Azure · v-atulyadav · Feb 21, 2024 · Sep 16, 2022 · Sep 20, 2022 · Sep 20, 2022
@@ -804,6 +804,54 @@
         {
             "Name": "TimeGenerated",
             "Type": "DateTime"
+        },
+        {
+            "Name": "_ItemId",
+            "Type": "String"
+        },
+        {
+            "Name": "starttime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "endtime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "targetusername_has",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceSystem",
+            "Type": "String"
+        },
+        {
+            "Name": "Computer",
+            "Type": "String"
+        },
+        {
+            "Name": "MG",
+            "Type": "String"
+        },
+        {
+            "Name": "ManagementGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "Message",
+            "Type": "String"
+        },
+        {
+            "Name": "RawData",
+            "Type": "String"
+        },
+        {
+            "Name": "_ResourceId",
+            "Type": "String"
+        },
+        {
+            "Name": "TenantId",
+            "Type": "String"
         }
     ]
 }
@@ -35,7 +35,7 @@
             "displayName": "Authentication ASIM parser",
             "category": "ASIM",
             "FunctionAlias": "ASimAuthentication",
-            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n  vimAuthenticationEmpty,    \n  ASimAuthenticationAADManagedIdentitySignInLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs'  in (DisabledParsers) )),\n  ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAADServicePrincipalSignInLogs   (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail'      in (DisabledParsers) )),\n  ASimAuthenticationBarracudaWAF  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n  ASimAuthenticationCiscoASA      (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n  ASimAuthenticationCiscoISE  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n  ASimAuthenticationCiscoMeraki  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n  ASimAuthenticationM365Defender  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender'      in (DisabledParsers) )),\n  ASimAuthenticationMD4IoT  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT'  in (DisabledParsers) )),\n  ASimAuthenticationMicrosoftWindowsEvent     (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent'      in (DisabledParsers) )),\n  ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO'      in (DisabledParsers) )),\n  ASimAuthenticationPostgreSQL  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL'  in (DisabledParsers) )),\n  ASimAuthenticationSigninLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n  ASimAuthenticationSshd  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n  ASimAuthenticationSu  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n  ASimAuthenticationVectraXDRAudit  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n  ASimAuthenticationSentinelOne  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n  ASimAuthenticationCrowdStrikeFalconHost  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n",
+            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n  vimAuthenticationEmpty,    \n  ASimAuthenticationAADManagedIdentitySignInLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs'  in (DisabledParsers) )),\n  ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAADServicePrincipalSignInLogs   (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail'      in (DisabledParsers) )),\n  ASimAuthenticationBarracudaWAF  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n  ASimAuthenticationCiscoASA      (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n  ASimAuthenticationCiscoISE  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n  ASimAuthenticationCiscoMeraki  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n  ASimAuthenticationM365Defender  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender'      in (DisabledParsers) )),\n  ASimAuthenticationMD4IoT  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT'  in (DisabledParsers) )),\n  ASimAuthenticationMicrosoftWindowsEvent     (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent'      in (DisabledParsers) )),\n  ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO'      in (DisabledParsers) )),\n  ASimAuthenticationPostgreSQL  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL'  in (DisabledParsers) )),\n  ASimAuthenticationSigninLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n  ASimAuthenticationSshd  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n  ASimAuthenticationSu  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n  ASimAuthenticationSalesforceSC  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC'  in (DisabledParsers) )),\n  ASimAuthenticationVectraXDRAudit  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n  ASimAuthenticationSentinelOne  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n  ASimAuthenticationPaloAltoCortexDataLake  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n  ASimAuthenticationVMwareCarbonBlackCloud  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n  ASimAuthenticationCrowdStrikeFalconHost  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n",
             "version": 1,
             "functionParameters": "disabled:bool=False"
           }

@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimAuthenticationPaloAltoCortexDataLake",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Authentication ASIM parser for Palo Alto Cortex Data Lake",
+            "category": "ASIM",
+            "FunctionAlias": "ASimAuthenticationPaloAltoCortexDataLake",
+            "query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n    \"0\", \"Low\",\n    \"1\", \"Low\",\n    \"2\", \"Low\",\n    \"3\", \"Low\",\n    \"4\", \"Low\",\n    \"5\", \"Low\",\n    \"6\", \"Medium\",\n    \"7\", \"Medium\",\n    \"8\", \"Medium\",\n    \"9\", \"High\",\n    \"10\", \"High\"\n];\nlet parser = (disabled: bool=false) {\n    CommonSecurityLog\n    | where not(disabled)\n        and DeviceVendor == \"Palo Alto Networks\" and DeviceProduct == \"LF\"\n        and DeviceEventClassID == \"AUTH\"\n    | parse-kv AdditionalExtensions as (PanOSSourceDeviceHost: string, PanOSSourceDeviceOSFamily: string, PanOSAuthenticationProtocol: string, PanOSAuthenticatedUserDomain: string, PanOSAuthenticatedUserName: string, PanOSAuthenticatedUserUUID: string, start: string, PanOSLogSource: string, PanOSRuleMatchedUUID: string, PanOSAuthenticationDescription: string, PanOSClientTypeName: string, PanOSConfigVersion: string, PanOSMFAVendor: string, PanOSSourceDeviceCategory: string, PanOSSourceDeviceModel: string, PanOSSourceDeviceProfile: string, PanOSSourceDeviceVendor: string, PanOSUserAgentString: string, PanOSCortexDataLakeTenantID: string, PanOSSessionID: string) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n    | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n    | invoke _ASIM_ResolveSrcFQDN('PanOSSourceDeviceHost')\n    | lookup EventSeverityLookup on LogSeverity\n    | extend\n        EventStartTime = todatetime(start),\n        SrcIpAddr = coalesce(SourceIP, DeviceCustomIPv6Address2),\n        TargetIpAddr = coalesce(DestinationIP, DeviceCustomIPv6Address3),\n        EventMessage = Message,\n        LogonMethod = case(\n                      FieldDeviceCustomNumber1 == 1, \"Username & Password\",\n                      FieldDeviceCustomNumber1 == 2, \"Multi factor authentication\",\n                      FieldDeviceCustomNumber1 == 3, \"Multi factor authentication\",\n                      \"\"\n        ),\n        AdditionalFields = bag_pack(\n                      \"FileName\",\n                      FileName,\n                      \"PanOSLogSource\",\n                      PanOSLogSource,\n                      \"PanOSRuleMatchedUUID\",\n                      PanOSRuleMatchedUUID,\n                      DeviceCustomNumber1Label,\n                      FieldDeviceCustomNumber1, \n                      DeviceCustomNumber2Label,\n                      FieldDeviceCustomNumber2,\n                      DeviceCustomString3Label,\n                      DeviceCustomString3,\n                      DeviceCustomString4Label,\n                      DeviceCustomString4,\n                      DeviceCustomString5Label,\n                      DeviceCustomString5,\n                      DeviceCustomString6Label,\n                      DeviceCustomString6,\n                      \"PanOSAuthenticationDescription\",\n                      PanOSAuthenticationDescription,\n                      \"PanOSClientTypeName\",\n                      PanOSClientTypeName,\n                      \"PanOSConfigVersion\",\n                      PanOSConfigVersion,\n                      \"PanOSMFAVendor\",\n                      PanOSMFAVendor,\n                      \"PanOSSourceDeviceCategory\",\n                      PanOSSourceDeviceCategory,\n                      \"PanOSSourceDeviceModel\",\n                      PanOSSourceDeviceModel,\n                      \"PanOSSourceDeviceProfile\",\n                      PanOSSourceDeviceProfile,\n                      \"PanOSSourceDeviceVendor\",\n                      PanOSSourceDeviceVendor\n                  )\n    | project-rename\n        DvcIpAddr = Computer,\n        EventUid = _ItemId,\n        DvcId = DeviceExternalID,\n        EventOriginalResultDetails = Message,\n        EventOriginalSeverity = LogSeverity,\n        EventOriginalType = DeviceEventClassID,\n        EventOriginalUid = ExtID,\n        EventProductVersion = DeviceVersion,\n        LogonProtocol = PanOSAuthenticationProtocol,\n        SrcDvcOs = PanOSSourceDeviceOSFamily,\n        TargetUsername = PanOSAuthenticatedUserName,\n        TargetUserId = PanOSAuthenticatedUserUUID,\n        TargetDomain = PanOSAuthenticatedUserDomain,\n        EventOriginalSubType = Activity,\n        HttpUserAgent =  PanOSUserAgentString,\n        TargetDvcScopeId = PanOSCortexDataLakeTenantID,\n        TargetSessionId = PanOSSessionID,\n        TargetDvc = DeviceCustomString1\n    | extend\n        Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n        EventEndTime = EventStartTime,\n        EventResult = iff(EventMessage has \"Invalid Certificate\", \"Failure\", \"Success\"),\n        Dst = TargetIpAddr,\n        Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n        TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n        User = TargetUsername,\n        IpAddr = SrcIpAddr,\n        DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n        TargetDomainType = case(\n                      array_length(split(DestinationUserName, \".\")) > 1, \"FQDN\",\n                      array_length(split(DestinationUserName, \"\\\\\")) > 1, \"Windows\",\n                      \"\"\n                  ),\n        TargetUserIdType = iff(isnotempty(TargetUserId), \"UID\", \"\"),\n        TargetUsernameType = _ASIM_GetUsernameType(TargetUsername)\n    | extend\n        EventSchema = \"Authentication\",\n        EventSchemaVersion = \"0.1.3\",\n        EventType = \"Logon\",\n        EventProduct = \"Cortex Data Lake\",\n        EventVendor = \"Palo Alto\"\n    | project-away\n        Source*,\n        Destination*,\n        Device*,\n        AdditionalExtensions,\n        CommunicationDirection,\n        EventOutcome,\n        PanOS*,\n        start,\n        EndTime,\n        FieldDevice*,\n        Flex*,\n        File*,\n        Old*,\n        MaliciousIP*,\n        OriginalLogSeverity,\n        Process*,\n        Protocol,\n        ReceivedBytes,\n        SentBytes,\n        Remote*,\n        Request*,\n        SimplifiedDeviceAction,\n        StartTime,\n        TenantId,\n        Threat*,\n        ExternalID,\n        ReportReferenceLink,\n        ReceiptTime,\n        Reason,\n        ApplicationProtocol,\n        Indicator*,\n        _ResourceId\n};\nparser(disabled=disabled)\n",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}
@@ -0,0 +1,18 @@
+# Palo Alto Cortex Data Lake ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Palo Alto Cortex Data Lake.
+
+This ASIM parser supports normalizing Palo Alto Cortex Data Lake logs to the ASIM Authentication normalized schema. These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPaloAltoCortexDataLake%2FASimAuthenticationPaloAltoCortexDataLake.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPaloAltoCortexDataLake%2FASimAuthenticationPaloAltoCortexDataLake.json)
@@ -0,0 +1,18 @@
+# Salesforce Service Cloud ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Salesforce Service Cloud.
+
+This ASIM parser supports normalizing Salesforce sign in logs, stored in the  SalesforceServiceCloud_CL table, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSalesforceSC%2FASimAuthenticationSalesforceSC.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSalesforceSC%2FASimAuthenticationSalesforceSC.json)