..23c08601506
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationSigninLogs", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for AAD interactive sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSigninLogs", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or 
password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Member', 'Regular',\n 'Guest','Guest', \n '',''\n];\nlet AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nSigninLogs | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n// ************************************************************************* \n// \n// ************************************************************************* \n| extend\n EventVendor = 'Microsoft'\n , EventProduct = 'AAD'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n , EventStartTime = TimeGenerated\n , EventEndTime= TimeGenerated\n , EventType= 'Logon'\n , SrcDvcId=tostring(DeviceDetail.deviceId)\n , SrcDvcHostname =tostring(DeviceDetail.displayName)\n , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n // , SrcBrowser= tostring(DeviceDetail.browser)\n , Location = todynamic(LocationDetails)\n , TargetUsernameType='Upn'\n , TargetUserIdType='AADID'\n , SrcDvcIpAddr=IPAddress\n| extend\n SrcGeoCity=tostring(Location.city)\n , SrcGeoCountry=tostring(Location.countryOrRegion)\n , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | 
lookup FailedReason on ResultType\n | project-rename\n EventOriginalUid =Id\n , LogonMethod = AuthenticationRequirement\n , HttpUserAgent=UserAgent\n , TargetSessionId=CorrelationId\n , TargetUserId = UserId\n , TargetUsername=UserPrincipalName\n , TargetAppId = ResourceIdentity\n , TargetAppName=ResourceDisplayName\n | lookup UserTypeLookup on UserType\n | project-away UserType\n // ** Aliases\n | extend \n User=TargetUsername\n , LogonTarget=TargetAppName\n , Dvc=EventVendor\n // -- Entity identifier explicit aliases\n , TargetUserUpn = TargetUsername\n , TargetUserAadId = TargetUserId \n };\nAADSigninLogs(starttime, endtime, targetusername_has, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md new file mode 100644 index 00000000000..e1dfb41e1e6 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md @@ -0,0 +1,18 @@ +# AWS ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for AWS. + +This ASIM parser supports filtering and normalizing Amazon Web Service sign in logs, stored in the AWSCloudTrail table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
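Review bot: `TargetUsernameType='Upn'` in the first extend uses a different casing from the `'UPN'` emitted by the non-interactive parser and by the AWS parser's `ASIM_GetUsernameType` helper in this same commit, so a consumer filtering on `TargetUsernameType == 'UPN'` silently misses interactive sign-ins; change it to `, TargetUsernameType='UPN'`. This parser also emits `SrcDvcIpAddr` (and omits `EventSchema`) where the 0.1.3 parsers in this commit emit `SrcIpAddr` and `EventSchema = 'Authentication'`, which is worth reconciling if the AAD parsers are meant to converge on one schema version. If the ARM templates are generated from the YAML parsers, fix the YAML source.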
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json
new file mode 100644
index 00000000000..9f7d84f9423
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationAWSCloudTrail", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for AWS sign-in logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationAWSCloudTrail", + "query": "// -- Refer to https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-user-identity.html for details\nlet usertype_lookup = datatable (TargetOriginalUserType:string, TargetUserType:string) [\n // -- For console login, only IAMUser, Root and AssumedRole are relevant\n 'Root', 'Admin', \n 'IAMUser', 'Regular', \n 'AssumedRole', 'Service', \n 'Role' ,'Service', \n 'FederatedUser', 'Regular',\n 'Directory','Other',\n 'AWSAccount','Guest',\n 'AWSService', 'Application',\n 'Unknown', 'Other',\n ];\n let eventresultdetails_lookup = datatable (EventOriginalResultDetails:string, EventOriginalDetails:string) [\n 'No username found in supplied account', 'No such user',\n 'Failed authentication', ''\n ];\n let ASIM_GetUsernameType = 
(username:string) { \n case ( \n username contains \"@\" , \"UPN\"\n , username contains \"\\\\\", \"Windows\"\n , (username has \"CN=\" or username has \"OU=\" or username has \"DC=\"), \"DN\"\n , isempty(username), \"\"\n , \"Simple\"\n )\n };\n let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n targetusername_has:string=\"*\", \n disabled:bool=false\n ) {\n AWSCloudTrail \n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and not(disabled)\n and EventName == 'ConsoleLogin'\n and (targetusername_has=='*' or UserIdentityArn has targetusername_has or UserIdentityUserName has targetusername_has)\n // -- end pre-filtering\n | project-rename\n EventOriginalUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n TargetOriginalUserType = UserIdentityType,\n EventProductVersion = EventVersion,\n SrcIpAddr = SourceIpAddress,\n TargeCloudRegion = AWSRegion,\n TargetUserScopeId = UserIdentityAccountId,\n HttpUserAgent = UserAgent,\n EventUid = _ItemId\n | extend\n TargetUsername = case (\n UserIdentityUserName == \"HIDDEN_DUE_TO_SECURITY_REASONS\", \"\",\n TargetOriginalUserType == 'IAMUser' , UserIdentityUserName,\n TargetOriginalUserType == 'Root' , 'root',\n TargetOriginalUserType == 'AssumedRole' , tostring(split(UserIdentityArn, '/')[-1]), // -- This is the AssuderRole session name, which typically represents a user. 
\n UserIdentityUserName\n )\n | where \n (targetusername_has=='*' or TargetUsername has targetusername_has)\n | extend\n EventVendor = 'AWS',\n Dvc = 'AWS',\n EventProduct = 'CloudTrail',\n EventCount = int(1),\n EventSchemaVersion = '0.1.3',\n EventSchema = 'Authentication',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n EventSubType = 'Interactive',\n TargetUserIdType = 'AWSId',\n LogonProtocol = 'HTTPS',\n TargetUserId = tostring(split(UserIdentityPrincipalid, ':')[0]),\n LogonMethod = iff (AdditionalEventData has '\"MFAUsed\": \"Yes\"', 'MFA',''),\n SrcDeviceType = iff (AdditionalEventData has '\"MobileVersion\":\"Yes\"', 'Mobile Device', 'Computer'),\n EventResult = iff (ResponseElements has 'Success', 'Success', 'Failure')\n | extend\n TargetUsernameType = ASIM_GetUsernameType (TargetUsername)\n | parse AdditionalEventData with * '\"LoginTo\":\"' TargetUrl:string '\"' *\n | lookup eventresultdetails_lookup on EventOriginalResultDetails\n | lookup usertype_lookup on TargetOriginalUserType \n | extend \n LogonTarget=tostring(split(TargetUrl,'?')[0]),\n EventSeverity = iff(EventResult == 'Failure', 'Low','Informational')\n // -- Specific idetifier aliases\n | extend \n TargetUserAWSId = TargetUserId\n // -- Aliases\n | extend\n User = TargetUsername,\n Dvc = EventVendor,\n Dst = LogonTarget,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away EventSource, EventTypeName, EventName, ResponseElements, AdditionalEventData, Session*, Category, ErrorCode, Aws*, ManagementEvent, OperationName, ReadOnly, RequestParameters, Resources, ServiceEventDetails, SharedEventId, SourceSystem, UserIdentity*, VpcEndpointId, APIVersion, RecipientAccountId, TenantId, EC2RoleDelivery\n };\n parser (\n starttime = starttime,\n endtime = endtime, \n targetusername_has = targetusername_has,\n disabled = disabled\n )\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md new file mode 100644 index 00000000000..653affdcc9f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/README.md @@ -0,0 +1,18 @@ +# Barracuda WAF ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Barracuda WAF. + +This ASIM parser supports normalizing the Barracuda WAF logs to the ASIM authentication normalized schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationBarracudaWAF%2FvimAuthenticationBarracudaWAF.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json
new file mode 100644
index 00000000000..732f70611bb
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationBarracudaWAF/vimAuthenticationBarracudaWAF.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationBarracudaWAF", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Barracuda WAF", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationBarracudaWAF", + "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n HostIP_s: string,\n host_s: string,\n LoginIP_s: string,\n Severity_s: string,\n LoginPort_d: real,\n AdminName_s: string,\n EventMessage_s: string,\n TimeTaken_d: real,\n TenantId: string,\n Message: string,\n SourceSystem: string,\n _ResourceId: string,\n RawData: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n SourceIP: string,\n TimeGenerated: datetime\n)[];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet EventTypeLookup = datatable (\n 
EventName_s: string,\n EventType_lookup: string,\n EventResult: string\n)\n [\n \"LOGIN\", \"Logon\", \"Success\",\n \"UNSUCCESSFUL_LOGIN\", \"Logoff\", \"Failure\",\n \"LOGOUT\", \"Logoff\", \"Success\"\n];\nlet EventResultDetailsLookup = datatable (\n Reason: string,\n EventResultDetails: string\n)\n [\n \"Invalid Username/Password\", \"Incorrect password\",\n \"Account Lockout\", \"User locked\",\n \"Expired or Disabled Accounts\", \"User disabled\",\n \"IP Blocking\", \"Logon violates policy\",\n \"Session Timeouts\", \"Session expired\",\n \"CAPTCHA Verification\", \"Other\"\n];\nlet parser = (\n starttime: datetime = datetime(null),\n endtime: datetime = datetime(null),\n targetusername_has: string = \"*\",\n disabled: bool = false) { \n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled)\n and (LogType_s == \"AUDIT\")\n and (EventName_s in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (AdminName_s has targetusername_has))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | lookup EventTypeLookup on EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | extend\n Dvc = UnitName_s,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(LoginPort_d),\n DvcIpAddr = HostIP_s,\n SrcIpAddr = LoginIP_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | 
extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n severity,\n EventType_lookup,\n TenantId,\n Message,\n SourceSystem,\n _ResourceId,\n RawData,\n Computer,\n MG,\n ManagementGroupName,\n SourceIP,\n Reason;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\"\n and (toupper(ProcessName) in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (DestinationUserName has targetusername_has))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | lookup EventResultDetailsLookup on Reason\n | extend ProcessName = toupper(ProcessName)\n | lookup EventTypeLookup on $left.ProcessName == $right.EventName_s\n | extend \n EventType = EventType_lookup,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | extend\n Dvc = DeviceName,\n EventCount = toint(1),\n EventProduct = \"WAF\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"Barracuda\"\n | extend\n SrcPortNumber = toint(SourcePort),\n DvcIpAddr = DeviceAddress,\n SrcIpAddr = SourceIP,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"), \n EventEndTime = 
EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n ThreatConfidence,\n EventType_lookup,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n targetusername_has = targetusername_has,\n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md
new file mode 100644
index 00000000000..98149d223ff
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/README.md
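Review bot: The EventTypeLookup table inside the query maps `UNSUCCESSFUL_LOGIN` to EventType `Logoff` with EventResult `Failure`, so every failed Barracuda admin login is normalized as a failed logoff and any content that selects `EventType == "Logon" and EventResult == "Failure"` (brute-force or password-spray detections) will never see it. The row should read `"UNSUCCESSFUL_LOGIN", "Logon", "Failure",` in both the custom-log and CEF paths, since both share the lookup. Separately, the `targetusername_has` parameter filters on `AdminName_s` / `DestinationUserName`, yet that value is emitted only as `ActorUsername` and no `TargetUsername` is set, so the filtering contract does not line up with the field consumers will query; emitting it as `TargetUsername` (plus `TargetUsernameType`) as the Cisco ASA parser in this series does would be consistent. This ARM template appears to be generated from the parser YAML, so the same fix presumably belongs in the source YAML.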
@@ -0,0 +1,18 @@
+# Cisco Adaptive Security Appliance (ASA) ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco Adaptive Security Appliance (ASA).
+
+This ASIM parser supports normalizing authentication events, collected from Cisco ASA devices, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoASA%2FvimAuthenticationCiscoASA.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json
new file mode 100644
index 00000000000..f3a3cebc7aa
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoASA/vimAuthenticationCiscoASA.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationCiscoASA", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering for Cisco Device Logon Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoASA", + "query": "let parser = (\n starttime:datetime=datetime(null)\n , endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n) {\n let DeviceEventClassIDLookup = datatable (DeviceEventClassID:string, EventResultDetails:string, EventType:string, EventResult:string, DvcAction:string, EventSubType:string)\n [\n \"113004\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113005\", \"Incorrect password\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113006\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"113008\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113010\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"113012\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n 
\"113019\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"113039\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"315011\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"502103\", \"\", \"Elevate\", \"Success\", \"Allowed\", \"AssumeRole\",\n \"605004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"605005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611101\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"611102\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"611103\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"713198\", \"Logon violates policy\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716002\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"716038\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"716039\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"716040\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"Remote\",\n \"722022\", \"\", \"Logon\", \"Success\", \"Allowed\", \"Remote\",\n \"722023\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722028\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"722037\", \"\", \"Logoff\", \"Success\", \"Allowed\", \"\",\n \"772002\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772003\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772004\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\",\n \"772005\", \"\", \"Logon\", \"Success\", \"Allowed\", \"\",\n \"772006\", \"Other\", \"Logon\", \"Failure\", \"Blocked\", \"\"\n ];\n let FilteredDeviceEventClassID = toscalar(\n DeviceEventClassIDLookup \n | summarize make_set(DeviceEventClassID)\n );\n let SeverityLookup = datatable (EventOriginalSeverity:string, EventSeverity:string)\n [\n \"1\", \"High\", // Alert,\n \"2\", \"High\", // Critical\n \"3\", \"Medium\", // Error\n \"4\", \"Low\", // Warning\n \"5\", \"Informational\", // Notification\n \"6\", \"Informational\", // 
Information\n \"7\", \"Informational\", // Debug\n ];\n let LogMessages = \n CommonSecurityLog \n | where not(disabled)\n | where\n (isnull(starttime) or TimeGenerated >= starttime) and\n (isnull(endtime) or TimeGenerated <= endtime) \n | where DeviceVendor =~ \"Cisco\"\n | where DeviceProduct == \"ASA\"\n | where (targetusername_has=='*' or (Message has targetusername_has))\n | where DeviceEventClassID in(FilteredDeviceEventClassID)\n | extend EventOriginalSeverity = tostring(split(Message,\"-\",1)[0])\n | lookup SeverityLookup on EventOriginalSeverity\n | project TimeGenerated, Type, Computer, _ItemId, DeviceEventClassID, Message, DeviceAddress, EventOriginalSeverity, EventSeverity\n | lookup DeviceEventClassIDLookup on DeviceEventClassID;\n union \n (\n LogMessages\n | where DeviceEventClassID == 113005\n | parse Message with * 'reason = ' EventOriginalResultDetails ' : server = ' TargetIpAddr ' ' * 'user = ' TargetUsername ' ' * 'user IP = ' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 502103\n | parse Message with * \"Uname: \" TargetUsername \" \" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(605004,605005)\n | parse Message with * 'from ' SrcIpAddr '/' SrcPortNumber:int \" to \" * \":\" TargetIpAddr '/' * 'user \"' TargetUsername '\"'\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(611101,611102)\n | parse Message with * 'IP address: ' SrcIpAddr ', Uname: ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 611103\n | parse Message with * ' Uname: ' TargetUsername\n | where 
(targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113004\n | parse Message with * 'server = ' TargetIpAddr ' ' * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113008,113012)\n | parse Message with * 'user = ' TargetUsername\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113019\n | parse Message with * 'Username = ' TargetUsername ', IP = ' SrcIpAddr ',' * \n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(113039,716002,716039,722022,722023,722028,722037)\n | parse Message with * '> User <' TargetUsername \"> IP <\" SrcIpAddr \">\" *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 315011\n | parse Message with * 'from ' SrcIpAddr ' ' * 'user \"' TargetUsername '\" ' * ' reason: \"' EventOriginalResultDetails '\" ' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | extend EventResultDetails = iif(EventOriginalResultDetails == \"Internal error\", \"Other\", EventResultDetails)\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113010\n | parse Message with * 'user ' TargetUsername ' from server' SrcIpAddr\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 113006\n | parse Message with * 'User ' TargetUsername ' locked' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n 
LogMessages\n | where DeviceEventClassID == 716040\n | parse Message with * 'Denied ' TargetUsername ' login' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 713198\n | parse Message with * 'Failed: ' TargetUsername ' User' *\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID == 716038\n | parse Message with * 'User ' TargetUsername ' IP ' SrcIpAddr ' Authentication'*\n | where (targetusername_has=='*' or (TargetUsername has targetusername_has))\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772002)\n | parse Message with * 'user ' TargetUsername ', cause: ' EventOriginalResultDetails\n | project-away Message\n ),\n (\n LogMessages\n | where DeviceEventClassID in(772003,772004)\n | parse Message with * 'user ' TargetUsername ', IP ' SrcIpAddr ', cause: ' EventOriginalResultDetails\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772005)\n | parse Message with * 'user ' TargetUsername ' passed'\n | project-away Message\n ), \n (\n LogMessages\n | where DeviceEventClassID in(772006)\n | parse Message with * 'user ' TargetUsername ' failed'\n | project-away Message\n )\n | project-rename \n DvcHostname = Computer,\n EventUid = _ItemId,\n EventOriginalType = DeviceEventClassID,\n DvcIpAddr = DeviceAddress\n | extend \n EventSchemaVersion = \"0.1.3\",\n EventSchema = \"Authentication\",\n EventVendor = \"Cisco\",\n EventProduct = \"ASA\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n Dvc = DvcHostname,\n User = TargetUsername,\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dst = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n EventResultDetails = iif(TargetUsername == \"*****\", \"No such user or password\", 
EventResultDetails)\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n) ",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md
new file mode 100644
index 00000000000..ff0a2814501
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/README.md
@@ -0,0 +1,18 @@
+# Cisco ISE ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco ISE.
+
+This ASIM parser supports normalizing Cisco ISE events produced by the Microsoft Sentinel Cisco ISE connector to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
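Review bot: The union branches for DeviceEventClassID 772002, 772003/772004, 772005 and 772006 are the only ones that do not re-apply the post-parse filter `| where (targetusername_has=='*' or (TargetUsername has targetusername_has))`, relying solely on the earlier `Message has targetusername_has` pre-filter. Because `has` on the whole message also matches the term inside the `cause:` text or the IP, this filtering (`vim`) parser can return rows whose TargetUsername does not contain the requested term, which breaks the contract callers rely on when they pass `targetusername_has`; adding that one `where` line after each of the four `parse` statements makes the branches consistent with the rest. A second, hedged point: for 113005 the parsed `reason` is kept only as EventOriginalResultDetails while EventResultDetails stays hard-coded to `Incorrect password` from the lookup, so if the device reports other rejection reasons for that ID (the `*****` special case suggests it does), those rows would be mislabelled; deriving EventResultDetails from EventOriginalResultDetails for that branch would be safer. This template appears to be generated from the parser YAML, so the change presumably belongs there too.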
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoISE%2FvimAuthenticationCiscoISE.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
new file mode 100644
index 00000000000..b9cb22b3228
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoISE/vimAuthenticationCiscoISE.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationCiscoISE", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Cisco ISE", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoISE", + "query": "let EventFieldsLookup=datatable(\n EventOriginalType: string,\n EventType: string,\n EventOriginalSeverity: string,\n EventResult: string,\n EventSeverity: string,\n EventResultDetails: string,\n EventMessage: string,\n EventOriginalResultDetails: string\n )[\n \"25104\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external REST ID store server succeeded\", \"Plain text password authentication in external REST ID store server succeeded\",\n \"25105\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external REST ID store server failed\", \"Plain text password authentication in external REST ID store server failed\",\n \"25106\", \"Logon\", \"DEBUG\", \"Failure\", 
\"Low\", \"No such user or password\", \"REST ID Store server indicated plain text password authentication failure\", \"REST ID store server indicated plain text password authentication failure\",\n \"25112\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"REST database indicated plain text password authentication failure\", \"REST database indicated plain text password authentication failure\",\n \"51000\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"51001\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator authentication succeeded\", \"Administrator authentication succeeded\",\n \"51002\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Administrator logged off\", \"Administrator logged off\",\n \"51003\", \"Logoff\", \"NOTICE\", \"Success\", \"Informational\", \"Session expired\", \"Session Timeout\", \"Administrator had a session timeout\",\n \"51004\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Rejected administrator session from unauthorized client IP address\", \"An attempt to start an administration session from an unauthorized client IP address was rejected. Check the client's administration access setting.\",\n \"51005\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Administrator account is disabled\", \"Administrator authentication failed. Administrator account is disabled.\",\n \"51006\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Administrator authentication failed. Account is disabled due to inactivity\", \"Administrator authentication failed. Account is disabled due to inactivity.\",\n \"51007\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"User disabled\", \"Authentication failed. 
Account is disabled due to password expiration\", \"Authentication failed. Account is disabled due to password expiration\",\n \"51008\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Logon violates policy\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts\", \"Administrator authentication failed. Account is disabled due to excessive failed authentication attempts.\",\n \"51009\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed. ISE Runtime is not running\", \"Authentication failed. ISE Runtime is not running\",\n \"51020\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"No such user\", \"Administrator authentication failed. Login username does not exist.\", \"Administrator authentication failed. Login username does not exist.\",\n \"51021\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Incorrect password\", \"Administrator authentication failed. Wrong password.\", \"Administrator authentication failed. Wrong password.\",\n \"51022\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed. System Error\", \"Administrator authentication failed. 
System Error\",\n \"51106\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"60075\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Sponsor has successfully authenticated\", \"Sponsor has successfully authenticated\",\n \"60076\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Sponsor authentication has failed\", \"Sponsor authentication has failed; please see Failure Code for more details\",\n \"60077\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MyDevices user authentication has failed\", \"MyDevices user authentication has failed\",\n \"60078\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices user has successfully authenticated\", \"MyDevices user has successfully authenticated\",\n \"60080\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"A SSH CLI user has successfully logged in\", \"A SSH CLI User has successfully logged in\",\n \"60081\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"A SSH CLI user has attempted unsuccessfully to login\", \"A SSH CLI user has attempted unsuccessfully to login\",\n \"60082\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User locked\", \"A SSH CLI user has attempted to login, however account is locked out\", \"A SSH CLI user has attempted to login, however account is locked out\",\n \"60135\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"MyDevices user SSO logout has failed\", \"MyDevices user SSO logout has failed\",\n \"60136\", \"Logoff\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Sponsor user SSO logout has failed\", \"Sponsor user SSO logout has failed\",\n \"60204\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"System root CLI account has successfully logged in\", \"System root CLI account has successfully logged in\",\n \"60205\", \"Logon\", \"INFO\", \"Success\", \"Informational\", 
\"\", \"A CLI user has logged in from console\", \"A CLI user has logged in from console\",\n \"60206\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"A CLI user has logged out from console\", \"A CLI user has logged out from console\",\n \"61012\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has authenticated against APIC successfully\", \"ISE has authenticated against APIC successfully\",\n \"61013\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to authenticate against APIC\", \"ISE failed to authenticate against APIC\",\n \"61014\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"ISE has refreshed authentication against APIC successfully\", \"ISE has refreshed authentication against APIC successfully\",\n \"61015\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"ISE failed to refresh authenticate against APIC\", \"ISE failed to refresh authenticate against APIC\",\n \"60507\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"ERS request rejected due to unauthorized user.\", \"ERS request was rejected because the user who sent the request is unauthorized.\",\n \"51025\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication for web services failed\", \"Authentication for web services failed.\",\n \"61076\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"Sponsor has been successfully logged out\", \"Sponsor has been successfully logged out\",\n \"61077\", \"Logoff\", \"INFO\", \"Success\", \"Informational\", \"\", \"MyDevices has been successfully logged out\", \"MyDevices has been successfully logged out\",\n \"10003\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user\", \"Internal error: Administrator authentication received blank Administrator name\", \"Internal error: AAC RT component received Administrator authentication request\",\n \"10004\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Incorrect password\", \"Internal 
error: Administrator authentication received blank Administrator password\", \"Internal error: AAC RT component received an Administrator authentication request with blank admin password\",\n \"10005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Administrator authenticated successfully\", \"Administrator authenticated successfully\",\n \"10006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Administrator authentication failed\", \"Administrator authentication failed\",\n \"10007\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Administrator authentication failed - DB Error\", \"Administrator authentication failed - DB Error\",\n \"22000\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication resulted in internal error\", \"Authentication resulted in internal error\",\n \"22004\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password\", \"Wrong password\",\n \"22028\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Authentication failed and the advanced options are ignored\", \"Authentication of the user failed and the advanced option settings specified in the identity portion of the relevant authentication policy were ignored. For PEAP, LEAP, EAP-FAST or RADIUS MSCHAP authentications, when authentication fails, ISE stops processing the request.\",\n \"22037\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Passed\", \"Authentication Passed, Skipping Attribute Retrieval\",\n \"22040\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Incorrect password\", \"Wrong password or invalid shared secret\", \"Wrong password or invalid shared secret\",\n \"22091\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed. User account is disabled due to excessive failed authentication attempts at global level\", \"Authentication failed. 
User account is disabled due to excessive failed authentication attempts at global level.\",\n \"5400\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5401\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Authentication failed\", \"User authentication failed. See FailureReason for more information\",\n \"5412\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"TACACS+ authentication request ended with error\", \"TACACS+ authentication request ended with an error\",\n \"5418\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"Guest Authentication Failed\", \"Guest Authentication failed; please see Failure code for more details\",\n \"5447\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"MDM Authentication Passed\", \"MDM Authentication passed\",\n \"5448\", \"Logon\", \"NOTICE\", \"Failure\", \"Low\", \"Other\", \"MDM Authentication Failed\", \"MDM Authentication failed; please see Failure code for more details\",\n \"86010\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user or password\", \"Guest user authentication failed\", \"Guest user authentication failed. Please check your password and account permission\",\n \"86011\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"Guest user is not enabled\", \"Guest user authentication failed. User is not enabled. Please contact your system administrator\",\n \"86014\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"User disabled\", \"User is suspended\", \"User authentication failed. User account is suspended\",\n \"86020\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Guest Unknown Error\", \"User authentication failed. 
Please contact your System Administrator\",\n \"24015\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authenticating user against LDAP Server\", \"Authenticating user against LDAP Server\",\n \"24020\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against the LDAP Server failed\", \"User authentication against the LDAP Server failed. The user entered the wrong password or the user record in the LDAP Server is disabled or expired\",\n \"24021\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"User authentication ended with an error\", \"User authentication against LDAP Server ended with an error\",\n \"24022\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication succeeded\", \"User authentication against LDAP Server succeeded\",\n \"24050\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate with LDAP Identity Store because password was not present or was empty\", \"ISE did not receive user password or received empty password. Plain password authentication cannot be performed with no password or empty password\",\n \"24054\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired\", \"The password has expired but there are remaining grace authentications. 
The user needs to change it\",\n \"24055\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that the user is authenticating for the first time after the password administrator set the password\", \"The user needs to change his password immediately\",\n \"24056\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Password expired\", \"User authentication against LDAP server detected that user password has expired and there are no more grace authentications\", \"The user needs to contact the password administrator in order to have its password reset\",\n \"24057\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against LDAP server detected that the password failure limit has been reached and the account is locked\", \"The user needs to retry later or contact the password administrator to reset the password\",\n \"24337\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication Ticket (TGT) request succeeded\", \"Authentication Ticket (TGT) request succeeded\",\n \"24338\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication Ticket (TGT) request failed\", \"Authentication Ticket (TGT) request failed\",\n \"24402\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"User authentication against Active Directory succeeded\", \"User authentication against Active Directory succeeded\",\n \"24403\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User authentication against Active Directory failed\", \"User authentication against Active Directory failed\",\n \"24406\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"User authentication against Active Directory failed since user has invalid credentials\", \"User authentication against Active Directory failed since user has invalid credentials\",\n \"24407\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"User 
authentication against Active Directory failed since user is required to change his password\", \"User authentication against Active Directory failed since user is required to change his password\",\n \"24408\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"User authentication against Active Directory failed since user has entered the wrong password\", \"User authentication against Active Directory failed since user has entered the wrong password\",\n \"24409\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"User authentication against Active Directory failed since the user's account is disabled\", \"User authentication against Active Directory failed since the user's account is disabled\",\n \"24410\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\", \"User authentication against Active Directory failed since user is considered to be in restricted logon hours\",\n \"24414\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"User authentication against Active Directory failed since the user's account has expired\", \"User authentication against Active Directory failed since the user's account has expired\",\n \"24415\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"User authentication against Active Directory failed since user's account is locked out\", \"User authentication against Active Directory failed since user's account is locked out\",\n \"24418\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since it is disabled in configuration\", \"Machine authentication against Active Directory failed since it is disabled in configuration\",\n \"24454\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Session expired\", \"User authentication against Active Directory failed because 
of a timeout error\", \"User authentication against Active Directory failed because of a timeout error\",\n \"24470\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Machine authentication against Active Directory is successful\", \"Machine authentication against Active Directory is successful.\",\n \"24484\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Password expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired\", \"Machine authentication against Active Directory has failed because the machine's password has expired.\",\n \"24485\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Machine authentication against Active Directory has failed because of wrong password\", \"Machine authentication against Active Directory has failed because of wrong password.\",\n \"24486\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled\", \"Machine authentication against Active Directory has failed because the machine's account is disabled.\",\n \"24487\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\", \"Machine authentication against Active Directory failed since machine is considered to be in restricted logon hours\",\n \"24489\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Account expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired\", \"Machine authentication against Active Directory has failed because the machine's account has expired.\",\n \"24490\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"User locked\", \"Machine authentication against Active Directory has failed because the machine's account is locked out\", \"Machine authentication against Active 
Directory has failed because the machine's account is locked out.\",\n \"24491\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials\", \"Machine authentication against Active Directory has failed because the machine has invalid credentials.\",\n \"24492\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"No such user or password\", \"Machine authentication against Active Directory has failed\", \"Machine authentication against Active Directory has failed.\",\n \"24496\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication rejected due to a white or black list restriction\", \"Authentication rejected due to a white or black list restriction\",\n \"24505\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"User authentication has succeeded\", \"User authentication against the RSA SecurID Server has succeeded.\",\n \"24508\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"User authentication failed\", \"User authentication against RSA SecurID Server failed\",\n \"24518\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"User canceled New PIN operation; User authentication against RSA SecurIDServer failed\", \"User canceled New PIN operation; User authentication against RSA SecurID Server failed\",\n \"24547\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Session expired\", \"RSA request timeout expired. RSA authentication session cancelled\", \"RSA request timeout expired. 
RSA authentication session cancelled.\",\n \"24612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Authentication against the RADIUS token server succeeded\", \"Authentication against the RADIUS token server succeeded.\",\n \"24613\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication against the RADIUS token server failed\", \"Authentication against the RADIUS token server failed.\",\n \"24614\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"No such user\", \"RADIUS token server authentication failure is translated as Unknown user failure\", \"RADIUS token server authentication failure is translated as Unknown user failure.\",\n \"24639\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Authentication passed via Passcode cache\", \"User record was found in Passcode cache, passcode matches the passcode on the authentication request. Authentication passed via Passcode cache.\",\n \"24704\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because identity credentials are ambiguous\", \"Authentication found several accounts matching to the given credentials (i.e identity name and password)\",\n \"24705\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because ISE server is not joined to required domains\", \"Authentication failed because ISE server is not joined to required domains\",\n \"24706\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because NTLM was blocked\", \"Authentication failed because NTLM was blocked\",\n \"24707\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Authentication failed because all identity names have been rejected\", \"Authentication failed all identity names has been rejected according AD Identity Store Advanced Settings\",\n \"24708\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"User not found in Active Directory. 
Some authentication domains were not available\", \"User not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24709\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user\", \"Host not found in Active Directory. Some authentication domains were not available\", \"Host not found in Active Directory. Some authentication domains were not available during identity resolution\",\n \"24712\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Logon violates policy\", \"Authentication failed because domain trust is restricted\", \"Authentication failed because domain trust is restricted\",\n \"24814\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"The responding provider was unable to successfully authenticate the principal\", \"The responding provider was unable to successfully authenticate the principal\",\n \"24853\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Plain text password authentication in external ODBC database succeeded\", \"Plain text password authentication in external ODBC database succeeded\",\n \"24854\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"Plain text password authentication in external ODBC database failed\", \"Plain text password authentication in external ODBC database failed\",\n \"24860\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"No such user or password\", \"ODBC database indicated plain text password authentication failure\", \"ODBC database indicated plain text password authentication failure\",\n \"24890\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Social Login operation failed\", \"Social Login operation failed. 
Check the message details for more information\",\n \"24716\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Active Directory Kerberos ticket authentication succeeded\", \"Active Directory Kerberos ticket authentication succeeded\",\n \"24717\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Active Directory Kerberos ticket authentication failed\", \"Active Directory Kerberos ticket authentication failed\",\n \"24719\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Incorrect password\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\", \"Active Directory Kerberos ticket authentication failed because of the ISE account password mismatch, integrity check failure or expired ticket\",\n \"89157\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"CMCS authentication failure\", \"ISE is unable to authenticate with the Cisco MDM Cloud Service\",\n \"89159\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"APNS authentication failure\", \"ISE is unable to authenticate with the Apple Push Notification System (APNS)\",\n \"89160\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"MDM User Authentication completed\", \"The User Authentication part of mobile device enrollment has completed\",\n \"33102\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Successful user login to ISE configuration mode\", \"ISE administrator logged in to ISE configuration mode\",\n \"33103\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"User login to ISE configuration mode failed\", \"Login to ISE configuration mode failed\",\n \"5200\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n \"5201\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Authentication succeeded\", \"User authentication ended successfully\",\n 
\"5231\", \"Logon\", \"NOTICE\", \"Success\", \"Informational\", \"\", \"Guest Authentication Passed\", \"Guest Authentication Passed\",\n \"11002\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"Returned RADIUS Access-Accept\", \"Returned RADIUS Access-Accept - authentication succeeded\",\n \"11003\", \"Logon\", \"DEBUG\", \"Failure\", \"Low\", \"Other\", \"Returned RADIUS Access-Reject\", \"Returned RADIUS Access-Reject - authentication failed\",\n \"11039\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"RADIUS authentication request rejected due to critical logging error\", \"A RADIUS authentication request was rejected due to a critical logging error.\",\n \"11052\", \"Logon\", \"ERROR\", \"Failure\", \"Low\", \"Other\", \"Authentication request dropped due to unsupported port number\", \"An authentication request was dropped because it was received through an unsupported port number.\",\n \"11812\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication succeeded.\",\n \"11813\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication failed.\",\n \"11814\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-MSCHAP authentication succeeded\", \"EAP-MSCHAP authentication for the inner EAP method succeeded.\",\n \"11815\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-MSCHAP authentication failed\", \"EAP-MSCHAP authentication for the inner EAP method failed.\",\n \"11823\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MSCHAP authentication attempt failed\", \"EAP-MSCHAP authentication attempt failed.\",\n \"11824\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-MSCHAP authentication attempt passed\", \"EAP-MSCHAP authentication attempt passed.\",\n \"12005\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-MD5 
authentication succeeded\", \"EAP-MD5 authentication succeeded.\",\n \"12006\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-MD5 authentication failed\", \"EAP-MD5 authentication failed.\",\n \"12208\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Client certificate was received but authentication failed\", \"ISE received client certificate during tunnel establishment or inside the tunnel but the authentication failed.\",\n \"12306\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"PEAP authentication succeeded\", \"PEAP authentication succeeded.\",\n \"12307\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"PEAP authentication failed\", \"PEAP authentication failed.\",\n \"12308\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Other\", \"Client sent Result TLV indicating failure\", \"Internal error, possibly in the supplicant: PEAP v0 authentication failed because client sent Result TLV indicating failure. Client indicates that it does not support Crypto-Binding TLV\",\n \"12506\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TLS authentication succeeded\", \"EAP-TLS authentication succeeded.\",\n \"12507\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TLS authentication failed\", \"EAP-TLS authentication failed.\",\n \"12528\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"Inner EAP-TLS authentication succeeded\", \"EAP-TLS authentication for the inner EAP method succeeded.\",\n \"12529\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-TLS authentication failed\", \"EAP-TLS authentication for the inner EAP method failed.\",\n \"12612\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication succeeded\", \"EAP-GTC authentication has succeeded.\",\n \"12613\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication failed\", \"EAP-GTC authentication has failed.\",\n \"12614\", \"Logon\", \"INFO\", 
\"Success\", \"Informational\", \"\", \"Inner EAP-GTC authentication succeeded\", \"EAP-GTC authentication for the inner EAP method has succeeded.\",\n \"12615\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"Inner EAP-GTC authentication failed\", \"EAP-GTC authentication for the inner EAP method has failed.\",\n \"12623\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-GTC authentication attempt failed\", \"The EAP-GTC authentication attempt has failed.\",\n \"12624\", \"Logon\", \"DEBUG\", \"Success\", \"Informational\", \"\", \"EAP-GTC authentication attempt passed\", \"The EAP-GTC authentication attempt has passed.\",\n \"12705\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"LEAP authentication passed; Continuing protocol\", \"LEAP authentication passed. Continue LEAP protocol.\",\n \"12706\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication failed; Finishing protocol\", \"LEAP authentication has failed. Protocol finished with a failure.\",\n \"12707\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"LEAP authentication error; Finishing protocol\", \"A LEAP authentication error has occurred. Protocol finished with an error.\",\n \"12854\", \"Logon\", \"WARN\", \"Failure\", \"Low\", \"Incorrect password\", \"Cannot authenticate because password was not present or was empty\", \"ISE did not receive user password or received empty password. 
Plain password authentication cannot be performed with no password or empty password\",\n \"12975\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"EAP-TTLS authentication succeeded\", \"EAP-TTLS authentication succeeded.\",\n \"12976\", \"Logon\", \"INFO\", \"Failure\", \"Low\", \"Other\", \"EAP-TTLS authentication failed\", \"EAP-TTLS authentication failed.\",\n \"11700\", \"Logon\", \"INFO\", \"Success\", \"Informational\", \"\", \"5G AKA Authentication succeeded\", \"5G AKA Authentication succeeded.\"\n ];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | summarize make_set(EventOriginalType));\nlet CiscoISEAuthParser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\", \n disabled: bool=false) {\n Syslog\n | where not(disabled)\n // ************************** ******************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or SyslogMessage has targetusername_has)\n // ************************** *****************************\n | where ProcessName has_any (\"CISE\", \"CSCO\")\n | parse kind = regex SyslogMessage with @\"\\d{10}\\s\" EventOriginalType @\"\\s(NOTICE|INFO|WARN|WARNING|ERROR|FATAL|DEBUG)\"\n | where EventOriginalType in (EventOriginalTypeList)\n | lookup EventFieldsLookup on EventOriginalType \n | parse-kv SyslogMessage as (FailureReason: string, NetworkDeviceName: string, Protocol: string, DestinationIPAddress: string, DestinationPort: int, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string, ['Device Port']: int, ['cisco-av-pair=audit-session-id']: string, ['Caller-Station-ID']: string) with (pair_delimiter=',', kv_delimiter='=')\n | project-rename\n LogonProtocol=Protocol\n ,\n TargetIpAddr=DestinationIPAddress\n ,\n TargetPortNumber=DestinationPort\n ,\n 
TargetSessionId=[\"cisco-av-pair=audit-session-id\"]\n ,\n SrcPortNumber=['Device Port']\n | invoke _ASIM_ResolveSrcFQDN(\"['Caller-Station-ID']\")\n | extend\n EventStartTime = coalesce(EventTime, TimeGenerated)\n ,\n EventEndTime = coalesce(EventTime, TimeGenerated)\n | extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n | extend TargetUsername = coalesce(['User-Name'], UserName, User)\n | extend\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n ,\n SrcIpAddr = coalesce(['Device IP Address'], ['Remote-Address'], tostring(extract(@\"Caller-Station-ID=(\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3})\", 1, SyslogMessage)), \"\")\n | extend EventOriginalResultDetails = case(isnotempty(FailureReason), FailureReason, EventOriginalResultDetails)\n | extend DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n // ********************** **********************************\n | where (targetusername_has == '*' or TargetUsername has targetusername_has)\n // ********************** *********************************\n | extend \n EventVendor = \"Cisco\"\n ,\n EventProduct = \"ISE\"\n ,\n EventProductVersion = \"3.2\"\n ,\n EventCount = int(1)\n ,\n EventSchema = \"Authentication\"\n ,\n EventSchemaVersion = \"0.1.3\" \n // ************************* **********************\n | extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n ,\n IpAddr = SrcIpAddr\n ,\n Dst = TargetIpAddr\n ,\n Src = SrcIpAddr\n ,\n User = TargetUsername\n // ************************* ******************** \n | project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n FailureReason,\n NetworkDeviceName,\n ['User-Name'],\n UserName,\n User,\n ['Remote-Address'],\n ['Device IP Address'],\n ['Caller-Station-ID']\n};\nCiscoISEAuthParser(\n starttime=starttime, \n 
endtime=endtime,\n targetusername_has=targetusername_has, \n disabled=disabled)\n",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md
new file mode 100644
index 00000000000..a36bf373a9a
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/README.md
@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Authentication normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCiscoMeraki%2FvimAuthenticationCiscoMeraki.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json
new file mode 100644
index 00000000000..412ad7f6428
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCiscoMeraki/vimAuthenticationCiscoMeraki.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationCiscoMeraki", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for Cisco Meraki", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCiscoMeraki", + "query": "let LogSubTypeList = dynamic([\"8021x_auth\", \"wpa_auth\", \"splash_auth\", \"8021x_deauth\", \"8021x_client_deauth\", \"wpa_deauth\", \"8021x_eap_failure\", \"8021x_eap_success\"]);\nlet EventResultDetailsLookup = datatable (reason: string, EventResultDetails: string)\n [\n \"0\", \"Other\",\n \"1\", \"Other\",\n \"2\", \"Password expired\",\n \"3\", \"Other\",\n \"4\", \"Session expired\",\n \"5\", \"Other\",\n \"6\", \"Other\",\n \"7\", \"Other\",\n \"8\", \"Other\",\n \"9\", \"Other\",\n \"10\", \"Logon violates policy\",\n \"11\", \"Logon violates policy\",\n \"12\", \"Other\",\n \"13\", \"Logon violates policy\",\n \"14\", \"Other\",\n \"15\", \"Other\",\n \"16\", \"Other\",\n \"17\", \"Other\",\n \"18\", \"Incorrect key\",\n \"19\", \"Incorrect key\",\n \"20\", \"Incorrect 
key\",\n \"21\", \"Other\",\n \"22\", \"Other\",\n \"23\", \"Other\",\n \"24\", \"Logon violates policy\",\n];\nlet EventFieldsLookup = datatable (\n LogSubType: string,\n EventResult: string,\n EventType: string,\n EventSeverity: string\n)\n [\n \"8021x_auth\", \"Success\", \"Logon\", \"Informational\",\n \"wpa_auth\", \"Success\", \"Logon\", \"Informational\",\n \"splash_auth\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_eap_success\", \"Success\", \"Logon\", \"Informational\",\n \"8021x_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_client_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"wpa_deauth\", \"Success\", \"Logoff\", \"Informational\",\n \"8021x_eap_failure\", \"Failure\", \"Logon\", \"Low\",\n \"disassociation\", \"Failure\", \"Logon\", \"Low\",\n];\nlet parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), targetusername_has: string='*') {\n union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n )\n | where not(disabled)\n and LogMessage has \"events\"\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n and targetusername_has == \"*\" or LogMessage has targetusername_has\n and (LogMessage has_any (LogSubTypeList) or LogMessage has_all (\"disassociation\",\"auth_neg_failed\"))\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1]),\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend EventEndTime = EventStartTime\n | where LogType == \"events\"\n | parse 
Substring with * \"type=\" LogSubType:string \" \" restOfMessage:string\n | where LogSubType in (LogSubTypeList) or (LogSubType == \"disassociation\" and Substring has \"auth_neg_failed\")\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | parse-kv Substring as(last_known_client_ip: string, ip: string, client_ip: string, client_mac: string, identity: string, reason: string, aid: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend TargetUsername = identity\n | extend TargetUsername = trim('\"', TargetUsername)\n | where (targetusername_has == \"*\" or TargetUsername has targetusername_has)\n | extend Dvc = DvcHostname, \n aid = trim('\"', aid)\n | extend\n SrcIpAddr = tostring(split(coalesce(last_known_client_ip, ip, client_ip), \" \")[0]),\n DvcMacAddr = client_mac,\n AdditionalFields = bag_pack(\"aid\", aid),\n EventOriginalType = LogType,\n EventOriginalSubType = LogSubType,\n TargetUsernameType = iff(isnotempty(TargetUsername), \"Simple\", \"\"),\n EventUid = _ResourceId\n | extend\n SrcIpAddr = trim('\"', SrcIpAddr),\n DvcMacAddr = trim('\"', DvcMacAddr),\n reason = trim('\"', reason)\n | extend\n DvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr,\n User = TargetUsername\n | lookup EventFieldsLookup on LogSubType\n | lookup EventResultDetailsLookup on reason\n | extend EventResultDetails = iff(tolong(reason) between (25 .. 
65535), \"Other\", EventResultDetails)\n | extend\n EventCount=int(1),\n EventProduct=\"Meraki\",\n EventVendor=\"Cisco\",\n EventSchema=\"Authentication\",\n EventSchemaVersion=\"0.1.3\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n LogType,\n LogSubType,\n restOfMessage,\n reason,\n last_known_client_ip,\n client_ip,\n ip,\n client_mac,\n identity,\n aid,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n};\nparser(disabled=disabled, starttime=starttime, endtime=endtime, targetusername_has=targetusername_has)\n",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md
new file mode 100644
index 00000000000..c828412636d
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md
@@ -0,0 +1,18 @@
+# Microsoft Sentinel ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Microsoft Sentinel.
+
+This function returns an empty ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json
new file mode 100644
index 00000000000..1bcaffc0c0e
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json
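Review bot: The pre-filter `| where not(disabled) and LogMessage has "events" and (...starttime...) and (...endtime...) and targetusername_has == "*" or LogMessage has targetusername_has and (LogMessage has_any (LogSubTypeList) or ...)` in the Meraki query mixes `and` with an unparenthesized `or`, and KQL binds `and` tighter than `or`, so whenever a caller passes a targetusername_has value the right-hand branch is evaluated without the `disabled`, `events` and time-window conditions. That means the disabled switch and starttime/endtime bounds silently stop applying to filtered invocations, which is exactly the case analytic rules use. Parenthesize the username test the way the later per-row check already does: `and (targetusername_has == "*" or LogMessage has targetusername_has)`. Separately, the dot in the timestamp regex `(\d+.\d+)` is unescaped and matches any character; `(\d+\.\d+)` is what the `split(Epoch, ".")` two extends later assumes.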
@@ -0,0 +1,45 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationEmpty", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM schema function", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationEmpty", + "query": "let EmptyAuthenticationTable=datatable(\n EventProduct:string\n , EventProductVersion: string\n , EventVendor:string\n , EventCount:int\n , EventReportUrl:string\n , EventSchemaVersion:string\n , EventSchema:string\n , TimeGenerated:datetime\n , EventOriginalUid:string\n , EventOriginalType:string\n , EventOriginalSubType:string\n , EventMessage:string\n , EventResult:string\n , EventResultDetails:string\n , EventOriginalResultDetails:string\n , EventStartTime:datetime\n , EventEndTime:datetime\n , EventType:string\n , EventSubType:string\n , EventUid:string\n , EventSeverity:string\n , EventOriginalSeverity:string\n , EventOwner:string\n , ActorSessionId:string\n , TargetSessionId:string\n , ActorUserId:string\n , ActorUsername:string\n , ActorUserType:string\n , ActorUserIdType:string\n , 
ActorUsernameType:string\n , ActorScopeId:string\n , ActorOriginalUserType:string\n , TargetUserId:string\n , TargetUsername:string\n , TargetUserType:string\n , SrcDvcId:string\n , SrcDvcIdType:string\n , SrcDeviceType:string\n , SrcDvcOs:string\n , HttpUserAgent:string\n , SrcIsp:string\n , SrcGeoCity:string\n , SrcGeoCountry:string\n , SrcGeoRegion:string\n , SrcGeoLatitude:real\n , SrcGeoLongitude:real\n , SrcIpAddr:string\n , SrcPortNumber:string\n , SrcHostname:string\n , SrcDomain:string\n , SrcDomainType:string\n , SrcFQDN:string\n , SrcDescription:string\n , SrcDvcScopeId:string\n , SrcRiskLevel:int\n , SrcOriginalRiskLevel:string\n , ActingAppId:string\n , ActingAppName:string\n , ActingAppType:string\n , TargetAppId:string\n , TargetAppName:string\n , TargetAppType:string\n , TargetDvcId:string\n , TargetDvcIdType:string\n , TargetHostname:string\n , TargetDomain:string\n , TargetDomainType:string\n , TargetFQDN:string\n , TargetDescription:string\n , TargetDeviceType:string\n , TargetIpAddr:string\n , TargetDvcOs:string\n , TargetUrl:string\n , TargetPortNumber:int\n , TargetDvcScope:string\n , TargetDvcScopeId:string\n , TargetGeoCity:string\n , TargetGeoCountry:string\n , TargetGeoRegion:string\n , TargetGeoLatitude:real\n , TargetGeoLongitude:real\n , LogonMethod: string\t\n , LogonProtocol: string\t\n , TargetUserIdType: string\t\n , TargetUsernameType: string\t\n , UserScope:string\n , UserScopeId:string\n , TargetOriginalUserType:string\n , TargetUserSessionId:string\n , User: string\t\n , IpAddr: string\n , SrcDvcHostnameType: string\t\n , LogonTarget: string\n , Dvc: string\t\n , DvcId: string\n , DvcIpAddr: string\t\n , DvcHostname: string\n , DvcDomain:string\n , DvcDomainType:string\n , DvcFQDN:string\n , DvcDescription:string\n , DvcIdType:string\n , DvcMacAddr:string\n , DvcZone:string\n , DvcOs:string\n , DvcOsVersion:string\n , DvcAction:string\n , DvcOriginalAction:string\n , DvcScope:string\n , DvcScopeOd:string\n , 
AdditionalFields:dynamic\n , Type:string\n , Src:string\n , Dst:string\n , Rule:string\n , RuleName:string\n , RuleNumber:int\n , ThreatId:string\n , ThreatName:string\n , ThreatCategory:string\n , ThreatOriginalRiskLevel:string\n , ThreatOriginalConfidence:string\n , ThreatIsActive:bool\n , ThreatField:string\n , ThreatConfidence:int\n , ThreatRiskLevel:string\n , ThreatFirstReportedTime:datetime\n , ThreatLastReportedTime:datetime\n , Application:string\n )[];\nEmptyAuthenticationTable",
+ "version": 1
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md
new file mode 100644
index 00000000000..f9ed86e6a33
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md
@@ -0,0 +1,18 @@
+# M365 Defender for EndPoint ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint.
+
+This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365Defender%2FvimAuthenticationM365Defender.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365Defender%2FvimAuthenticationM365Defender.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json
new file mode 100644
index 00000000000..8f32ff85fde
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/vimAuthenticationM365Defender.json
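Review bot: `DvcScopeOd:string` in the EmptyAuthenticationTable column list looks like a typo for `DvcScopeId`; as written, the empty-schema function advertises a column no parser populates while the real `DvcScopeId` column is absent, so consumers that union with vimAuthenticationEmpty to obtain the schema shape will not see it. Change the entry to `, DvcScopeId:string`. While here, `SrcPortNumber:string` sits beside `TargetPortNumber:int`; unless the mismatch is intentional, the two port columns should share a type.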
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationM365Defender", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for M365 Defender Device Logon Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationM365Defender", + "query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Interactive', 'Interactive',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'Network', 'Remote',\n 'Batch', 'Service',\n 'Service', 'Service',\n 'Unknown', '',\n 'RemoteInteractive', 'RemoteInteractive',\n 'CachedInteractive', 'Interactive'\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonSuccess', 'Success',\n 'LogonFailed', 'Failure',\n 'LogonAttempted', 'NA'\n];\nlet parser = (\n starttime:datetime=datetime(null)\n , 
endtime:datetime=datetime(null)\n , targetusername_has:string=\"*\"\n , disabled:bool=false\n) {\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (AccountName has targetusername_has))\n // -- end prefilter\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n TargetDvcOs = \"Linux\"\n , ActorUsernameType = \"Simple\"\n , TargetUsernameType = \"Simple\"\n | project-rename \n ActorUsername = InitiatingProcessAccountName\n , ActingProcessName = InitiatingProcessFolderPath\n , TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n // -- prefilter\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and (targetusername_has=='*' or (AccountName has targetusername_has) or (isnotempty(AccountDomain) and AccountDomain has targetusername_has))\n // -- end prefilter\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n TargetDvcOs = \"Windows\"\n , TargetUserIdType = 'SID'\n , ActorUserIdType = 'SID'\n , ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n )\n , TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ) \n , TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n , ActorUsernameType = iff (InitiatingProcessAccountDomain == '','Simple', 'Windows')\n , ActingProcessName = strcat 
(InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName)\n | project-rename \n ActorUserId = InitiatingProcessAccountSid\n , TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId\n , ActorUserSid = ActorUserId\n , TargetWindowsUsername = TargetUsername\n , ActorWindowsUsername = ActorUsername\n , ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n EventOriginalResultDetails = FailureReason \n , EventOriginalType = LogonType\n , EventUid = _ItemId\n , LogonProtocol = Protocol\n , TargetDvcId = DeviceId\n , SrcHostname = RemoteDeviceName\n , ActingProcessCommandLine = InitiatingProcessCommandLine\n , ActingProcessCreationTime = InitiatingProcessCreationTime\n , ActingProcessMD5 = InitiatingProcessMD5\n , ActingProcessSHA1 = InitiatingProcessSHA1 \n , ActingProcessSHA256 = InitiatingProcessSHA256\n , ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel\n , ActingProcessTokenElevation = InitiatingProcessTokenElevation\n , ParentProcessName = InitiatingProcessParentFileName\n , ParentProcessCreationTime = InitiatingProcessParentCreationTime\n //??, ActingProcessName = InitiatingProcessFolderPath \n , ActorUserUpn = InitiatingProcessAccountUpn\n , ActorUserAadId = InitiatingProcessAccountObjectId\n , SrcPortNumber = RemotePort\n | extend \n EventCount = int(1)\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventSchemaVersion = '0.1.3'\n , EventType = 'Logon'\n , EventVendor = 
'Microsoft'\n , EventProduct = 'M365 Defender for EndPoint'\n , EventSchema = 'Authentication'\n , TargetDvcIdType = 'MDEid'\n , ActingProcessId = tostring (InitiatingProcessId)\n , ParentProcessId = tostring (InitiatingProcessParentId)\n , EventOriginalUid = tostring (ReportId)\n , TargetSessionId = tostring (LogonId)\n , SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP)\n | extend\n Hash = coalesce(\n ActingProcessSHA256\n , ActingProcessSHA1\n , ActingProcessMD5\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetFQDN = FQDN\n , TargetHostname = ExtractedHostname\n , TargetDomainType = DomainType\n , TargetDomain = Domain \n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n TargetDvcMDEid = TargetDvcId\n , DvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n User = TargetUsername \n , Prcess = ActingProcessName\n , IpAddr = SrcIpAddr\n , ActingAppName = ActingProcessName\n , ActingAppType = \"Process\"\n , Dvc = coalesce (TargetFQDN, TargetHostname)\n , Src = coalesce (SrcIpAddr, SrcHostname)\n // -- Alias Dvc to Target\n , DvcFQDN = TargetFQDN\n , DvcHostname = TargetHostname\n , DvcDomain = TargetDomain\n , DvcDomainType = TargetDomainType\n , DvcId = TargetDvcId\n , DvcIdType = TargetDvcIdType\n , DvcOs = TargetDvcOs\n | extend \n LogonTarget = Dvc\n , Dst = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, 
InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n starttime = starttime\n , endtime = endtime\n , targetusername_has = targetusername_has\n , disabled = disabled\n) ",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md
new file mode 100644
index 00000000000..e7dac30911f
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md
@@ -0,0 +1,18 @@
+# Microsoft Defender for IoT ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Microsoft Defender for IoT.
+
+This ASIM parser supports filtering and normalizing Microsoft Defender for IoT endpoint logs to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json
new file mode 100644
index 00000000000..b238fc2ebbe
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json
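Review bot: `Prcess = ActingProcessName` in the `// -- Aliases` block of the M365 Defender query misspells the alias, so the `Process` alias that the MD4IoT parser in this same commit exposes is missing here and a stray column named `Prcess` is emitted instead; change it to `, Process = ActingProcessName`. The commented-out `//??, ActingProcessName = InitiatingProcessFolderPath` entry left inside the `project-rename` list should either be removed or replaced by a note explaining that the Windows and Linux branches build ActingProcessName themselves, since a `//??` marker reads as unfinished work in a shipped parser.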
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationMD4IoT", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Microsoft Defender for IoT endpoint logs", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationMD4IoT", + "query": "let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false)\n {\n SecurityIoTRawEvent | where not(disabled)\n | where RawEventName == \"Login\"\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or EventDetails has targetusername_has)\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n 
EventDetails = todynamic(EventDetails)\n //\n | extend\n EventOriginalUid = tostring(EventDetails.OriginalEventId), \n EventProduct = 'Microsoft Defender for IoT',\n EventCount=int(1),\n EventVendor = 'Microsoft', \n EventSchemaVersion = '0.1.0', \n EventStartTime = todatetime(EventDetails.TimestampUTC), \n EventEndTime = todatetime(TimeGenerated), \n EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'), \n EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success') \n //\n | extend\n ActingProcessId = tostring(EventDetails.ProcessId), \n ActingProcessName = tostring(EventDetails.Executable), // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"), // -- Intermediate fix\n TargetUsernameType = \"Simple\",\n TargetUsername = tostring(EventDetails.UserName)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (targetusername_has=='*' or TargetUsername has targetusername_has)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend SrcIpAddr = tostring(EventDetails.RemoteAddress) \n | project-rename\n DvcHostname = DeviceId, \n EventProductVersion = AgentVersion, // -- Not available in Windows\n _ResourceId = AssociatedResourceId, \n _SubscriptionId = AzureSubscriptionId \n //\n // -- aliases\n | extend \n User = TargetUsername, \n Process = ActingProcessName, \n Dvc = DvcHostname,\n SrcDvcIpAddr = SrcIpAddr,\n IpAddr = SrcIpAddr\n };\n Authentication_MD4IoT(starttime, endtime, targetusername_has, disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + 
}
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md
new file mode 100644
index 00000000000..b1129481c95
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md
@@ -0,0 +1,18 @@
+# Windows Security Events ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Windows Security Events.
+
+This ASIM parser supports filtering and normalizing Windows Authentication events (4624, 4625, 4634, and 4647), collected either by the Log Analytics Agent or the Azure Monitor Agent, into either the WindowsEvent (WEF) or SecurityEvent tables, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json
new file mode 100644
index 00000000000..c21a982381c
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json
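Review bot: `EventSchemaVersion = '0.1.0'` in the MD4IoT query differs from the `0.1.3` that the Cisco Meraki and M365 Defender parsers in this same commit emit, so content that filters on EventSchemaVersion will treat this source differently. If the parser has not been revalidated against the newer revision, say so with a comment such as `// -- schema version intentionally pinned to 0.1.0 (not yet validated against 0.1.3)`; otherwise bump it to match. The repeated `// ***** / // / // *****` banner blocks enclose no text; either fill in what each banner marks (the pre- and post-parse filtering sections) or drop them.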
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationMicrosoftWindowsEvent", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Windows Security Events", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationMicrosoftWindowsEvent", + "query": "let LogonEvents=dynamic([4624,4625]);\nlet LogoffEvents=dynamic([4634,4647]);\nlet LogonTypes=datatable(LogonType:int, EventSubType:string)[\n 2, 'Interactive',\n 3, 'Network',\n 4, 'Batch',\n 5, 'Service',\n 7, 'Unlock',\n 8, 'NetworkCleartext',\n 9, 'NewCredentials',\n 10, 'RemoteInteractive',\n 11, 'CachedInteractive'];\n// https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000\nlet LogonStatus=datatable \n (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[\n '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',\n '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',\n '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates 
policy',\n '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',\n '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',\n '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',\n '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',\n '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',\n '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',\n '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',\n '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',\n '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',\n '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',\n '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',\n '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',\n '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',\n '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',\n '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',\n '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',\n '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',\n '0x80090308', 'SEC_E_INVALID_TOKEN','Other',\n '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',\n '0xc0000008', 'STATUS_INVALID_HANDLE','Other',\n '0xc0000017', 'STATUS_NO_MEMORY','Other',\n '0xc0000022', 'STATUS_ACCESS_DENIED','Other',\n '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',\n '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',\n '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',\n '0xc000006d', 'STATUS_LOGON_FAILURE','Other',\n '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',\n '0xc0000073', 'STATUS_NONE_MAPPED','Other',\n '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',\n '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',\n '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',\n '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',\n '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',\n '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',\n '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',\n 
'0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',\n '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',\n '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];\n let WinLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){ \n WindowsEvent | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or EventData.TargetUserName has targetusername_has)\n // ************************************************************************* \n // \n // ************************************************************************* \n | where Provider == 'Microsoft-Windows-Security-Auditing'\n | where EventID in (LogonEvents) or EventID in (LogoffEvents)\n | extend LogonProtocol = tostring(EventData.AuthenticationPackageName),\n SrcDvcIpAddr = tostring(EventData.IpAddress),\n TargetPortNumber = toint(EventData.IpPort),\n LogonGuid = tostring(EventData.LogonGuid),\n LogonType = toint(EventData.LogonType),\n ActingProcessCreationTime = EventData.ProcessCreationTime,\n ActingProcessId = tostring(toint(EventData.ProcessId)),\n ActingProcessName = tostring(EventData.ProcessName),\n Status = tostring(EventData.Status),\n ActorSessionId = tostring(EventData.SubjectLogonId),\n ActorUsername = tostring(iff (EventData.SubjectDomainName in ('-',''), EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @\"\\\" , EventData.SubjectUserName))),\n ActorUserId = tostring(EventData.SubjectUserSid),\n SubStatus = tostring(EventData.SubStatus),\n TargetDomainName = tostring(EventData.TargetDomainName),\n TargetSessionId = tostring(EventData.TargetLogonId),\n TargetUserId = tostring(EventData.TargetUserSid),\n TargetUsername = tostring(iff 
(EventData.TargetDomainName in ('-',''), EventData.TargetUserName, strcat(EventData.TargetDomainName, @\"\\\" , EventData.TargetUserName)))\n // *************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n // *************** ********************************** \n | extend \n SrcDvcHostname = tostring(EventData.WorkstationName),\n EventProduct = \"Security Events\"\n | extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n // -- creating EventMessage matching EventMessage in SecurityEvent table\n | extend EventMessage = case(EventID == 4634, \"4634 - An account was logged off.\", \n EventID == 4625, \"4625 - An account failed to log on.\",\n EventID == 4624 ,\"4624 - An account was successfully logged on.\",\n \"4647 - User initiated logoff.\"),\n EventResult = iff(EventID == 4625, 'Failure', 'Success')\n | project-rename \n TargetDvcHostname = Computer\n , EventOriginalUid = EventOriginId\n , EventOriginalType=EventID\n | extend EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon') \n , ActorUsernameType= iff(EventData.SubjectDomainName in ('-',''),'Simple', 'Windows' ) \n , TargetUsernameType=iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | extend\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , Dvc=SrcDvcHostname\n };\nlet SecEventLogon =(starttime:datetime=datetime(null), endtime:datetime=datetime(null), 
targetusername_has:string=\"*\", disabled:bool=false){\n SecurityEvent | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or TargetUserName has targetusername_has)\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventID in (LogonEvents) or \n EventID in (LogoffEvents)\n | project-rename \n EventMessage = Activity\n , ActorSessionId=SubjectLogonId\n , TargetSessionId=TargetLogonId\n , ActorUserId=SubjectUserSid\n , TargetUserId =TargetUserSid\n , SrcDvcHostname = WorkstationName\n , TargetDvcHostname = Computer\n , EventOriginalUid = EventOriginId\n , LogonProtocol=AuthenticationPackageName\n , SrcDvcIpAddr=IpAddress\n , EventOriginalType=EventID\n | extend EventResult = iff(EventOriginalType == 4625, 'Failure', 'Success')\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventProduct = \"Security Events\"\n , ActorUserIdType='SID'\n , TargetUserIdType='SID'\n , EventVendor='Microsoft' \n , EventStartTime =TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon')\n , ActorUsername = iff (SubjectDomainName in ('-',''), SubjectUserName, SubjectAccount)\n , ActorUsernameType= iff(SubjectDomainName in ('-',''),'Simple', 'Windows' )\n , TargetUsername = iff (TargetDomainName in ('-',''), trim(@'\\\\',TargetUserName), trim(@'\\\\',TargetAccount))\n , TargetUsernameType=iff (TargetDomainName in ('-',''), 'Simple', 'Windows')\n , SrcDvcOs = 'Windows'\n , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)\n | project-away TargetUserName, AccountType\n | extend\n ActorUserType = _ASIM_GetWindowsUserType 
(ActorUsername, ActorUserId)\n , TargetUserType = _ASIM_GetWindowsUserType (TargetUsername, TargetUserId)\n | lookup LogonStatus on EventStatus\n | lookup LogonTypes on LogonType\n /// ** Aliases \n | extend\n User=TargetUsername\n , LogonTarget=TargetDvcHostname\n , Dvc=SrcDvcHostname\n };\nunion isfuzzy=true SecEventLogon(starttime, endtime, targetusername_has, disabled)\n , WinLogon(starttime, endtime, targetusername_has, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md new file mode 100644 index 00000000000..058ff8c30c9 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md @@ -0,0 +1,18 @@ +# Okta ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Okta. + +This ASIM parser supports normalizing Okta sign in logs, stored in the Okta_CL table and in OktaV2_CL table, to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
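Review bot: Neither WinLogon nor SecEventLogon sets `EventSchema`, while the Okta and PostgreSQL parsers in this same commit extend `EventSchema = 'Authentication'`; any consumer that filters the union on EventSchema will silently drop the Windows rows, so add `, EventSchema = 'Authentication'` to the main extend of both functions. WinLogon also computes `EventStatus= iff(SubStatus=='0x0',Status,SubStatus)` twice (once right after `EventProduct = "Security Events"` and again in the later extend list); the first copy is redundant and can be removed. `SrcDvcIpAddr = tostring(EventData.IpAddress)` passes the `-` placeholder that the same query already treats as "empty" for domain names straight into the normalized IP field, so IP-based detections may match on a placeholder rather than an address; consider mapping `-` to an empty value the same way. If this ARM template is generated from the YAML parser, the fix belongs in the YAML source.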
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationOktaOSS%2FvimAuthenticationOktaOSS.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationOktaOSS%2FvimAuthenticationOktaOSS.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json
new file mode 100644
index 00000000000..e80f251aaee
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationOktaSSO", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Okta", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationOktaSSO", + "query": "let OktaSignin = (starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false)\n{\n let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED', 'DENY']);\n let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n let emptyTable = datatable(TimeGenerated:datetime)[];\n // https://developer.okta.com/docs/reference/api/event-types/#catalog\n let OktaV1 = union isfuzzy=true emptyTable, Okta_CL \n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | extend \n outcome_result_s=column_ifexists('outcome_result_s', \"\"),\n 
eventType_s=column_ifexists('eventType_s', \"\"),\n legacyEventType_s=column_ifexists('legacyEventType_s', \"\"),\n client_geographicalContext_geolocation_lat_d = column_ifexists('client_geographicalContext_geolocation_lat_d', \"\"),\n client_geographicalContext_geolocation_lon_d = column_ifexists('client_geographicalContext_geolocation_lon_d', \"\"),\n actor_alternateId_s = column_ifexists('actor_alternateId_s', \"\") \n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (actor_alternateId_s has targetusername_has))\n // ************************************************************************* \n // \n // ************************************************************************* \n | where eventType_s in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventVendor='Okta'\n , EventSchema = 'Authentication'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success', outcome_result_s in (OktaFailedOutcome), 'Failure', 'Partial')\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n , EventSubType=legacyEventType_s\n , EventMessage=column_ifexists('displayMessage_s', \"\")\n , EventOriginalResultDetails=column_ifexists('outcome_reason_s', \"\")\n , EventOriginalUid = column_ifexists('uuid_g', \"\")\n , TargetUserIdType='OktaId'\n , TargetUsernameType='UPN'\n , TargetSessionId=column_ifexists('authenticationContext_externalSessionId_s', \"\")\n , TargetUserId=column_ifexists('actor_id_s', \"\")\n , TargetUsername=column_ifexists('actor_alternateId_s', \"\")\n , TargetUserType=column_ifexists('actor_type_s', \"\")\n , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n , SrcDvcOs=column_ifexists('client_userAgent_os_s', 
\"\")\n , SrcIsp=column_ifexists('securityContext_isp_s', \"\")\n , SrcGeoCity=column_ifexists('client_geographicalContext_city_s', \"\")\n , SrcGeoCountry=column_ifexists('client_geographicalContext_country_s', \"\")\n , SrcIpAddr = column_ifexists('client_ipAddress_s', \"\")\n , ActingAppName=column_ifexists('client_userAgent_browser_s', \"\")\n , ActingAppType=\"Browser\"\n , LogonMethod=column_ifexists('authenticationContext_credentialType_s', \"\")\n , HttpUserAgent=column_ifexists('client_userAgent_rawUserAgent_s', \"\")\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n , IpAddr=SrcIpAddr\n | project-away *_s,*_d,*_b,*_g,*_t;\n let OktaV2 = union isfuzzy=true emptyTable, OktaV2_CL\n | extend EventOriginalType=column_ifexists('EventOriginalType', \"\") \n , OriginalActorAlternateId = column_ifexists('OriginalActorAlternateId', \"\")\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (OriginalActorAlternateId has targetusername_has))\n // ************************************************************************* \n // \n // ************************************************************************* \n | where EventOriginalType in (OktaSigninEvents)\n | extend \n EventProduct='Okta'\n , EventSchema = 'Authentication'\n , EventVendor='Okta'\n , EventCount=int(1)\n , EventSchemaVersion='0.1.0'\n , EventStartTime=TimeGenerated\n , EventEndTime=TimeGenerated\n , EventType=iff(EventOriginalType hassuffix 'start', 'Logon', 'Logoff') \n , TargetSessionId=column_ifexists('ActorSessionId', \"\")\n , TargetUserId= column_ifexists('ActorUserId', \"\")\n , TargetUsername=column_ifexists('ActorUsername', \"\")\n , TargetUserType=column_ifexists('ActorUserType', \"\")\n , TargetUserIdType=column_ifexists('ActorUserIdType', \"\")\n , TargetUsernameType=column_ifexists('ActorUsernameType', \"\")\n , SrcIpAddr = column_ifexists('SrcIpAddr', \"\")\n //** extend 
non-normalized fields to be projected-away \n , ActorDetailEntry, ActorDisplayName, AuthenticationContextAuthenticationProvider, AuthenticationContextAuthenticationStep\n , AuthenticationContextCredentialProvider, AuthenticationContextInterface, AuthenticationContextIssuerId, AuthenticationContextIssuerType\n , DebugData, DvcAction, OriginalActorAlternateId, OriginalClientDevice, OriginalOutcomeResult, OriginalSeverity, OriginalTarget\n , OriginalUserId, OriginalUserType, Request, SecurityContextAsNumber, SecurityContextAsOrg, SecurityContextDomain, SecurityContextIsProxy\n , TransactionDetail, TransactionId, TransactionType\n // ** Aliases\n | extend \n User=TargetUsername\n , Dvc=EventVendor\n , IpAddr=SrcIpAddr\n | project-away ActorDetailEntry, ActorDisplayName, AuthenticationContextAuthenticationProvider, AuthenticationContextAuthenticationStep\n , AuthenticationContextCredentialProvider, AuthenticationContextInterface, AuthenticationContextIssuerId, AuthenticationContextIssuerType\n , DebugData, DvcAction, OriginalActorAlternateId, OriginalClientDevice, OriginalOutcomeResult, OriginalSeverity, OriginalTarget\n , OriginalUserId, OriginalUserType, Request, SecurityContextAsNumber, SecurityContextAsOrg, SecurityContextDomain, SecurityContextIsProxy\n , TransactionDetail, TransactionId, TransactionType;\n union isfuzzy=true OktaV1, OktaV2\n};\nOktaSignin(starttime, endtime, targetusername_has, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md new file mode 100644 index 00000000000..50d3ac9150b --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/README.md 
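Review bot: The saved-search `name` and `FunctionAlias` are `vimAuthenticationOktaSSO`, but this file lives under `ARM/vimAuthenticationOktaOSS/` and the README deploy links point at `vimAuthenticationOktaOSS.json`; the parent ASimAuthentication.yaml in this commit lists `ASimAuthenticationOktaSSO`, and the PostgreSQL and Salesforce folders here match their aliases, so the directory and file name look like a transposition and should be renamed to `vimAuthenticationOktaSSO`. In the OktaV2 branch the comment `extend non-normalized fields to be projected-away` is followed by bare column references (`ActorDetailEntry`, `DebugData`, `TransactionType`, ...) without `column_ifexists`, unlike `EventOriginalType` and `OriginalActorAlternateId` just above it; if OktaV2_CL is absent or lacks one of those columns the `union isfuzzy=true emptyTable` guard would, as far as I can tell, no longer keep the query from failing on column resolution, so wrap them with `column_ifexists(...)` the same way. If this ARM template is generated from the YAML parser, apply the change there.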
@@ -0,0 +1,18 @@
+# PostgreSQL ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for PostgreSQL.
+
+This ASIM parser supports filtering and normalizing PostgreSQL sign in logs to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPostgreSQL%2FvimAuthenticationPostgreSQL.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPostgreSQL%2FvimAuthenticationPostgreSQL.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json
new file mode 100644
index 00000000000..85e9ff9b864
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPostgreSQL/vimAuthenticationPostgreSQL.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationPostgreSQL", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for PostgreSQL", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationPostgreSQL", + "query": "let PostgreSQLSignInAuthorized=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// ************************************************************************* \n | where RawData has 'connection authorized'\n | extend\n EventVendor = 'PostgreSQL'\n , 
EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , EventOriginalRestultDetails = 'Connection authorized'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** *********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure1=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has 'authentication failed'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 
'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'for user\\s\"(.*?)\"', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'User authentication failed'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure2=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has_all ('role', 'does', 'not', 'exist')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername 
= extract(@'role\\s\"(.*?)\"\\sdoes', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , EventOriginalRestultDetails = 'Role does not exist'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLAuthFailure3=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has_all ('no', 'entry', 'user')\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Failure'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logon'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user\\s\"(.*?)\",', 1, RawData)\n , SrcIpAddr = extract(@'host\\s\"(.*?)\",', 1, RawData)\n , EventResultDetails = 'No such user or password'\n , 
EventOriginalRestultDetails = 'No entry for user'\n// ********************** **********************************\n | where (targetusername_has=='*' or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nlet PostgreSQLDisconnect=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\", disabled:bool=false){\nPostgreSQL_CL | where not(disabled)\n// ************************************************************************* \n// \n// *************************************************************************\n| where \n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or RawData has targetusername_has)\n// ************************************************************************* \n// \n// *************************************************************************\n | where RawData has 'disconnection'\n | extend \n EventVendor = 'PostgreSQL'\n , EventProduct = 'PostgreSQL'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.1'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , EventType = 'Logoff'\n , DvcHostname = Computer\n , DvcIpAddr = extract(@'\\d{1,3}\\.\\d{1.3}\\.\\d{1,3}\\.\\d{1,3}', 1, Computer)\n , TargetUsernameType = 'Simple'\n , TargetUsername = extract(@'user=(.*?)\\sdatabase', 1, RawData)\n , SrcIpAddr = extract(@'host=\\[?(.*?)\\]?', 1, RawData)\n , EventResultDetails = 'Session expired'\n , EventOriginalRestultDetails = 'User session closed'\n// ********************** **********************************\n | where (targetusername_has=='*' 
or TargetUsername has targetusername_has)\n// ********************** **********************************\n// ************************ \n// \n// ************************\n| extend\n User=TargetUsername\n , Dvc=Computer\n// ************************ \n// \n// ************************\n | project-away Computer, MG, ManagementGroupName, RawData, SourceSystem, TenantId\n };\nunion isfuzzy=false PostgreSQLSignInAuthorized(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLAuthFailure1(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLAuthFailure2(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLAuthFailure3(starttime, endtime, targetusername_has, disabled)\n , PostgreSQLDisconnect(starttime, endtime, targetusername_has, disabled)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md new file mode 100644 index 00000000000..d8f007d0480 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md 
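Review bot: The `DvcIpAddr` regex `\d{1,3}\.\d{1.3}\.\d{1,3}\.\d{1,3}` has a dot instead of a comma in its second quantifier, so `{1.3}` is not a valid repetition and the pattern will not match a dotted-quad address, leaving DvcIpAddr empty; the same line is repeated in all five functions (PostgreSQLSignInAuthorized, PostgreSQLAuthFailure1/2/3, PostgreSQLDisconnect) and should read `DvcIpAddr = extract(@'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}', 1, Computer)`. All five also emit `EventOriginalRestultDetails`, misspelled relative to the `EventOriginalResultDetails` column the Windows parser in this commit produces, so the field will not line up across the ASIM union. In PostgreSQLDisconnect, `SrcIpAddr = extract(@'host=\[?(.*?)\]?', 1, RawData)` pairs a lazy group with an optional trailing bracket, so the capture is always the empty string; a pattern such as `extract(@'host=\[?([^\]\s,]+)', 1, RawData)` would capture the host value. Unlike the other parsers in this commit the final union uses `isfuzzy=false`, so a workspace without PostgreSQL_CL fails the whole function rather than returning no rows. If this ARM template is generated from the YAML parser, fix the YAML source as well.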
@@ -0,0 +1,18 @@
+# Salesforce Service Cloud ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Salesforce Service Cloud.
+
+This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
new file mode 100644
index 00000000000..e318959649a
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationSalesforceSC", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication filtering parser for Salesforce Service Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSalesforceSC", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n targetusername_has: string=\"*\",\n disabled: bool=false\n ) {\n let SalesforceSchema = datatable(\n api_version_s: string,\n browser_type_s: string,\n cipher_suite_s: string,\n client_ip_s: string,\n delegated_user_id_s: string,\n delegated_user_name_s: string,\n event_type_s: string,\n login_key_s: string,\n login_status_s: string,\n login_type_s: string,\n login_sub_type_s: string,\n organization_id_s: string,\n platform_type_s: string,\n request_id_s: string,\n request_status_s: string,\n session_key_s: string,\n source_ip_s: string,\n timestamp_s: string,\n tls_protocol_s: string,\n uri_s: string,\n user_id_s: string,\n user_name_s: string,\n user_type_s: string,\n 
wave_session_id_g: string\n)[];\n let EventResultLookup = datatable (\n login_status_s: string,\n DvcAction: string,\n EventResultDetails: string,\n EventResult: string,\n EventSeverity: string\n)[\n \"LOGIN_CHALLENGE_ISSUED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_CHALLENGE_PENDING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_DATA_DOWNLOAD_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_END_SESSION_TXN_SECURITY_POLICY\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_API_TOO_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ASYNC_USER_CREATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_AVANTGO_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_NO_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CLIENT_REQ_UPDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_FROZEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_CSS_PW_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_DUPLICATE_USERNAME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_EXPORT_RESTRICTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HT_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_HTP_METHD_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INSECURE_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_GATEWAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_ID_FIELD\", \"Blocked\", 
\"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_INVALID_PASSWORD\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_LOGINS_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUST_USE_API_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_MUTUAL_AUTHENTICATION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NETWORK_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_HT_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_NETWORK_INFO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_NO_SET_COOKIES\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OFFLINE_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_CLOSED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_DOMAIN_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IN_MAINTENANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_IS_DOT_ORG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_LOCKOUT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SIGNING_UP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_ORG_SUSPENDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_OUTLOOK_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PAGE_REQUIRES_LOGIN\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n 
\"LOGIN_ERROR_PASSWORD_EMPTY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PASSWORD_LOCKOUT\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_PORTAL_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RATE_EXCEEDED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_DOMAIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_RESTRICTED_TIME\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SESSION_TIMEOUT\", \"Blocked\", \"Session expired\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_PWD_INVALID\", \"Blocked\", \"Incorrect password\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_SVC_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SSO_URL_INVALID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_STORE_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_INSTANCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SWITCH_SFDC_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYNCOFFLINE_DISBLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_SYSTEM_DOWN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_API_ONLY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_FROZEN\", \"Blocked\", \"User locked\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_INACTIVE\", \"Blocked\", \"User disabled\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_NON_MOBILE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USER_STORE_ACCESS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_USERNAME_EMPTY\", \"Blocked\", \"Other\", 
\"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ERROR_WIRELESS_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_LIGHTNING_LOGIN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_NO_ERROR\", \"Allowed\", \"\", \"Success\", \"Informational\",\n \"LOGIN_OAUTH_API_DISABLED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_CONSUMER_DELETED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_DS_NOT_EXPECTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_EXCEED_GET_AT_LMT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_CHALLENGE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_CODE_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DEVICE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_DSIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_IP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_NONCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_SIG_METHOD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERIFIER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_MISSING_DS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_CALLBACK_URL\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_OAUTH_NO_CONSUMER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NO_TOKEN\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_NONCE_REPLAY\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_MISSING\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_PACKAGE_OLD\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_OAUTH_UNEXPECTED_PARAM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_ORG_TRIAL_EXP\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_READONLY_CANNOT_VALIDATE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_AUDIENCE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_CONFIG\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_FORMAT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_IN_RES_TO\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ISSUER\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_RECIPIENT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SESSION_LEVEL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SIGNATURE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SITE_URL\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_STATUS\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_SUB_CONFIRM\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_TIMESTAMP\", \"Blocked\", \"Other\", \"Failure\", 
\"Informational\",\n \"LOGIN_SAML_INVALID_USERNAME\", \"Blocked\", \"No such user\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_INVALID_VERSION\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISMATCH_CERT\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_ORG_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_MISSING_PORTAL_ID\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_PROVISION_ERROR\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_REPLAY_ATTEMPTED\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_SAML_SITE_INACTIVE\", \"Blocked\", \"Other\", \"Failure\", \"Informational\",\n \"LOGIN_TWOFACTOR_REQ\", \"Blocked\", \"Logon violates policy\", \"Failure\", \"Informational\"\n];\n let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);\n let EventTypeLookup = datatable(event_type_s: string, EventType: string)[\n \"Login\", \"Logon\",\n \"LoginAs\", \"Logon\",\n \"Logout\", \"Logoff\"\n];\n let DvcOsLookup = datatable(\n platform_type_s: string,\n DvcOs: string,\n DvcOsVersion: string\n)[\n \"1000\", \"Windows\", \"\",\n \"1008\", \"Windows\", \"2003\",\n \"1013\", \"Windows\", \"8.1\",\n \"1015\", \"Windows\", \"10\",\n \"2003\", \"Macintosh/Apple\", \"OSX\",\n \"4000\", \"Linux\", \"\",\n \"5005\", \"Android\", \"\",\n \"5006\", \"iPhone\", \"\",\n \"5007\", \"iPad\", \"\",\n \"5200\", \"Android\", \"10.0\"\n];\n let LogonMethodLookup = datatable(\n LoginType_s: string,\n LogonMethodOriginal: string,\n LogonMethod: string\n)[\n \"7\", \"AppExchange\", \"Other\",\n \"A\", \"Application\", \"Other\",\n \"s\", \"Certificate-based login\", \"PKI\",\n \"k\", \"Chatter Communities External User\", \"Other\",\n \"n\", \"Chatter Communities External User Third Party SSO\", \"Other\",\n \"r\", \"Employee Login to Community\", \"Other\",\n \"z\", \"Lightning Login\", \"Username & Password\",\n \"l\", 
\"Networks Portal API Only\", \"Other\",\n \"6\", \"Remote Access Client\", \"Other\",\n \"i\", \"Remote Access 2.0\", \"Other\",\n \"I\", \"Other Apex API\", \"Other\",\n \"R\", \"Partner Product\", \"Other\",\n \"w\", \"Passwordless Login\", \"Passwordless\",\n \"3\", \"Customer Service Portal\", \"Other\",\n \"q\", \"Partner Portal Third-Party SSO\", \"Other\",\n \"9\", \"Partner Portal\", \"Other\",\n \"5\", \"SAML Idp Initiated SSO\", \"Other\",\n \"m\", \"SAML Chatter Communities External User SSO\", \"Other\",\n \"b\", \"SAML Customer Service Portal SSO\", \"Other\",\n \"c\", \"SAML Partner Portal SSO\", \"Other\",\n \"h\", \"SAML Site SSO\", \"Other\",\n \"8\", \"SAML Sfdc Initiated SSO\", \"Other\",\n \"E\", \"SelfService\", \"Other\",\n \"j\", \"Third Party SSO\", \"Other\"\n];\n let LogonProtocolLookup = datatable(\n LoginSubType_s: string,\n LogonProtocolOriginal: string,\n LogonProtocol: string\n)[\n \"uiup\", \"UI Username-Password\", \"Basic Auth\",\n \"oauthpassword\", \"OAuth Username-Password\", \"OAuth\",\n \"oauthtoken\", \"OAuth User-Agent\", \"OAuth\",\n \"oauthhybridtoken\", \"OAuth User-Agent for Hybrid Apps\", \"OAuth\",\n \"oauthtokenidtoken\", \"OAuth User-Agent with ID Token\", \"OAuth\",\n \"oauthclientcredential\", \"OAuth Client Credential\", \"OAuth\",\n \"oauthcode\", \"OAuth Web Server\", \"OAuth\",\n \"oauthhybridauthcode\", \"OAuth Web Server for Hybrid Apps\", \"OAuth\",\n];\n let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[\n \"S\", \"Success\",\n \"F\", \"Failure\",\n \"A\", \"Failure\",\n \"R\", \"Success\",\n \"N\", \"Failure\",\n \"U\", \"NA\"\n];\n let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[\n \"CsnOnly\", \"Other\",\n \"CspLitePortal\", \"Other\",\n \"CustomerSuccess\", \"Other\",\n \"Guest\", \"Anonymous\",\n \"PowerCustomerSuccess\", \"Other\",\n \"PowerPartner\", \"Other\",\n \"SelfService\", \"Other\",\n \"Standard\", \"Regular\",\n \"A\", 
\"Application\",\n \"b\", \"Other\",\n \"C\", \"Other\",\n \"D\", \"Other\",\n \"F\", \"Other\",\n \"G\", \"Anonymous\",\n \"L\", \"Other\",\n \"N\", \"Service\",\n \"n\", \"Other\",\n \"O\", \"Other\",\n \"o\", \"Other\",\n \"P\", \"Other\",\n \"p\", \"Other\",\n \"S\", \"Regular\",\n \"X\", \"Admin\"\n];\n union isfuzzy=true\n SalesforceSchema,\n SalesforceServiceCloud_CL \n | where not(disabled)\n | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))\n // -- Pre filtering\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has == '*' or (user_name_s has targetusername_has))\n and event_type_s in~ (SalesforceEventType)\n // -- end pre-filtering\n | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s\n | lookup EventResultLookup on login_status_s\n | lookup EventTypeLookup on event_type_s\n | lookup LogonMethodLookup on LoginType_s\n | lookup LogonProtocolLookup on LoginSubType_s\n | lookup TempEventResultLookup on request_status_s\n | lookup DvcOsLookup on platform_type_s\n | lookup UserTypeLookup on user_type_s\n | project-rename\n EventProductVersion = api_version_s,\n EventOriginalResultDetails = login_status_s,\n TargetUserId = user_id_s,\n SrcIpAddr = source_ip_s,\n EventOriginalUid = request_id_s,\n TlsCipher = cipher_suite_s,\n TlsVersion = tls_protocol_s,\n HttpUserAgent= browser_type_s,\n TargetUserScopeId = organization_id_s,\n TargetUrl = uri_s,\n TargetOriginalUserType = user_type_s,\n ActorUsername = delegated_user_name_s,\n ActorUserId = delegated_user_id_s,\n TargetUsername = user_name_s\n | extend\n EventVendor = 'Salesforce',\n EventProduct='Service Cloud',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n TargetAppName = \"Salesforce Dot Com(SFDC)\",\n TargetAppType = \"SaaS application\",\n EventUid = _ItemId,\n EventOriginalType=event_type_s,\n SrcIpAddr = coalesce(SrcIpAddr, 
client_ip_s)\n | extend\n TargetSessionId = coalesce(session_key_s, login_key_s),\n TargetUserScope = \"Salesforce Organization\",\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SaleforceId\", \"\"),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"SaleforceId\", \"\"),\n TargetUsernameType = iff(isnotempty(TargetUsername), \"UPN\", \"\"),\n ActorUsernameType = iff(isnotempty(ActorUsername), \"UPN\", \"\"),\n User = coalesce(TargetUsername, TargetUserId),\n Src = SrcIpAddr,\n IpAddr = SrcIpAddr,\n Dvc = EventProduct,\n EventResult = coalesce(EventResult, TempEventResult),\n Application = TargetAppName,\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated\n | project-away\n *_s,\n *_t,\n *_g,\n TenantId,\n SourceSystem,\n Computer,\n MG,\n ManagementGroupName,\n Message,\n RawData,\n TempEventResult,\n _ItemId\n};\nparser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/README.md new file mode 100644 index 00000000000..06591e801cc --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/README.md 
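Review bot: `TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", "")` and the matching `ActorUserIdType` line in the second `extend` misspell the vendor name that `EventVendor = 'Salesforce'` uses in the same parser; the intended value is presumably `"SalesforceId"`, and any content or test keyed on that literal will silently miss these rows. The last row of `LogonProtocolLookup` (`"oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth",`) ends with a trailing comma before `]`, which none of the other datatables in the query do; worth confirming the KQL parser accepts it rather than failing the whole function. The parser also replaces `TimeGenerated` with the vendor `timestamp_s` before the starttime/endtime pre-filter runs, so the time-range filter operates on event time rather than ingestion time; a comment such as `// TimeGenerated is rebased to the vendor timestamp; time filters below use event time` would make that intent explicit.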
@@ -0,0 +1,18 @@
+# SentinelOne ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for SentinelOne.
+
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Authentication normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSentinelOne%2FvimAuthenticationSentinelOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSentinelOne%2FvimAuthenticationSentinelOne.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json
new file mode 100644
index 00000000000..3a121387dac
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSentinelOne/vimAuthenticationSentinelOne.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationSentinelOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSentinelOne", + "query": "let EventResultDetailsLookup = datatable (comments_s: string, EventResultDetails: string)\n[\n \"invalid 2FA code\", \"Incorrect password\",\n \"IP/User mismatch\", \"No such user or password\",\n \"invalid password\", \"Incorrect password\",\n \"user temporarily locked 2FA attempt\", \"User locked\",\n \"no active site\", \"Other\"\n];\nlet EventFieldsLookup = datatable (\n activityType_d: real,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string\n)\n[\n 27, \"Logon\", \"Success\", \"User Logged In\",\n 33, \"Logoff\", \"Success\", \"User Logged Out\",\n 133, \"Logon\", \"Failure\", \"Existing User Login Failure\",\n 134, \"Logon\", \"Failure\", \"Unknown User Login\",\n 139, \"Logon\", \"Failure\", \"User Failed to Start an Unrestricted Session\",\n 3629, 
\"Logon\", \"Success\", \"Login Using Saved 2FA Recovery Code\"\n];\nlet EventTypeLookup = datatable (alertInfo_eventType_s: string, EventType: string)\n [\n \"WINLOGONATTEMPT\", \"Logon\",\n \"WINLOGOFFATTEMPT\", \"Logoff\"\n];\nlet EventSubTypeLookup = datatable (alertInfo_loginType_s: string, EventSubType: string)\n[\n \"BATCH\",\"System\",\n \"CACHED_INTERACTIVE\", \"Interactive\",\n \"CACHED_REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"CACHED_UNLOCK\", \"System\",\n \"INTERACTIVE\", \"Interactive\",\n \"NETWORK_CLEAR_TEXT\", \"Remote\",\n \"NETWORK_CREDENTIALS\", \"Remote\",\n \"NETWORK\", \"Remote\",\n \"REMOTE_INTERACTIVE\", \"RemoteInteractive\",\n \"SERVICE\", \"Service\",\n \"SYSTEM\", \"System\",\n \"UNLOCK\", \"System\"\n];\nlet DeviceTypeLookup = datatable (agentDetectionInfo_machineType_s: string, SrcDeviceType: string)\n[\n \"desktop\", \"Computer\",\n \"server\", \"Computer\",\n \"laptop\", \"Computer\",\n \"kubernetes node\", \"Other\",\n \"unknown\", \"Other\"\n];\nlet ThreatConfidenceLookup_undefined = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n)\n[\n \"FALSE_POSITIVE\", 5,\n \"Undefined\", 15,\n \"SUSPICIOUS\", 25,\n \"TRUE_POSITIVE\", 33 \n];\nlet ThreatConfidenceLookup_suspicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n)\n[\n \"FALSE_POSITIVE\", 40,\n \"Undefined\", 50,\n \"SUSPICIOUS\", 60,\n \"TRUE_POSITIVE\", 67 \n];\nlet ThreatConfidenceLookup_malicious = datatable(\n alertInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n)\n[\n \"FALSE_POSITIVE\", 75,\n \"Undefined\", 80,\n \"SUSPICIOUS\", 90,\n \"TRUE_POSITIVE\", 100 \n];\n let TargetUserTypesList = dynamic([\"Regular\", \"Machine\", \"Admin\", \"System\", \"Application\", \"Service Principal\", \"Service\", \"Anonymous\"]);\n let parser = (disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), targetusername_has: string='*') {\n let alldata = 
SentinelOne_CL\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime);\n let activitydata = alldata\n | where event_name_s == \"Activities.\"\n and activityType_d in (27, 33, 133, 134, 139, 3629)\n | parse-kv DataFields_s as (ipAddress: string, username: string, userScope: string, accountName: string, fullScopeDetails: string, fullScopeDetailsPath: string, role: string, scopeLevel: string, source: string, sourceType: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | where targetusername_has == \"*\" or username has targetusername_has\n | lookup EventFieldsLookup on activityType_d\n | lookup EventResultDetailsLookup on comments_s\n | extend \n SrcIpAddr = iff(ipAddress == \"null\", \"\", ipAddress),\n EventOriginalType = tostring(toint(activityType_d)),\n TargetUsername = username,\n TargetUserScope = userScope,\n AdditionalFields = bag_pack(\n \"accountName\", accountName,\n \"fullScopeDetails\", fullScopeDetails,\n \"fullScopeDetailsPath\", fullScopeDetailsPath,\n \"scopeLevel\", scopeLevel,\n \"source\", source,\n \"sourceType\", sourceType\n ),\n TargetOriginalUserType = role,\n TargetUserType = case(\n role in (TargetUserTypesList), role,\n role == \"null\", \"\",\n \"Other\"\n )\n | project-rename\n EventStartTime = createdAt_t,\n TargetUserId = userId_s,\n EventOriginalUid = activityUuid_g,\n EventMessage = primaryDescription_s\n | extend TargetUserIdType = iff(isnotempty(TargetUserId), \"Other\", \"\");\n let alertdata = alldata\n | where event_name_s == \"Alerts.\"\n and alertInfo_eventType_s in (\"WINLOGONATTEMPT\", \"WINLOGOFFATTEMPT\")\n and (targetusername_has == \"*\" or alertInfo_loginsUserName_s has targetusername_has)\n | lookup EventTypeLookup on alertInfo_eventType_s\n | lookup EventSubTypeLookup on alertInfo_loginType_s\n | lookup DeviceTypeLookup on agentDetectionInfo_machineType_s;\n let undefineddata = alertdata\n | where ruleInfo_treatAsThreat_s 
== \"UNDEFINED\"\n | lookup ThreatConfidenceLookup_undefined on alertInfo_analystVerdict_s;\n let suspiciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on alertInfo_analystVerdict_s;\n let maliciousdata = alertdata\n | where ruleInfo_treatAsThreat_s == \"Malicious\"\n | lookup ThreatConfidenceLookup_malicious on alertInfo_analystVerdict_s;\n let alertdatawiththreatfield = union undefineddata, suspiciousdata, maliciousdata\n | invoke _ASIM_ResolveDvcFQDN('agentDetectionInfo_name_s')\n | invoke _ASIM_ResolveSrcFQDN('alertInfo_loginAccountDomain_s')\n | extend\n EventResult = iff(alertInfo_loginIsSuccessful_s == \"true\", \"Success\", \"Failure\"),\n EventSeverity = iff(ruleInfo_severity_s == \"Critical\", \"High\", ruleInfo_severity_s),\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious)\n | project-rename\n EventStartTime = alertInfo_createdAt_t,\n SrcIpAddr = alertInfo_srcMachineIp_s,\n ActingAppName = sourceProcessInfo_name_s,\n DvcId = agentDetectionInfo_uuid_g,\n DvcOs = agentDetectionInfo_osName_s,\n DvcOsVersion = agentDetectionInfo_osRevision_s,\n EventOriginalSeverity = ruleInfo_severity_s,\n EventOriginalType = alertInfo_eventType_s,\n EventOriginalSubType = alertInfo_loginType_s,\n RuleName = ruleInfo_name_s,\n TargetUserId = alertInfo_loginAccountSid_s,\n TargetUsername = alertInfo_loginsUserName_s,\n ThreatOriginalConfidence = ruleInfo_treatAsThreat_s\n | extend\n Rule = RuleName,\n ActingAppType = iff(isnotempty(ActingAppName), \"Process\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUserType = _ASIM_GetUserType(TargetUsername, TargetUserId),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"SID\", \"\");\n union activitydata, alertdatawiththreatfield\n | extend\n EventCount = int(1),\n EventProduct = \"SentinelOne\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"SentinelOne\",\n 
EventSchema = \"Authentication\"\n | extend\n Dvc = coalesce(DvcHostname, EventProduct),\n EventEndTime = EventStartTime,\n EventUid = _ItemId,\n User = TargetUsername,\n TargetHostname = SrcHostname,\n TargetDomain = SrcDomain,\n TargetDomainType = SrcDomainType,\n TargetFQDN = SrcFQDN,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project-away\n *_b,\n *_d,\n *_g,\n *_s,\n *_t,\n ipAddress,\n username,\n accountName,\n fullScopeDetails,\n fullScopeDetailsPath,\n role,\n scopeLevel,\n source,\n sourceType,\n userScope,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n _ItemId,\n _ResourceId,\n ThreatConfidence_*\n };\n parser(disabled=disabled, starttime=starttime, endtime=endtime, targetusername_has=targetusername_has)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md new file mode 100644 index 00000000000..8ab78d3b8de --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/README.md 
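Review bot: Alerts whose `ruleInfo_treatAsThreat_s` is not exactly `"UNDEFINED"`, `"Suspicious"` or `"Malicious"` are dropped from the output, because `alertdatawiththreatfield` is built only from the three filtered subsets `undefineddata`, `suspiciousdata` and `maliciousdata`; a WINLOGONATTEMPT or WINLOGOFFATTEMPT alert carrying an empty or differently cased value never reaches the final union, which is a coverage gap for logon detections. Since `==` is case-sensitive in KQL and the three literals mix upper and title case, the exact vendor spelling should also be confirmed against real data. The smallest fix is a catch-all subset, `let otherdata = alertdata | where ruleInfo_treatAsThreat_s !in ("UNDEFINED", "Suspicious", "Malicious");`, and `union undefineddata, suspiciousdata, maliciousdata, otherdata`, leaving `ThreatConfidence` empty for those rows via the existing `coalesce`. Separately, `EventResult = iff(alertInfo_loginIsSuccessful_s == "true", "Success", "Failure")` reports Failure whenever the field is empty, so a missing value surfaces as a failed logon rather than `"NA"`; if the field can be absent, that is worth a guard or at least a comment.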
@@ -0,0 +1,18 @@ +# OpenSSH ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for OpenSSH. + +This ASIM parser supports filtering and normalizing OpenSSH server (sshd) sign in logs, collected using Syslog to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSshd%2FvimAuthenticationSshd.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSshd%2FvimAuthenticationSshd.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json new file mode 100644 index 00000000000..0f4e835fd08 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationSshd", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for OpenSSH sshd", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSshd", + "query": "let parser = (\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n targetusername_has:string = \"*\", \n disabled:bool = false\n ) {\n let prefilter = (T:(SyslogMessage:string, TimeGenerated:datetime)) {\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (SyslogMessage has targetusername_has))\n };\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Successful login\n let SSHDAccepted=(disabled:bool=false) { \n // -- Parse events with the format \"Accepted password for from port ssh2\"\n SyslogProjects | where not(disabled)\n | where ProcessName 
== \"sshd\" and SyslogMessage startswith 'Accepted'\n | invoke prefilter()\n | parse SyslogMessage with \"Accepted password for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | extend\n EventResult = 'Success'\n , EventSeverity = 'Informational'\n , EventType = 'Logon'\n , EventCount = int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - incorrect password\n let SSHDFailed=(disabled:bool=false) {\n // -- Parse events with the format Failed (password|none|publickey) for from port ssh2[: RSA :]\"\n // -- Or a number of such events message repeated times: [ ]\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and (\n SyslogMessage startswith 'Failed' \n or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed')\n )\n | invoke prefilter()\n | parse SyslogMessage with * \"Failed \" * \" for \" TargetUsername:string \" from \" SrcIpAddr:string \" port\" SrcPortNumber:int *\n | parse SyslogMessage with \"message repeated\" EventCount:int \" times:\" * \n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low' \n , EventType = 'Logon'\n , LogonMethod = iff (SyslogMessage has 'publickey', 'PKI', 'Username & password')\n , EventResultDetails = iff (SyslogMessage has 'publickey', 'Incorrect key', 'Incorrect password')\n , EventCount = toint(coalesce(EventCount,1))\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Logoff - Timeout\n let SSHDTimeout=(disabled:bool=false) {\n // -- Parse events with the format \"Timeout, client not responding from user yanivsh 131.107.174.198 port 7623\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Timeout'\n | invoke prefilter()\n | parse-where SyslogMessage with * \"user \" TargetUsername:string \" \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | extend\n EventSeverity = 'Informational'\n , EventType = 'Logoff'\n , EventResult = 'Success'\n , EventCount = 
int(1)\n | project-away SyslogMessage, ProcessName\n };\n //\n // -- Failed login - invalid user\n let SSHDInvalidUser=(disabled:bool=false) {\n // -- Parse events with the format \"Invalid user [] from port \"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith 'Invalid user'\n | invoke prefilter()\n | parse SyslogMessage with \"Invalid user \" TargetUsername:string \" from \" SrcIpAddr:string \" port \" SrcPortNumber:int\n | parse SyslogMessage with \"Invalid user from \" SrcIpAddrNoUser:string \" port \" SrcPortNumberNoUser:int\n | extend\n EventResult = 'Failure'\n , EventSeverity = 'Low'\n , EventType = 'Logon'\n , EventResultDetails = 'No such user'\n , EventCount = int(1)\n , SrcIpAddr = coalesce(SrcIpAddr, SrcIpAddrNoUser)\n , SrcPortNumber = coalesce(SrcPortNumber, SrcPortNumberNoUser)\n | project-away SyslogMessage, ProcessName, SrcIpAddrNoUser, SrcPortNumberNoUser\n };\n //\n // -- Blocked intrusion attempts\n let SSHDABreakInAttemptMappingFailed=(disabled:bool=false) {\n // -- Parse events with the format \"reverse mapping checking getaddrinfo for [] failed - POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"reverse mapping checking getaddrinfo for\"\n | invoke prefilter()\n | parse SyslogMessage with * \" for \" Src \" [\" SrcIpAddr \"]\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Reverse mapping failed\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptMappingMismatch=(disabled:bool=false) {\n // -- Parse events with the format \"Address 61.70.128.48 maps to host-61-70-128-48.static.kbtelecom.net, but this does not map back to the address - 
POSSIBLE BREAK-IN ATTEMPT!\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage has \"but this does not map back to the address\"\n | invoke prefilter()\n | parse SyslogMessage with \"Address \" SrcIpAddr:string \" maps to \" Src:string \", but this\" *\n | invoke _ASIM_ResolveSrcFQDN ('Src')\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Address to host to address mapping does not map back to address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName, Src\n };\n let SSHDABreakInAttemptNastyPtr=(disabled:bool=false) {\n // -- Parse events with the format \"Nasty PTR record \"\" is set up for , ignoring\"\n SyslogProjects | where not(disabled)\n | where ProcessName == \"sshd\" and SyslogMessage startswith \"Nasty PTR record\"\n | invoke prefilter()\n | parse SyslogMessage with * \"set up for \" SrcIpAddr:string \", ignoring\"\n | extend\n EventResult = 'Failure'\n , EventType = 'Logon'\n , DvcAction = 'Block'\n , TargetUsername = ''\n , EventSeverity = 'Medium'\n , EventCount = int(1)\n , EventResultDetails = 'Logon violates policy'\n , RuleName = \"Nasty PTR record set for IP Address\"\n | extend\n Rule = RuleName\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SSHDAccepted (disabled=disabled)\n , SSHDFailed (disabled=disabled)\n , SSHDInvalidUser (disabled=disabled)\n , SSHDTimeout (disabled=disabled)\n , SSHDABreakInAttemptMappingFailed (disabled=disabled)\n , SSHDABreakInAttemptMappingMismatch (disabled=disabled)\n , SSHDABreakInAttemptNastyPtr (disabled=disabled)\n | where targetusername_has=='*' or (TargetUsername has targetusername_has)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend \n EventVendor = 'OpenBSD'\n , EventProduct = 'OpenSSH'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n 
, LogonProtocol = 'ssh'\n , TargetAppName = 'sshd'\n , TargetAppType = 'Service'\n , EventSubType = 'Remote'\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , TargetUsernameType = 'Simple'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , TargetAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = _SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , TargetIpAddr = DvcIpAddr\n };\n parser (\n disabled = disabled,\n starttime = starttime, \n endtime = endtime,\n targetusername_has = targetusername_has\n )", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md new file mode 100644 index 00000000000..ed4264f92c5 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/README.md 
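Review bot: SSHDAccepted's parse pattern is fixed to `"Accepted password for "` while its filter admits every message that starts with 'Accepted', so a public-key success passes the filter, fails the parse (parse, unlike parse-where, keeps the row) and is emitted as a Success logon with empty TargetUsername and SrcIpAddr and no LogonMethod, whereas SSHDFailed does distinguish PKI from password. Capture the method instead: `| parse SyslogMessage with "Accepted " AuthMethod:string " for " TargetUsername:string " from " SrcIpAddr:string " port" SrcPortNumber:int *` and `, LogonMethod = iff(AuthMethod == 'publickey', 'PKI', 'Username & password')`, then add AuthMethod to that branch's project-away. Separately, the final extend sets `TargetUsernameType = 'Simple'` on every row, including the three break-in branches that set TargetUsername = '', so a type is reported for an empty value; guarding it with isnotempty(TargetUsername) keeps the pair consistent. The parser definition is complete within this hunk.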
@@ -0,0 +1,18 @@ +# su ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for su. + +This ASIM parser supports filtering and normalizing Linux su elevation commands collected using Syslog to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSu%2FvimAuthenticationSu.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSu%2FvimAuthenticationSu.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json new file mode 100644 index 00000000000..7dcb20bc3bb --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationSu", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Linux su", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationSu", + "query": "let parser = (\n starttime:datetime = datetime(null), \n endtime:datetime = datetime(null),\n targetusername_has:string = \"*\", \n disabled:bool = false\n ) {\n let prefilter = (T:(SyslogMessage:string, TimeGenerated:datetime)) {\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and (targetusername_has=='*' or (SyslogMessage has targetusername_has))\n };\n let SyslogProjects = Syslog | project TimeGenerated, Computer, SyslogMessage, ProcessName, ProcessID, HostIP, Type, _ItemId, _ResourceId, _SubscriptionId;\n //\n // -- Sucessful SU\n // Parses the event \"Successful su for by \"\n let SuSignInAuthorized=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage 
startswith \"Successful su for\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for \" TargetUsername:string \" by \" ActorUsername:string\n | extend\n EventType = 'Elevation'\n | project-away SyslogMessage, ProcessName\n };\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user \"\n let SuDisconnect=(disabled:bool=false) {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | invoke prefilter()\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n EventType = 'Logoff'\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SuSignInAuthorized (disabled = disabled)\n , SuDisconnect(disabled = disabled)\n | where targetusername_has=='*' or (TargetUsername has targetusername_has)\n | invoke _ASIM_ResolveDvcFQDN ('Computer')\n | extend\n EventVendor = 'Linux'\n , EventProduct = 'su'\n , DvcOs = 'Linux'\n , TargetDvcOs = 'Linux'\n , EventCount = int(1)\n , EventSchema = 'Authentication'\n , EventSchemaVersion = '0.1.2'\n , EventResult = 'Success'\n , EventStartTime = TimeGenerated\n , EventEndTime = TimeGenerated\n , ActorUsernameType = 'Simple'\n , TargetUsernameType = 'Simple'\n , EventSeverity = 'Informational'\n , ActingAppType = 'Process'\n , DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\")\n , ActingAppId = tostring(ProcessID)\n | project-away Computer, ProcessID\n | project-rename \n EventUid = _ItemId\n , DvcScopeId = _SubscriptionId\n , DvcId = _ResourceId\n , DvcIpAddr = HostIP\n //\n // -- Aliases\n | extend\n User = TargetUsername\n , Dvc = DvcHostname\n , Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr)\n , TargetDomain = DvcDomain\n , TargetFQDN = DvcFQDN\n , TargetDomainType = DvcDomainType\n , TargetHostname = DvcHostname\n , TargetDvcId = DvcId\n , TargetDvcScopeId = DvcScopeId\n , TargetDvcIdType = DvcDomainType\n , IpAddr = DvcIpAddr\n , 
TargetIpAddr = DvcIpAddr\n};\nparser (\n disabled = disabled,\n starttime = starttime, \n endtime = endtime,\n targetusername_has = targetusername_has\n)", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*',disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md new file mode 100644 index 00000000000..cb7cfd9ba2d --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/README.md @@ -0,0 +1,18 @@ +# Vectra ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Vectra. + +This ASIM parser supports filtering and normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Authentication schema. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
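Review bot: The final extend hard-codes `EventResult = 'Success'` and only the `Successful su for` message is parsed, so failed elevation attempts never reach the ASIM Authentication schema as Failure events and any source-agnostic content keyed on EventResult == 'Failure' is blind to su; a third branch mirroring SuSignInAuthorized for the failure message (su logs it with a `FAILED su for` prefix in the same `for <target> by <actor>` form — confirm against the collected data) with EventResult set per branch rather than once for the union would close that gap. Also, `ActorUsernameType = 'Simple'` is applied to every row although SuDisconnect never extracts ActorUsername, so Logoff rows carry a type for an empty value; `, ActorUsernameType = iff(isnotempty(ActorUsername), 'Simple', '')` keeps the pair consistent. The prefilter applies targetusername_has to the raw SyslogMessage, so a value matching the actor rather than the target passes that stage only to be dropped by the later TargetUsername check, which is correct but worth a one-line comment. The parser definition is complete within this hunk.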
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVectraXDRAudit%2FvimAuthenticationVectraXDRAudit.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json new file mode 100644 index 00000000000..c0e1080bac8 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVectraXDRAudit/vimAuthenticationVectraXDRAudit.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationVectraXDRAudit", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM filtering parser for Vectra XDR Audit Logs Event", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationVectraXDRAudit", + "query": "let parser = (disabled:bool = false, starttime:datetime=datetime(null), endtime:datetime=datetime(null))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s in (\"login\",\"logout\") and (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime)\n | extend\n EventCount = int(1),\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\"),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventStartTime = event_timestamp_t,\n EventType = case(event_action_s==\"login\", \"Logon\", event_action_s==\"logout\", \"Logoff\",\"\"),\n EventVendor = 'Vectra',\n 
ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"VectraUserId\",\n ActorUsernameType = \"UPN\",\n EventUid = tostring(toint(id_d))\n | project-rename\n DvcIpAddr = source_ip_s,\n ActorOriginalUserType = user_type_s,\n ActorUsername = username_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend\n User = ActorUsername,\n Dvc = DvcIpAddr\n | project-away\n *_d, *_s, event_timestamp_t, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, starttime=starttime, endtime=endtime)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null)" + } + } + ] + } + ] +} \ No newline at end of file From eef1e8e08ba6444ba1cea47b4fdd2eadf905956b Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Mon, 8 Jan 2024 12:08:40 +0000 Subject: [PATCH 37/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- ...imAuthenticationCrowdStrikeFalconHost.json | 46 +++++++++++++++++++ .../README.md | 18 ++++++++ .../ARM/FullDeploymentAuthentication.json | 40 ++++++++++++++++ .../imAuthentication/imAuthentication.json | 2 +- .../README.md | 18 ++++++++ ...imAuthenticationCrowdStrikeFalconHost.json | 46 +++++++++++++++++++ 7 files changed, 170 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json 
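Review bot: `source_ip_s` is renamed to `DvcIpAddr` and aliased as `Dvc`, so the address the login came from is reported as the logging device and `SrcIpAddr` is never populated; if source_ip_s is the requester's address, as its name suggests (confirm against the Audits_Data_CL schema), source-based detections such as failed logins per source address will not see Vectra events at all. Map it as `SrcIpAddr = source_ip_s` with the alias `Src = SrcIpAddr`, and fall back to `Dvc = EventProduct` the way the SentinelOne and CrowdStrike parsers in this series do when no device address is available. `ActorUsernameType = "UPN"` is also hard-coded where sibling parsers derive it with `_ASIM_GetUsernameType(ActorUsername)`, which is the safer choice unless Vectra guarantees e-mail-form usernames. The parser definition is complete within this hunk.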
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index 8bfcd57530a..c75f91e369d 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n 
ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in 
(DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json new file mode 100644 index 00000000000..c1a489f023d --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json 
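Review bot: The new union member's exclusion key `'ExcludeASimAuthenticationCrowdStrikeFalcon'` does not follow the `Exclude` + function-alias convention every other entry in this query uses, so an operator who adds the expected `ExcludeASimAuthenticationCrowdStrikeFalconHost` row to the ASimDisabledParsers watchlist will not disable this parser. The line should read `ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalconHost' in (DisabledParsers) ))`. Since this template is generated from the KQL function YAML (per the commit subject), the fix belongs in the source YAML union definition rather than in this file, and the imAuthentication counterpart listed in the diffstat should be checked for the same key.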
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationCrowdStrikeFalconHost", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n [\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n | where (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n | where DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\")\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = 
\"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename\n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n | extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message\n};\nparser(disabled=disabled)", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/README.md new file mode 100644 index 00000000000..235a414ef7a --- /dev/null 
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/README.md @@ -0,0 +1,18 @@ +# CrowdStrike Falcon Endpoint Protection ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for CrowdStrike Falcon Endpoint Protection. + +This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Authentication normalized schema. These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCrowdStrikeFalconHost%2FASimAuthenticationCrowdStrikeFalconHost.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationCrowdStrikeFalconHost%2FASimAuthenticationCrowdStrikeFalconHost.json) diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index f5b9accf65b..394fa15ce42 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json @@ -218,6 +218,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationCrowdStrikeFalconHost", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationCrowdStrikeFalconHost/ASimAuthenticationCrowdStrikeFalconHost.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -638,6 +658,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationCrowdStrikeFalconHost", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index 51cf2df1818..15fc2ecae29 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", + "query": "let Generic=(starttime:datetime=datetime(null), 
endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, 
(imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/README.md new file mode 100644 index 00000000000..5e5fc595a56 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/README.md @@ -0,0 +1,18 @@ +# CrowdStrike Falcon Endpoint Protection ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for CrowdStrike Falcon Endpoint Protection. + +This ASIM parser supports normalizing CrowdStrike Falcon Endpoint Protection logs to the ASIM Authentication normalized schema. These events are captured through CrowdStrike Falcon Endpoint Protection data connector which allows you to easily connect your CrowdStrike Falcon Event Stream with Microsoft Sentinel. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCrowdStrikeFalconHost%2FvimAuthenticationCrowdStrikeFalconHost.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationCrowdStrikeFalconHost%2FvimAuthenticationCrowdStrikeFalconHost.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json new file mode 100644 index 00000000000..4442857e5ef --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationCrowdStrikeFalconHost/vimAuthenticationCrowdStrikeFalconHost.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationCrowdStrikeFalconHost", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for CrowdStrike Falcon Endpoint Protection", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationCrowdStrikeFalconHost", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Informational\",\n \"1\", \"Informational\",\n \"2\", \"Low\",\n \"3\", \"Medium\",\n \"4\", \"High\",\n \"5\", \"High\"\n];\nlet parser = ( \n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]),\n eventresultdetails_in: dynamic=dynamic([]),\n eventresult: string='*',\n targetusername_has_any: string='*',\n targetappname_has_any: dynamic=dynamic([]),\n actorusername_has_any: string='*',\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n srchostname_has_any: dynamic=dynamic([]),\n targetipaddr_has_any_prefix: dynamic=dynamic([]),\n dvcipaddr_has_any_prefix: dynamic=dynamic([]),\n 
dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool = false\n ) {\n CommonSecurityLog\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and (DeviceVendor == \"CrowdStrike\" and DeviceProduct == \"FalconHost\")\n and (DeviceEventCategory == \"AuthActivityAuditEvent\" and DeviceEventClassID in (\"userAuthenticate\", \"twoFactorAuthenticate\"))\n and array_length(eventresultdetails_in) == 0\n and actorusername_has_any == '*'\n and array_length(srchostname_has_any) == 0\n and array_length(srcipaddr_has_any_prefix) == 0\n and (array_length(targetipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DestinationTranslatedAddress, targetipaddr_has_any_prefix))\n and array_length(dvchostname_has_any) == 0\n and (targetusername_has_any == '*' or DestinationUserName has targetusername_has_any)\n and (array_length(targetappname_has_any) == 0 or ProcessName has_any (targetappname_has_any)) \n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DestinationTranslatedAddress, dvcipaddr_has_any_prefix))\n | extend\n EventResult = iff(EventOutcome == \"true\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (eventresult == '*' or eventresult =~ EventResult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(DeviceCustomDate1),\n EventCount = int(1),\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"FalconHost\",\n EventVendor = \"CrowdStrike\"\n | project-rename \n TargetIpAddr = DestinationTranslatedAddress,\n EventUid = _ItemId,\n EventOriginalSeverity = LogSeverity,\n EventOriginalSubType = DeviceEventClassID,\n EventOriginalType = DeviceEventCategory,\n EventProductVersion = DeviceVersion,\n EventOriginalResultDetails = EventOutcome,\n TargetUsername = DestinationUserName,\n TargetAppName = ProcessName\n | 
extend\n EventEndTime = EventStartTime,\n DvcIpAddr = TargetIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n TargetAppType = iff(isnotempty(TargetAppName), \"Service\", \"\"),\n LogonMethod = iff(EventOriginalSubType =~ \"userAuthenticate\", \"Username and Password\", \"Two Factor Authentication\")\n | extend\n User = TargetUsername,\n Dst = TargetIpAddr,\n Dvc = coalesce(DvcIpAddr, EventProduct),\n Application = TargetAppName\n | project-away \n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n Computer,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n Activity,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n IndicatorThreatType,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n _ResourceId,\n ExtID,\n Message\n};\nparser(\n starttime = starttime,\n endtime = endtime,\n eventtype_in = eventtype_in,\n eventresultdetails_in = eventresultdetails_in,\n eventresult = eventresult,\n targetusername_has_any = targetusername_has_any,\n targetappname_has_any = targetappname_has_any,\n actorusername_has_any = actorusername_has_any,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n srchostname_has_any = srchostname_has_any,\n targetipaddr_has_any_prefix = targetipaddr_has_any_prefix,\n dvcipaddr_has_any_prefix = dvcipaddr_has_any_prefix,\n dvchostname_has_any = dvchostname_has_any,\n disabled = disabled\n)\n", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',targetusername_has_any:string='*',targetappname_has_any:dynamic=dynamic([]),actorusername_has_any:string='*',srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),targetipaddr_has_any_prefix:dynamic=dynamic([]),dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file From f51ec31d24bae821955223cd06ccb83dc14887d3 Mon Sep 17 00:00:00 2001 
From: "github-actions[bot]" <> Date: Tue, 20 Feb 2024 09:52:38 +0000 Subject: [PATCH 38/38] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication.json | 2 +- ...mAuthenticationPaloAltoCortexDataLake.json | 46 +++++++++++ .../README.md | 18 +++++ ...mAuthenticationVMwareCarbonBlackCloud.json | 46 +++++++++++ .../README.md | 18 +++++ .../ARM/FullDeploymentAuthentication.json | 80 +++++++++++++++++++ .../imAuthentication/imAuthentication.json | 2 +- .../README.md | 18 +++++ ...mAuthenticationPaloAltoCortexDataLake.json | 46 +++++++++++ .../README.md | 18 +++++ ...mAuthenticationVMwareCarbonBlackCloud.json | 46 +++++++++++ 11 files changed, 338 insertions(+), 2 deletions(-) create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/README.md create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/README.md create mode 100644 Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json index c75f91e369d..daa067633d9 100644 --- a/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuthentication", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n 
ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or 
('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json new file mode 100644 index 00000000000..41c1bbc7b6d --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationPaloAltoCortexDataLake", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, 
PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = 
_ItemId,\n DvcId = DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventType = \"Logon\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n 
ApplicationProtocol,\n Indicator*,\n _ResourceId\n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/README.md new file mode 100644 index 00000000000..88dfbc0db33 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/README.md @@ -0,0 +1,18 @@ +# Palo Alto Cortex Data Lake ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Palo Alto Cortex Data Lake. + +This ASIM parser supports normalizing Palo Alto Cortex Data Lake logs to the ASIM Authentication normalized schema. These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
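Review bot: `TargetDomainType` in the second `extend` is derived from `DestinationUserName`, but the domain this parser actually emits is `TargetDomain`, renamed from `PanOSAuthenticatedUserDomain` in the preceding `project-rename`; `DestinationUserName` is used nowhere else and is dropped by `project-away Destination*`, so the type can disagree with the value it is meant to describe. Compute it from the emitted field instead: `TargetDomainType = case(array_length(split(TargetDomain, ".")) > 1, "FQDN", array_length(split(TargetDomain, "\\")) > 1, "Windows", "")` (shown unescaped; the JSON string needs the usual `\"` quoting). The `vimAuthenticationPaloAltoCortexDataLake.json` hunk further down carries the identical expression and needs the same change. Separately, `EventResult` is `Failure` only when `EventMessage has "Invalid Certificate"`, so any other rejected authentication the source reports with different wording is normalized as `Success`; if the CEF `EventOutcome` column, currently discarded by `project-away`, carries the outcome for this product it would be a more reliable basis, which is worth confirming against sample AUTH records before relying on this parser for failed-logon detections.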
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPaloAltoCortexDataLake%2FASimAuthenticationPaloAltoCortexDataLake.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPaloAltoCortexDataLake%2FASimAuthenticationPaloAltoCortexDataLake.json) diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json new file mode 100644 index 00000000000..cfd10c5c9e3 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuthenticationVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "ASimAuthenticationVMwareCarbonBlackCloud", + "query": "let parser = (disabled: bool=false) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\"\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\")\n | extend\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventType = \"Logon\",\n EventResultDetails = case(\n EventResult == \"Failure\" 
and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n ),\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId \n};\nparser(disabled=disabled)\n", + "version": 1, + "functionParameters": "disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/README.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/README.md new file mode 100644 index 00000000000..6196e530ca5 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/README.md 
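Review bot: The `EventResultDetails` case in the first `extend` maps every failed event whose description contains `logged in` or `login` but not `locked` to `Incorrect password`, which asserts a specific cause the visible text does not establish; if the audit description names another reason the normalized field is wrong while `EventOriginalResultDetails` keeps the real one. Unless the source guarantees that wording, drop the `"Incorrect password"` branch so such rows take the final `""` default and consumers fall back to `EventOriginalResultDetails`. The `EventResult` rule just above has the mirror-image weakness: anything without `successfully` becomes `Failure`, so a neutral audit line that passes the `has_any ("logged in", "login", "second factor authentication")` filter is reported as a failed logon; confirming both rules against sample `CarbonBlackAuditLogs_CL` rows, or tightening the filter to logon outcomes only, would make the failure signal trustworthy.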
@@ -0,0 +1,18 @@ +# VMware Carbon Black Cloud ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for VMware Carbon Black Cloud. + +This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Authentication normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVMwareCarbonBlackCloud%2FASimAuthenticationVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVMwareCarbonBlackCloud%2FASimAuthenticationVMwareCarbonBlackCloud.json) diff --git a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json index 394fa15ce42..6248dbadcc6 100644 --- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json @@ -318,6 +318,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationPaloAltoCortexDataLake", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -438,6 +458,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedASimAuthenticationVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", @@ -778,6 +818,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationPaloAltoCortexDataLake", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", 
@@ -878,6 +938,26 @@ } } }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "linkedvimAuthenticationVMwareCarbonBlackCloud", + "properties": { + "mode": "Incremental", + "templateLink": { + "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json", + "contentVersion": "1.0.0.0" + }, + "parameters": { + "Workspace": { + "value": "[parameters('Workspace')]" + }, + "WorkspaceRegion": { + "value": "[parameters('WorkspaceRegion')]" + } + } + } + }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", diff --git a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json index 15fc2ecae29..b5702db7f0b 100644 --- a/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json +++ b/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json 
@@ -35,7 +35,7 @@ "displayName": "Authentication ASIM filtering parser", "category": "ASIM", "FunctionAlias": "imAuthentication", - "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, 
targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationSentinelOne (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, targetusername_has_any=targetusername_has, 
disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", + "query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\") {\n let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\n let imAuthenticationDisabled=toscalar('ExcludeimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \n union isfuzzy=true\n vimAuthenticationEmpty\n , vimAuthenticationAADManagedIdentitySignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationAADServicePrincipalSignInLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )))\n , vimAuthenticationSigninLogs (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSigninLogs' in (DisabledParsers) )))\n , vimAuthenticationAWSCloudTrail (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationAWSCloudTrail' in (DisabledParsers) )))\n , vimAuthenticationOktaSSO (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationOktaSSO' in (DisabledParsers) )))\n , vimAuthenticationM365Defender (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationM365Defender' in (DisabledParsers) )))\n , 
vimAuthenticationMicrosoftWindowsEvent (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )))\n , vimAuthenticationMD4IoT (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationMD4IoT' in (DisabledParsers) )))\n , vimAuthenticationPostgreSQL (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationPostgreSQL' in (DisabledParsers) )))\n , vimAuthenticationSshd (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSshd' in (DisabledParsers) )))\n , vimAuthenticationSu (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSu' in (DisabledParsers) )))\n , vimAuthenticationCiscoASA (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoASA' in (DisabledParsers) )))\n , vimAuthenticationCiscoMeraki (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoMeraki' in (DisabledParsers) )))\n , vimAuthenticationCiscoISE (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))\n , vimAuthenticationBarracudaWAF (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))\n , vimAuthenticationVectraXDRAudit (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))\n , vimAuthenticationSalesforceSC (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))\n , vimAuthenticationPaloAltoCortexDataLake (starttime, endtime, targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))\n , 
vimAuthenticationSentinelOne (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))\n , vimAuthenticationCrowdStrikeFalconHost (starttime=starttime, endtime=endtime, targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )))\n , vimAuthenticationVMwareCarbonBlackCloud (starttime=starttime, endtime=endtime, targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))\n};\nGeneric(starttime, endtime, targetusername_has)\n", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),targetusername_has:string='*'" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/README.md new file mode 100644 index 00000000000..6743dba8464 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/README.md 
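Review bot: The new `vimAuthenticationPaloAltoCortexDataLake` and `vimAuthenticationVMwareCarbonBlackCloud` union members pass the outer `targetusername_has:string='*'` into a `targetusername_has_any` parameter that the Palo Alto parser (its own hunk below) declares as `dynamic=dynamic([])` and tests with `array_length(targetusername_has_any) == 0 or AdditionalExtensions has_any(targetusername_has_any)`. A string scalar is not an empty array, so either the call is rejected for a type mismatch or the guard falls through to a term search for `*`; in neither case does the default plausibly mean "no filter", so a quick query confirming these members return rows with default arguments is warranted. The pre-existing CrowdStrike line uses the same pattern, so this may be an accepted convention; if it is, a short comment on the first such line saying why it is safe would save the next reviewer the same question. On style, the Palo Alto line mixes positional and named arguments (`starttime, endtime, targetusername_has_any=targetusername_has, disabled=...`) whereas the CrowdStrike and Carbon Black lines name every argument; one form throughout keeps the union readable.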
@@ -0,0 +1,18 @@ +# Palo Alto Cortex Data Lake ASIM Authentication Normalization Parser + +ARM template for ASIM Authentication schema parser for Palo Alto Cortex Data Lake. + +This ASIM parser supports normalizing Palo Alto Cortex Data Lake logs to the ASIM Authentication normalized schema. These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel. + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc) + +
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPaloAltoCortexDataLake%2FvimAuthenticationPaloAltoCortexDataLake.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPaloAltoCortexDataLake%2FvimAuthenticationPaloAltoCortexDataLake.json) diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json new file mode 100644 index 00000000000..5f3de72285f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationPaloAltoCortexDataLake", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationPaloAltoCortexDataLake", + "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\"\n];\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n eventresultdetails_in: dynamic=dynamic([]), \n eventresult: string='*', \n targetusername_has_any: dynamic=dynamic([]), \n targetappname_has_any: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n srchostname_has_any: dynamic=dynamic([]), \n 
targetipaddr_has_any_prefix: dynamic=dynamic([]), \n dvcipaddr_has_any_prefix: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool = false) {\n CommonSecurityLog\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"LF\"\n and DeviceEventClassID == \"AUTH\"\n and array_length(eventresultdetails_in) == 0\n and array_length(targetappname_has_any) == 0\n and array_length(actorusername_has_any) == 0 \n and (array_length(targetusername_has_any) == 0 or AdditionalExtensions has_any(targetusername_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n and (array_length(srchostname_has_any) == 0 or AdditionalExtensions has_any(srchostname_has_any))\n and (array_length(targetipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(DestinationIP, targetipaddr_has_any_prefix))\n and (array_length(dvcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(Computer, dvcipaddr_has_any_prefix))\n and (array_length(dvchostname_has_any) == 0 or DeviceName has_any(dvchostname_has_any))\n | extend\n EventResult = iff(Message has \"Invalid Certificate\", \"Failure\", \"Success\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, 
PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | where (array_length(targetusername_has_any) == 0 or PanOSAuthenticatedUserName has_any(targetusername_has_any))\n and (array_length(srchostname_has_any) == 0 or PanOSSourceDeviceHost has_any(srchostname_has_any))\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n | lookup EventSeverityLookup on LogSeverity\n | extend\n EventStartTime = todatetime(start),\n SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n EventMessage = Message,\n LogonMethod = case(\n FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\n \"\"\n ),\n AdditionalFields = bag_pack(\n \"FileName\",\n FileName,\n \"PanOSLogSource\",\n PanOSLogSource,\n \"PanOSRuleMatchedUUID\",\n PanOSRuleMatchedUUID,\n DeviceCustomNumber1Label,\n FieldDeviceCustomNumber1, \n DeviceCustomNumber2Label,\n FieldDeviceCustomNumber2,\n DeviceCustomString3Label,\n DeviceCustomString3,\n DeviceCustomString4Label,\n DeviceCustomString4,\n DeviceCustomString5Label,\n DeviceCustomString5,\n DeviceCustomString6Label,\n DeviceCustomString6,\n \"PanOSAuthenticationDescription\",\n PanOSAuthenticationDescription,\n \"PanOSClientTypeName\",\n PanOSClientTypeName,\n \"PanOSConfigVersion\",\n PanOSConfigVersion,\n \"PanOSMFAVendor\",\n PanOSMFAVendor,\n \"PanOSSourceDeviceCategory\",\n PanOSSourceDeviceCategory,\n \"PanOSSourceDeviceModel\",\n PanOSSourceDeviceModel,\n \"PanOSSourceDeviceProfile\",\n PanOSSourceDeviceProfile,\n \"PanOSSourceDeviceVendor\",\n PanOSSourceDeviceVendor\n )\n | project-rename\n DvcIpAddr = Computer,\n EventUid = _ItemId,\n DvcId = 
DeviceExternalID,\n EventOriginalResultDetails = Message,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n LogonProtocol = PanOSAuthenticationProtocol,\n SrcDvcOs = PanOSSourceDeviceOSFamily,\n TargetUsername = PanOSAuthenticatedUserName,\n TargetUserId = PanOSAuthenticatedUserUUID,\n TargetDomain = PanOSAuthenticatedUserDomain,\n EventOriginalSubType = Activity,\n HttpUserAgent = PanOSUserAgentString,\n TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n TargetSessionId = PanOSSessionID,\n TargetDvc = DeviceCustomString1\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDomainType = case(\n array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\n array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\n \"\"\n ),\n TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n | extend\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventProduct = \"Cortex Data Lake\",\n EventVendor = \"Palo Alto\"\n | project-away\n Source*,\n Destination*,\n Device*,\n AdditionalExtensions,\n CommunicationDirection,\n EventOutcome,\n PanOS*,\n start,\n EndTime,\n FieldDevice*,\n Flex*,\n File*,\n Old*,\n MaliciousIP*,\n OriginalLogSeverity,\n Process*,\n Protocol,\n ReceivedBytes,\n SentBytes,\n Remote*,\n Request*,\n SimplifiedDeviceAction,\n StartTime,\n TenantId,\n Threat*,\n ExternalID,\n ReportReferenceLink,\n ReceiptTime,\n Reason,\n ApplicationProtocol,\n Indicator*,\n _ResourceId\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n 
eventresultdetails_in=eventresultdetails_in, \n eventresult=eventresult, \n targetusername_has_any=targetusername_has_any, \n targetappname_has_any=targetappname_has_any, \n actorusername_has_any=actorusername_has_any, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n srchostname_has_any=srchostname_has_any, \n targetipaddr_has_any_prefix=targetipaddr_has_any_prefix, \n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, \n dvchostname_has_any=dvchostname_has_any, \n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',targetusername_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),targetipaddr_has_any_prefix:dynamic=dynamic([]),dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/README.md b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/README.md new file mode 100644 index 00000000000..925a7a9dc0f --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/README.md 
@@ -0,0 +1,18 @@
+# VMware Carbon Black Cloud ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for VMware Carbon Black Cloud.
+
+This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Authentication normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVMwareCarbonBlackCloud%2FvimAuthenticationVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVMwareCarbonBlackCloud%2FvimAuthenticationVMwareCarbonBlackCloud.json)
diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json
new file mode 100644
index 00000000000..5a16ab906d4
--- /dev/null
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "vimAuthenticationVMwareCarbonBlackCloud", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud", + "category": "ASIM", + "FunctionAlias": "vimAuthenticationVMwareCarbonBlackCloud", + "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n eventtype_in: dynamic=dynamic([]), \n eventresultdetails_in: dynamic=dynamic([]), \n eventresult: string='*', \n targetusername_has_any: dynamic=dynamic([]), \n targetappname_has_any: dynamic=dynamic([]), \n actorusername_has_any: dynamic=dynamic([]), \n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n srchostname_has_any: dynamic=dynamic([]), \n targetipaddr_has_any_prefix: dynamic=dynamic([]), \n dvcipaddr_has_any_prefix: dynamic=dynamic([]), \n dvchostname_has_any: dynamic=dynamic([]), \n disabled: bool = false\n ) {\n CarbonBlackAuditLogs_CL\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or 
TimeGenerated <= endtime)\n and (description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\")\n and array_length(targetappname_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and array_length(srchostname_has_any) == 0\n and array_length(targetipaddr_has_any_prefix) == 0\n and array_length(dvcipaddr_has_any_prefix) == 0\n and array_length(dvchostname_has_any) == 0\n and (array_length(targetusername_has_any) == 0 or loginName_s has_any(targetusername_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n | extend\n EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n EventType = \"Logon\"\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (eventresult == '*' or EventResult has eventresult)\n | extend EventResultDetails = case(\n EventResult == \"Failure\" and description_s has (\"locked\"),\n \"User locked\",\n EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n \"Incorrect password\",\n EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n \"MFA not satisfied\",\n \"\"\n )\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n | extend\n EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n AdditionalFields = bag_pack(\"flagged\", flagged_b),\n EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\"),\n EventCount = int(1),\n EventProduct = \"Carbon Black Cloud\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.3\",\n EventVendor = \"VMware\",\n EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n | project-rename\n EventMessage = description_s,\n EventOriginalUid = eventId_g,\n TargetUsername = loginName_s,\n SrcIpAddr = clientIp_s,\n 
EventUid=_ItemId,\n EventOwner = orgName_s\n | extend\n IpAddr = SrcIpAddr,\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n Dvc = EventProduct,\n EventEndTime = EventStartTime,\n User = TargetUsername,\n Src = SrcIpAddr\n | project-away\n *_s,\n *_d,\n *_b,\n _ResourceId,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId \n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in, \n eventresultdetails_in=eventresultdetails_in, \n eventresult=eventresult, \n targetusername_has_any=targetusername_has_any, \n targetappname_has_any=targetappname_has_any, \n actorusername_has_any=actorusername_has_any, \n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n srchostname_has_any=srchostname_has_any, \n targetipaddr_has_any_prefix=targetipaddr_has_any_prefix, \n dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, \n dvchostname_has_any=dvchostname_has_any, \n disabled=disabled\n)\n", + "version": 1, + "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',targetusername_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),targetipaddr_has_any_prefix:dynamic=dynamic([]),dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False" + } + } + ] + } + ] +} \ No newline at end of file
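Review bot: The EventResultDetails case in the embedded query labels every non-locked failed login as "Incorrect password", although nothing in the visible description text establishes that a wrong password was the cause — an unknown, disabled or expired account would presumably yield the same Failure row and be tagged identically, which skews any detection that keys on that value (password-spray or brute-force logic, for example). Because the where filter only admits descriptions containing "logged in", "login" or "second factor authentication", the final `""` branch of the case can never apply to a Failure row, so the classifier has no "reason unknown" outcome at all. Consider narrowing that branch so it only fires when the text actually names the password and letting other failures fall through, e.g. `EventResult == "Failure" and description_s has_any ("logged in", "login") and description_s has "password", "Incorrect password",` (quotes escaped as `\"` inside the JSON string), preceded by a KQL comment such as `// Carbon Black exposes no failure-reason field; result details are inferred from description_s wording`. The Success/Failure split on `description_s has "successfully"` deserves the same confirmation against sample events, since any phrasing without that word is reported as a failure. If this ARM template is generated from a YAML parser source, the change belongs there rather than in the JSON.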