diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
index 8dbc5797a66..e145f4fa36c 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
@@ -35,7 +35,7 @@
"displayName": "Audit event ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAuditEvent",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers)))\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))\n",
"version": 1,
"functionParameters": "pack:bool=False"
}
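Review bot: Of the four union members added to the `query` string, only ASimAuditEventBarracudaWAF and ASimAuditEventCiscoISE are created in the portion of this diff visible here; because the union is `isfuzzy=true`, a workspace where ASimAuditEventCiscoMeraki or ASimAuditEventVectraXDRAudit has not been deployed will silently drop those sources instead of failing, so it is worth confirming that both parsers ship with this change or already exist. The last member also breaks the spacing the others use, `ASimAuditEventVectraXDRAudit(BuiltInDisabled` versus `ASimAuditEventCiscoISE (BuiltInDisabled`, which KQL accepts but which makes the list harder to scan; I would write it as `ASimAuditEventVectraXDRAudit (BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))`.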
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json
new file mode 100644
index 00000000000..8edc835dcb5
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAuditEventBarracudaWAF",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Barracuda WAF",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventBarracudaWAF",
+ "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (disabled: bool=false) {\n let BarracudaCustom = \n (union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) \n and LogType_s == 
\"AUDIT\" \n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason: string\n | extend Reason = trim('\"', Reason)\n | extend\n EventResultDetails = Reason,\n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on ChangeType_s\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventType = EventType_lookup,\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s, \n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s) - tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s))),\n Operation = CommandName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n _ResourceId,\n Reason,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem\n );\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor startswith \"Barracuda\"\n and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason: string \n | extend 
Reason = trim('\"', Reason)\n | extend \n EventResultDetails = Reason,\n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventResult = \"Success\", \n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n EventType = EventType_lookup,\n Dvc = DeviceName, \n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime) - tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime))),\n Operation = ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n ThreatConfidence = toint(ThreatConfidence) \n | extend\n Src = SrcIpAddr,\n EventEndTime = EventStartTime,\n ActorUsernameType = iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue \n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value), \"Other\", \"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Reason,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = 
true \n BarracudaCustom,\n BarracudaCEF\n};\nparser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
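Review bot: In the `query` string, both the custom-log branch and the CEF branch derive `EventType` and `ObjectType` through `lookup`, which is a left-outer join: any ChangeType_s/EventOutcome value other than SET, ADD, DEL, NONE or empty, and any ObjectType_s/FileType value absent from ObjectTypeLookup, leaves those columns empty instead of falling back to "Other", and I believe both fields are mandatory in the ASIM AuditEvent schema, so such rows would be emitted schema-invalid. Setting `EventType = coalesce(EventType_lookup, "Other")` and `ObjectType = coalesce(ObjectType, "Other")` in the extend that follows each lookup, in both branches, closes that gap without altering the mapped cases. Separately, `EventResult = "Success"` is hard-coded in both branches even though a `Reason` is parsed from the message into EventResultDetails; if the WAF audit log can record rejected configuration changes, that value should be derived rather than fixed, which I cannot confirm from the parser alone. The CEF branch also computes `ThreatConfidence = toint(ThreatConfidence)` and then removes the column in `project-away`, which is dead work that can be dropped.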
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/README.md
new file mode 100644
index 00000000000..6c7e2211e69
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/README.md
@@ -0,0 +1,18 @@
+# Barracuda WAF ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Barracuda WAF.
+
+This ASIM parser supports normalizing Barracuda WAF to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventBarracudaWAF%2FASimAuditEventBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventBarracudaWAF%2FASimAuditEventBarracudaWAF.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json
new file mode 100644
index 00000000000..0f110d63c3d
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAuditEventCiscoISE",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM filtering parser for Cisco ISE",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventCiscoISE",
+ "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE 
instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary 
instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", 
\"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment 
successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", 
\"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", 
\"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE 
Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI 
to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support 
bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event 
occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs 
were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", 
\"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", 
\"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", 
\"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA 
domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", 
\"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", 
\"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"];\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n| summarize make_set(EventOriginalType));\nlet CiscoISEAuditParser=(disabled: bool=false) {\nSyslog\n| where not(disabled)\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in 
(EventOriginalTypeList)\n| lookup EventFieldsLookup on EventOriginalType \n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename SrcIpAddr=['Remote-Address'], TargetIpAddr =['Device IP Address']\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) \n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer))\n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n TenantId,\n SourceSystem,\n MG,\n Computer,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n SyslogMessage,\n HostIP,\n ProcessName,\n ProcessID,\n _ResourceId,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/README.md
new file mode 100644
index 00000000000..bd6326f0e29
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/README.md
@@ -0,0 +1,18 @@
+# Cisco ISE ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Cisco ISE.
+
+This ASIM parser supports normalizing administrative activity in the Cisco ISE events to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoISE%2FASimAuditEventCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoISE%2FASimAuditEventCiscoISE.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json
new file mode 100644
index 00000000000..34cb308683e
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAuditEventCiscoMeraki",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Cisco Meraki",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventCiscoMeraki",
+ "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool=false) {\nlet allData = union isfuzzy=true\n (\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", 
\"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where 
Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" 
Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | extend Epoch = tostring(Parser[0]),\n Device = tostring(Parser[1])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | lookup EventFieldsLookup on TempOperation\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', 
temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", 
connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n };\n parser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
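Review bot: The new Meraki parser sets `EventSchemaVersion = "0.1"` in the final `extend` of the query (L237), while the Cisco ISE parser added in the same change sets `EventSchemaVersion = "0.1.0"` (L155); consumers that filter or group on that field will treat the two sources as different schema revisions, so one value should be chosen for both, matching what the AuditEvent schema reference declares. In the same `extend`, `EventUid = _ResourceId` looks like it assigns the collecting resource's ID rather than a per-record identifier, which would make EventUid identical for every event from one agent; if that is the case the record-level `_ItemId` column is the usual choice. Finally, `SrcPortNumber` falls back to `toint(Port)` / `toint(port)` for the switch-port events, placing a physical interface index in a field that the schema otherwise uses for a transport-layer port, so downstream content joining on SrcPortNumber can mismatch; a short comment noting this overloading, or leaving SrcPortNumber unset for those events, would make the intent explicit.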
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/README.md
new file mode 100644
index 00000000000..33cbb39492e
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/README.md
@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Audit Event normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoMeraki%2FASimAuditEventCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventCiscoMeraki%2FASimAuditEventCiscoMeraki.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json
index 276b8925954..ddb5229ec61 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json
@@ -35,7 +35,7 @@
"displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events",
"category": "ASIM",
"FunctionAlias": "ASimAuditEventMicrosoftWindowsEvents",
- "query": "let parser = (disabled:bool = false) {\n union \n (\n union \n (\n SecurityEvent\n | where not(disabled)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type\n | where EventID == 1102\n ),\n (\n Event\n | where not(disabled)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type\n | where EventID == 1102\n )\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string\n ) \n with (regex=@'<(\\w+)>([^<]*)<')\n | project-away EventData\n ),\n (\n WindowsEvent \n | where not(disabled)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type\n | where EventID == 1102\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | project-away EventData\n )\n | project-rename\n ActorUserId = SubjectUserSid,\n DvcHostname = Computer,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId\n | extend\n EventCount = int(1),\n EventType = \"Delete\",\n Operation = \"Delete Logs\",\n Object = \"Logs\",\n EventResult = \"Success\",\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Windows',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n EventOriginalType = tostring(EventID)\n // Aliases\n | extend \n User=ActorUsername,\n ActorUserSid = ActorUserId,\n Dvc = DvcHostname\n | project-away Subject*, EventID\n};\nparser (disabled=disabled)",
+ "query": "let parser = (disabled:bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([1102,4698,4699,4700,4701,4702,4929,5025,5027,5028,5029,5030,5034,5035,5037,7035,7036,7040,7045,2009,5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698,4699,4700,4701,4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025,5027,5028,5029,5030,5034,5035,5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035,7036,7040,7045,2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]); \n // EventID Lookup\n let EventIDLookup = datatable(EventID:int, Operation:string, EventType:string, Object:string, ObjectType:string, EventResult:string)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall 
Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union (\n union (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n ),\n (\n // Event\n Event\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n )\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string,\n TaskName:string,\n TaskContent:string,\n TaskContentNew:string,\n ClientProcessId:string,\n DestinationDRA:string,\n SourceDRA:string,\n SourceAddr:string,\n ObjectDN:string,\n AttributeValue:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n ),\n // WindowsEvents\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n 
SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, 
SourceAddr, ObjectDN\n ;\n // Union Events\n union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Windows',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\",\"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n};\nparser (disabled=disabled)",
"version": 1,
"functionParameters": "disabled:bool=False"
}
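Review bot: The EventIDLookup row for 4701 carries a trailing space in its Operation value, `"Disable Scheduled Task "`, so any consumer that matches Operation with `==` or `in` will miss that event while every other row is trimmed; the literal should read `"Disable Scheduled Task"`. The parse-kv pattern `regex=@'{?([^<]*?)}?'` also appears to contain a single capturing group, whereas parse-kv's regex mode expects two (key, then value) — the pattern it replaces, `@'<(\\w+)>([^<]*)<'`, captured both — so it is worth confirming the query still runs against SecurityEvent and Event rows rather than failing at query time. A short comment above the parse-kv call naming the EventData layout the regex targets (XML text versus the dynamic form handled in the WindowsEvent branch) would make that intent checkable.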
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json
new file mode 100644
index 00000000000..a2877c13e19
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "ASimAuditEventVectraXDRAudit",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Vectra XDR Audit Logs Event",
+ "category": "ASIM",
+ "FunctionAlias": "ASimAuditEventVectraXDRAudit",
+ "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
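Review bot: The parser never sets EventCount, which the sibling parsers in this commit (ASimAuditEventMicrosoftWindowsEvents, vimAuditEventBarracudaWAF) populate with `EventCount = int(1)`; adding it to the first extend keeps the schema consistent across the union in ASimAuditEvent. `source_ip_s` is renamed to Dvc, but Dvc in ASIM identifies the reporting device; if this column is the address the acting user connected from, it belongs in `SrcIpAddr` (with the `Src`/`IpAddr` aliases), and without it the filtering parser's srcipaddr_has_any_prefix parameter can never match Vectra rows — confirm the column's meaning against the connector. ActorUsernameType is hard-coded to "UPN" while ActorUsername is taken from username_s unchecked; deriving it, e.g. `ActorUsernameType = iff(ActorUsername contains "@", "UPN", "Simple")`, avoids labelling short names as UPNs.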
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/README.md
new file mode 100644
index 00000000000..1005b443ef8
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/README.md
@@ -0,0 +1,18 @@
+# Vectra ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Vectra.
+
+This ASIM parser supports normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventVectraXDRAudit%2FASimAuditEventVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventVectraXDRAudit%2FASimAuditEventVectraXDRAudit.json)
diff --git a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
index a283b752c7d..0bf4ba63e0f 100644
--- a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
@@ -58,6 +58,66 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventBarracudaWAF",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventCiscoISE",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventCiscoMeraki",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@@ -98,6 +158,26 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventVectraXDRAudit",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@@ -138,6 +218,66 @@
}
}
},
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventBarracudaWAF",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventCiscoISE",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventCiscoMeraki",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
@@ -197,6 +337,26 @@
}
}
}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventVectraXDRAudit",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
}
],
"outputs": {}
diff --git a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
index 988230b7fec..e4fc3534ff3 100644
--- a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
@@ -35,7 +35,7 @@
"displayName": "Audit event ASIM filtering parser.",
"category": "ASIM",
"FunctionAlias": "imAuditEvent",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))\n",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False"
}
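Review bot: The two new union members for CiscoISE and VectraXDRAudit test for `'ExcludeASimAuditEventCiscoISE'` and `'ExcludeASimAuditEventVectraXDRAudit'`, but DisabledParsers is built only from watchlist rows whose SearchKey is 'ExcludevimAuditEvent', and every other member of this filtering parser — including the CiscoMeraki and BarracudaWAF entries added on the same line — checks an `ExcludevimAuditEvent…` value. As written, a workspace that disables those two sources under the vim naming still receives their events, with nothing to indicate why. Change them to `'ExcludevimAuditEventCiscoISE'` and `'ExcludevimAuditEventVectraXDRAudit'`. Separately, the union calls the ASim (non-filtering) parsers even though the commit also ships vimAuditEventCiscoMeraki, vimAuditEventBarracudaWAF, vimAuditEventCiscoISE and vimAuditEventVectraXDRAudit, so the starttime/endtime/srcipaddr_has_any_prefix parameters declared in functionParameters are not forwarded to the sources; this follows the pre-existing entries, so it may be deliberate, but it deserves a comment in the query.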
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/README.md
new file mode 100644
index 00000000000..6144e7a853b
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/README.md
@@ -0,0 +1,18 @@
+# Barracuda WAF ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Barracuda WAF.
+
+This ASIM parser supports normalizing Barracuda WAF to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventBarracudaWAF%2FvimAuditEventBarracudaWAF.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventBarracudaWAF%2FvimAuditEventBarracudaWAF.json)
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json
new file mode 100644
index 00000000000..6f496a385fe
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventBarracudaWAF/vimAuditEventBarracudaWAF.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimAuditEventBarracudaWAF",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Barracuda WAF",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventBarracudaWAF",
+ "query": "let barracudaSchema = datatable(\n LogType_s: string,\n UnitName_s: string,\n EventName_s: string,\n DeviceReceiptTime_s: string,\n ChangeType_s: string,\n CommandName_s: string,\n Severity_s: string,\n LoginIP_s: string,\n NewValue_s: string,\n HostIP_s: string,\n host_s: string,\n OldValue_s: string,\n EventMessage_s: string,\n AdminName_s: string,\n ObjectType_s: string,\n ObjectName_s: string,\n TimeTaken_d: real,\n _ResourceId: string,\n RawData: string,\n SourceIP: string,\n Message: string,\n Computer: string,\n MG: string,\n ManagementGroupName: string,\n TenantId: string,\n SourceSystem: string,\n TimeGenerated: datetime\n)[];\nlet EventTypeLookup = datatable (\n ChangeType_s: string,\n EventType_lookup: string\n)\n [\n \"SET\", \"Set\",\n \"ADD\", \"Create\",\n \"DEL\", \"Delete\",\n \"NONE\", \"Other\",\n \"\", \"Other\"\n];\nlet SeverityLookup = datatable (severity: int, EventSeverity: string)\n [\n 0, \"High\", \n 1, \"High\", \n 2, \"High\", \n 3, \"Medium\",\n 4, \"Low\",\n 5, \"Low\", \n 6, \"Informational\",\n 7, \"Informational\" \n];\nlet ObjectTypeLookup = datatable (ObjectType_s: string, ObjectType: string)[\n \"global\", \"Other\",\n \"Services\", \"Service\",\n \"web_firewall_policy\", \"Policy Rule\",\n \"service\", \"Service\",\n \"json_url_profile\", \"Other\",\n \"server\", \"Service\",\n \"header_acl\", \"Directory Service Object\",\n \"virtual_ip_config_address\", \"Configuration Atom\",\n \"aps_req_rewrite_policy\", \"Policy Rule\",\n \"aps_url_acl\", \"Directory Service Object\",\n \"websocket_security_policy\", \"Policy Rule\",\n \"aps_ftp_acl\", \"Directory Service Object\",\n \"user_system_ip\", \"Configuration Atom\",\n \"syslog_server\", \"Service\",\n \"attack_action\", \"Configuration Atom\",\n \"global_adr\", \"Configuration Atom\",\n \"aps_content_protection\", \"Other\"\n];\nlet parser = (\n disabled: bool=false,\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: 
dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n eventresult: string='*',\n newvalue_has_any: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]))\n {\n let BarracudaCustom = \n union isfuzzy=true\n barracudaSchema,\n barracuda_CL\n | where not(disabled) \n and LogType_s == \"AUDIT\" \n and EventName_s !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\")\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(LoginIP_s, srcipaddr_has_any_prefix))\n | extend\n Operation = CommandName_s,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue_s has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', EventMessage_s) with * \"Reason=\" Reason:string\n | extend Reason = trim(@'(\")', Reason)\n | extend\n EventResultDetails = Reason\n | lookup EventTypeLookup on ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(Severity_s)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = UnitName_s,\n DvcIpAddr = HostIP_s,\n NewValue = NewValue_s,\n SrcIpAddr = LoginIP_s,\n EventMessage = EventMessage_s,\n OldValue = OldValue_s,\n DvcHostname = host_s,\n ActorUsername = AdminName_s,\n Object = ObjectName_s,\n EventStartTime = iff(isnotempty(TimeTaken_d), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)-tolong(TimeTaken_d)), unixtime_milliseconds_todatetime(tolong(DeviceReceiptTime_s)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = 
iff(isnotempty(ActorUsername), \"Simple\", \"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n *_d,\n *_s,\n EventType_lookup,\n Reason,\n _ResourceId,\n severity,\n RawData,\n SourceIP,\n Message,\n Computer,\n MG,\n ManagementGroupName,\n TenantId,\n SourceSystem;\n let BarracudaCEF = \n CommonSecurityLog\n | where not(disabled) and DeviceVendor startswith \"Barracuda\" and (DeviceProduct == \"WAF\" or DeviceProduct == \"WAAS\")\n | where DeviceEventCategory == \"AUDIT\" \n and (toupper(ProcessName) !in (\"LOGIN\", \"LOGOUT\", \"UNSUCCESSFUL_LOGIN\"))\n | where (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n | extend\n Operation = ProcessName,\n EventResult = \"Success\"\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or DeviceCustomString1 has_any (newvalue_has_any))\n | parse trim(@'[^\\w(\")]+', Message) with * \"Reason=\" Reason:string \n | extend Reason = trim(@'(\")', Reason)\n | extend \n EventResultDetails = Reason\n | lookup EventTypeLookup on $left.EventOutcome == $right.ChangeType_s\n | extend EventType = EventType_lookup\n | where array_length(eventtype_in) == 0 or EventType in (eventtype_in)\n | extend \n severity = toint(LogSeverity)\n | lookup SeverityLookup on severity\n | lookup ObjectTypeLookup on $left.FileType == $right.ObjectType_s\n | extend\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventVendor = \"Barracuda\",\n EventProduct = \"WAF\",\n EventCount = toint(1)\n | extend\n Dvc = DeviceName, \n Operation = 
ProcessName,\n DvcIpAddr = DeviceAddress,\n NewValue = DeviceCustomString1,\n SrcIpAddr = SourceIP,\n EventMessage = Message,\n OldValue = DeviceCustomString2,\n DvcHostname = DeviceName,\n ActorUsername = DestinationUserName,\n Object = FileName,\n ThreatConfidence = toint(ThreatConfidence),\n EventStartTime = iff(isnotempty(FlexNumber2), unixtime_milliseconds_todatetime(tolong(ReceiptTime)-tolong(FlexNumber2)), unixtime_milliseconds_todatetime(tolong(ReceiptTime)))\n | extend\n Src = SrcIpAddr,\n ActorUsernameType = iff(isnotempty(ActorUsername),\"Simple\",\"\"),\n ActorUserType = iff(isnotempty(ActorUsername), \"Admin\", \"\"),\n User = ActorUsername,\n Value = NewValue,\n EventEndTime = EventStartTime\n | extend\n IpAddr = SrcIpAddr,\n ValueType = iff(isnotempty(Value),\"Other\",\"\")\n | project-away\n EventType_lookup,\n ThreatConfidence,\n CommunicationDirection,\n AdditionalExtensions,\n Device*,\n Source*,\n Destination*,\n Activity,\n LogSeverity,\n ApplicationProtocol,\n ProcessID,\n ExtID,\n Protocol,\n Reason,\n ReceiptTime,\n SimplifiedDeviceAction,\n OriginalLogSeverity,\n ProcessName,\n EndTime,\n ExternalID,\n File*,\n ReceivedBytes,\n Message,\n Old*,\n EventOutcome,\n Request*,\n StartTime,\n Field*,\n Flex*,\n Remote*,\n Malicious*,\n severity,\n ThreatSeverity,\n IndicatorThreatType,\n ThreatDescription,\n _ResourceId,\n SentBytes,\n ReportReferenceLink,\n Computer,\n TenantId;\n union isfuzzy = true \n BarracudaCustom,\n BarracudaCEF\n };\n parser(\n disabled=disabled,\n starttime=starttime,\n endtime=endtime,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n eventtype_in=eventtype_in,\n eventresult=eventresult,\n newvalue_has_any=newvalue_has_any,\n operation_has_any=operation_has_any\n )",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',newvalue_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([])"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
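Review bot: In the BarracudaCEF branch the closing project-away lists `Old*`, which matches the normalized `OldValue` assigned a few pipes earlier from DeviceCustomString2 and not only the CommonSecurityLog OldFile* columns it is presumably meant to drop, so CEF rows reach the union without OldValue while custom-table rows keep it; narrowing the pattern to `OldFile*,` fixes that. `ThreatConfidence = toint(ThreatConfidence)` in the same branch is computed and then immediately removed by the project-away, so that extend can go. In both branches EventResult is the constant "Success", which means the `eventresult` filter parameter can only return everything or nothing; if the AUDIT log type has no failure outcome that is fine, but a one-line comment in the query saying so would stop the next reader from treating it as a defect.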
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/README.md
new file mode 100644
index 00000000000..94af9bbc8b5
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/README.md
@@ -0,0 +1,18 @@
+# Cisco ISE ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Cisco ISE.
+
+This ASIM parser supports normalizing administrative activity in the Cisco ISE events to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoISE%2FvimAuditEventCiscoISE.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoISE%2FvimAuditEventCiscoISE.json)
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json
new file mode 100644
index 00000000000..67a6342fc9d
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoISE/vimAuditEventCiscoISE.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimAuditEventCiscoISE",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM filtering parser for Cisco ISE",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventCiscoISE",
+ "query": "let EventFieldsLookup=datatable(\nEventOriginalType: int,\nEventType: string,\nEventResult: string,\nEventOriginalSeverity: string,\nEventSeverity: string,\nObject: string,\nOperation: string,\nEventMessage: string\n)[\n\"52000\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Added configuration\", \"Added configuration\",\n\"52001\", \"Set\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Changed configuration\", \"Changed configuration\",\n\"52002\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deleted configuration\", \"Deleted configuration\",\n\"52003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deregister Node\", \"One of the ISE instances in the deployment has been de-registered.\",\n\"52004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Register Node\", \"A new ISE instance has been registered and has joined the deployment.\",\n\"52005\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Activate Node\", \"An ISE instance has been activated to receive updates from the Primary node.\",\n\"52006\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Deactivate ISE Node\", \"An ISE instance has been deactivated and will no longer receive updates from the Primary node.\",\n\"52007\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Force Full replication\", \"A Force Full replication has been issued for an ISE instance.\",\n\"52008\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Replacement Register Handler\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52009\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Promote Node\", \"A Secondary node has been promoted to be the Primary node of the deployment.\",\n\"52013\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE 
instance\", \"Hardware Replacement\", \"A new ISE instance has joined the deployment through hardware replacement.\",\n\"52015\", \"Enable\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Target\", \"Enable LogCollector Target\", \"Enable the deployment Log Collector target.\",\n\"52016\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"LogCollector Node\", \"Select LogCollector Node\", \"The Log Collector node for the deployment has been selected.\",\n\"52017\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Apply software update\", \"Apply a software update to the selected ISE instances.\",\n\"52030\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Full replication succeeded\", \"Full replication was completed successfully\",\n\"52031\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Full replication failed\", \"Failed to complete full replication\",\n\"52033\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"Registration with the primary node was completed successfully\",\n\"52035\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"Failed to perform the full replication requested by the primary instance\",\n\"52038\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Registration succeeded\", \"The ISE instance was successfully joined to a distributed ISE deployment\",\n\"52039\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Registration failed\", \"The ISE instance was unable to join a distributed deployment\",\n\"52042\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Primary instance\", \"Demotion succeeded\", \"Demotion of the existing primary instance was completed successfully\",\n\"52043\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Primary instance\", \"Demotion failed\", \"Demotion of the existing primary 
instance failed\",\n\"52045\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Secondary instance\", \"Promotion succeeded\", \"Promotion of the secondary instance was completed successfully\",\n\"52046\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Secondary instance\", \"Promotion failed\", \"Promotion of a secondary instance failed\",\n\"52072\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", \"Deregister succeeded\", \"Deregistration was completed successfully\",\n\"52073\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Deregister failed\", \"Deregistration failed\",\n\"52078\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the deployment\",\n\"52079\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary instance\", \"Delete node succeeded\", \"The ISE primary instance successfully deleted the secondary instance in inactive mode\",\n\"52080\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Delete node failed\", \"Failed to delete the ISE secondary instance in inactive mode from the primary instance\",\n\"52082\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary instance\", \"Backup failed\", \"An immediate backup for the secondary instance failed\",\n\"52084\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE primary instance\", \"Backup succeeded\", \"An immediate backup for the primary instance was completed successfully\",\n\"52085\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE primary instance\", \"Backup failed\", \"An immediate backup for the primary failed\",\n\"52091\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Update bundle\", \"Software update failed\", \"Software update download of update bundle failed\",\n\"52092\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE instance\", 
\"Software update succeeded\", \"The software update was completed successfully\",\n\"52093\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE instance\", \"Software update failed\", \"The software update failed\",\n\"57000\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Log file(s)\", \"Deleted rolled-over local log file(s)\", \"Deleted rolled-over local log file(s)\",\n\"58001\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process started\", \"An ISE process has started\",\n\"58002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process stopped\", \"An ISE process has stopped\",\n\"58003\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes started\", \"All ISE processes have started\",\n\"58004\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE processes\", \"ISE processes stopped\", \"All ISE processes have stopped\",\n\"58005\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE process\", \"ISE process was restarted by watchdog service\", \"The watchdog service has restarted an ISE process\",\n\"60000\", \"Install\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch installation completed successfully on the node\", \"Patch installation completed successfully on the node\",\n\"60001\", \"Install\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch installation failed on the node\", \"Patch installation failed on the node\",\n\"60002\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Patch rollback completed successfully on the node\", \"Patch rollback completed successfully on the node\",\n\"60003\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Patch rollback failed on the node\", \"Patch rollback failed on the node\",\n\"60050\", \"Create\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node added to deployment successfully\", \"Node added to deployment 
successfully\",\n\"60051\", \"Create\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to add node to deployment\", \"Failed to add node to deployment\",\n\"60052\", \"Delete\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node removed from deployment\", \"Node removed from deployment\",\n\"60053\", \"Delete\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to remove node from deployment\", \"Failed to remove node from deployment\",\n\"60054\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node updated successfully\", \"Node updated successfully\",\n\"60055\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Node\", \"Failed to update node\", \"Failed to update node\",\n\"60056\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Cluster\", \"The runtime status of the node group has changed\", \"There is a change in the cluster state\",\n\"60057\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"PSN node\", \"A PSN node went down\", \"One of the PSN nodes in the node group has gone down\",\n\"60058\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Heartbeat System\", \"The initial status of the heartbeat system\", \"The initial status of the heartbeat system\",\n\"60059\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Node\", \"Node has successfully registered with MnT\", \"Node has successfully registered with MnT\",\n\"60060\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\", \"The ISE Administrator invoked OCSP Clear Cache operation for all Policy Service nodes\",\n\"60061\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"Policy Service nodes\", \"OCSP Clear Cache operation completed successfully\", \"OCSP Clear Cache operation completed successfully on all Policy Service nodes\",\n\"60062\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"Policy Service nodes\", 
\"OCSP Clear Cache operation terminated with error\", \"OCSP Clear Cache clear operation terminated with error on one or more Policy Service nodes\",\n\"60063\", \"Other\", \"Success\", \"NOTICE\", \"Informational\", \"ISE secondary node\", \"Replication to node completed successfully\", \"Replication of data to secondary node completed successfully\",\n\"60064\", \"Other\", \"Failure\", \"NOTICE\", \"Low\", \"ISE secondary node\", \"Replication to node failed\", \"Replication of data to secondary node failed\",\n\"60068\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - manual download initiated\", \"The Profiler Feed Service has begun the check and download of new and/or updated Profiles in response to Administrator's request\",\n\"60069\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - Profiles Downloaded\", \"The Profiler Feed Service has downloaded new and/or updated Profiles\",\n\"60070\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Profiler Feed Service\", \"Profiler Feed Service - No Profiles Downloaded\", \"The Profiler Feed Service found no new and/or updated Profiles to download\",\n\"60083\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"Syslog Server\", \"Syslog Server configuration change\", \"Syslog Server configuration change has occurred\",\n\"60084\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI user\", \"ADEOS CLI user configuration change\", \"Configuration change occurred for ADEOS CLI user\",\n\"60085\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS Repository\", \"ADEOS Repository configuration change\", \"Configuration change occurred for ADEOS repository\",\n\"60086\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SSH Service\", \"ADEOS SSH Service configuration change\", \"Configuration change occurred for ADEOS SSH Service\",\n\"60087\", \"Set\", \"Success\", 
\"INFO\", \"Informational\", \"ADEOS Maximum SSH CLI sessions\", \"ADEOS Maximum SSH CLI sessions configuration change\", \"Configuration change occurred for ADEOS Maximum CLI sessions\",\n\"60088\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS SNMP agent\", \"ADEOS SNMP agent configuration change\", \"Configuration change occurred for ADEOS SNMP agent\",\n\"60089\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler policy configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler policy\",\n\"60090\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI kron scheduler\", \"ADEOS CLI kron scheduler occurence configuration change\", \"Configuration change occurred for ADEOS CLI kron scheduler occurence\",\n\"60091\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI pre-login banner\", \"ADEOS CLI pre-login banner configuration change\", \"Configuration change occurred for ADEOS CLI pre-login banner\",\n\"60092\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ADEOS CLI post-login banner\", \"ADEOS CLI post-login banner configuration change\", \"Configuration change occurred for ADEOS CLI post-login banner\",\n\"60094\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Backup has completed successfully\", \"ISE Backup has completed successfully\",\n\"60095\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Backup has failed\", \"ISE Backup has failed\",\n\"60097\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Log Backup has completed successfully\", \"ISE Log Backup has completed successfully\",\n\"60098\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Log Backup has failed\", \"ISE Log Backup has failed\",\n\"60100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE Restore has completed successfully\", \"ISE 
Restore has completed successfully\",\n\"60101\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE Restore has failed\", \"ISE Restore has failed\",\n\"60102\", \"Install\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application installation completed successfully\", \"Application installation completed successfully\",\n\"60103\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application installation failed\", \"Application installation failed\",\n\"60105\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application remove completed successfully\", \"Application remove completed successfully\",\n\"60106\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application remove failed\", \"Application remove failed\",\n\"60107\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application upgrade failed\", \"Application upgrade failed\",\n\"60111\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application patch remove has completed successfully\", \"Application patch remove has completed successfully\",\n\"60112\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch remove has failed\", \"Application patch remove has failed\",\n\"60113\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server reload has been initiated\", \"ISE server reload has been initiated\",\n\"60114\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE server\", \"ISE server shutdown has been initiated\", \"ISE server shutdown has been initiated\",\n\"60118\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used delete CLI to delete file\", \"ADEOS CLI user has used delete CLI to delete file\",\n\"60119\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"File\", \"ADEOS CLI user has used copy CLI to copy file\", \"ADEOS CLI user has used copy CLI 
to copy file\",\n\"60120\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"Directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\", \"ADEOS CLI user has used mkdir CLI to create a directory\",\n\"60121\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied out running system configuration\", \"ADEOS CLI user has copied out running system configuration\",\n\"60122\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has copied in system configuration\", \"ADEOS CLI user has copied in system configuration\",\n\"60123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"System Config\", \"ADEOS CLI user has saved running system configuration\", \"ADEOS CLI user has saved running system configuration\",\n\"60126\", \"Install\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Application patch installation failed\", \"Application patch installation failed\",\n\"60128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file in from ADEOS CLI\", \"Failure occurred trying to copy file in from ADEOS CLI\",\n\"60129\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"File\", \"Failure occurred trying to copy file out from ADEOS CLI\", \"Failure occurred trying to copy file out from ADEOS CLI\",\n\"60130\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE Backup\", \"ISE Scheduled Backup has been configured\", \"ISE Scheduled Backup has been configured\",\n\"60131\", \"Create\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been created from web UI\", \"ISE Support bundle has been created from web UI\",\n\"60132\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE Support bundle\", \"ISE Support bundle has been deleted from web UI\", \"ISE Support bundle has been deleted from web UI\",\n\"60133\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE Support 
bundle\", \"ISE Support bundle generation from web UI has failed\", \"ISE Support bundle generation from web UI has failed\",\n\"60153\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Certificate\", \"Certificate has been exported\", \"Certificate has been exported\",\n\"60166\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate will expire soon\", \"Certificate Expiration warning\",\n\"60167\", \"Other\", \"\", \"WARN\", \"Informational\", \"Certificate\", \"Certificate has expired\", \"Certificate has expired\",\n\"60172\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Alarm(s) has/have been acknowledged\", \"These alarms are acknowledged and will not be displayed on the Dashboard\",\n\"60173\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Outdated alarms are purged\", \"Only latest 15000 alarms would be retained and rest of them are purged\",\n\"60187\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Application upgrade succeeded\", \"Application upgrade succeeded\",\n\"60189\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Terminal Session timeout has been modified\", \"Configuration change occurred for ADEOS CLI Terminal Session timeout\",\n\"60193\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"RSA key configuration has been modified\", \"Configuration change occurred for ADEOS CLI RSA key\",\n\"60194\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Host key configuration has been modified\", \"Configuration change occurred for ADEOS CLI host key\",\n\"60197\", \"Disable\", \"Success\", \"NOTICE\", \"Informational\", \"Certificate\", \"Revoked ISE CA issued Certificate.\", \"Certificate issued to Endpoint by ISE CA is revoked by Administrator\",\n\"60198\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"MnT\", \"MnT purge event occurred\", \"MnT purge event 
occurred\",\n\"60199\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"An IP-SGT mapping was deployed successfully\", \"An IP-SGT mapping was deployed successfully to a TrustSec device\",\n\"60200\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"An IP-SGT mapping has failed deploying\", \"An IP-SGT mapping has failed deploying to a TrustSec device\",\n\"60201\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"IP-SGT deployment to TrustSec device was successful\", \"IP-SGT deployment to TrustSec device was successful\",\n\"60202\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"IP-SGT deployment to TrustSec device failed\", \"IP-SGT deployment to TrustSec device failed\",\n\"60207\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Logging loglevel configuration has been modified\", \"Configuration change occurred for ADEOS CLI logging loglevel\",\n\"60208\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Root CA certificate has been replaced\", \"Root CA certificate has been replaced\",\n\"60209\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service enabled\", \"CA service enabled\",\n\"60210\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"CA service\", \"CA service disabled\", \"CA service disabled\",\n\"60213\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were replaced by import operation\", \"CA keys were replaced by import operation\",\n\"60214\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"CA keys were exported\", \"CA keys were exported\",\n\"60215\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs were marked expired\", \"Endpoint certs were marked expired by daily scheduled job\",\n\"60216\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Endpoint certs 
were purged\", \"Endpoint certs were purged by daily scheduled job\",\n\"60451\", \"Enable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is enabled on this deployment\", \"Telemetry is enabled on this deployment\",\n\"60452\", \"Disable\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Telemetry is disabled on this deployment\", \"Telemetry is disabled on this deployment\",\n\"61002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SGT from IEPG\", \"ISE has learned a new SGT from IEPG\",\n\"61003\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new EEPG to APIC\", \"ISE has propagated a new EEPG to APIC.\",\n\"61004\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SXP mapping from APIC endpoint\", \"ISE has learned a new SXP mapping from APIC endpoint\",\n\"61005\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\", \"ISE has propagated a new endpoint(SXP mapping) to APIC\",\n\"61006\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SGT\", \"ISE has removed an SGT due to deleted IEPG\", \"ISE has removed an SGT due to deleted IEPG\",\n\"61007\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed EEPG from APIC due to SGT deletion\", \"ISE has removed EEPG from APIC due to SGT deletion\",\n\"61008\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\", \"ISE has removed an SXP mapping due to endpoint deletion on APIC\",\n\"61009\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\", \"ISE has removed endpoint APIC due to SXP mapping removal a new SXP mapping to APIC\",\n\"61016\", 
\"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EPG subscriber against APIC\", \"ISE failed to refresh EPG subscriber against APIC\",\n\"61017\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh endpoint subscriber against APIC\", \"ISE failed to refresh endpoint subscriber against APIC\",\n\"61018\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh EEPG subscriber against APIC\", \"ISE failed to refresh EEPG subscriber against APIC\",\n\"61020\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\", \"ISE failed to refresh L3EXTOUT subscriber against APIC\",\n\"61022\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to propagate SGT to EEPG\", \"ISE has failed to propagate SGT to EEPG\",\n\"61023\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to learn IEPG from APIC\", \"ISE has failed to learn IEPG from APIC\",\n\"61024\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"ISE has failed to parse VRF for EPG\", \"ISE has failed to parse VRF for EPG\",\n\"61030\", \"Other\", \"Failure\", \"INFO\", \"Low\", \"ISE instance\", \"TrustSec deploy verification was canceled.\", \"TrustSec deployment verification process was canceled as a new TrustSec deploy started.\",\n\"61033\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"TrustSec deployment verification process succeeded.\", \"ISE trustsec configuration was successfully deployed to all network access devices.\",\n\"61034\", \"Other\", \"\", \"INFO\", \"Low\", \"ISE instance\", \"Maximum resource limit reached.\", \"Maximum resource limit reached.\",\n\"61051\", \"Set\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Synflood-limit configured\", \"Synflood-limit configured\",\n\"61052\", \"Set\", \"Success\", \"INFO\", 
\"Informational\", \"ISE instance\", \"Rate-limit configured\", \"Rate-limit configured\",\n\"61100\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from ACI\", \"ISE has learned a new tenant from ACI\",\n\"61101\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"ISE has removed ACI tenant\", \"ISE has removed ACI tenant\",\n\"61102\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn new tenant from ACI in ISE\", \"Failed to learn new tenant from ACI in ISE\",\n\"61103\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to remove ACI tenant in ISE\", \"Failed to remove ACI tenant in ISE\",\n\"61104\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new tenant from SDA\", \"ISE has learned a new tenant from SDA\",\n\"61105\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new VN info\", \"IISE has learned a new VN info\",\n\"61106\", \"Create\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to create VN info in ISE\", \"Failed to create VN info in ISE\",\n\"61107\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"VN info is updated in ISE\", \"VN info is updated in ISE\",\n\"61108\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to update VN info in ISE\", \"Failed to update VN info in ISE\",\n\"61109\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI tenant\", \"VN info is deleted in ISE\", \"VN info is deleted in ISE\",\n\"61110\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to deleted VN info in ISE\", \"Failed to deleted VN info in ISE\",\n\"61111\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration process failed\", \"Domain registration process failed\",\n\"61114\", \"Other\", \"Success\", \"INFO\", 
\"Informational\", \"ISE instance\", \"Domain registration completed successfully\", \"Domain registration completed successfully\",\n\"61115\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Domain registration failed\", \"Domain registration failed\",\n\"61116\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Unable to store ACI certificate\", \"Unable to store ACI certificate\",\n\"61117\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI connector\", \"ACI connector started successfully\", \"ACI connector started successfully\",\n\"61118\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ACI connector\", \"Failed to start ACI connector\", \"Failed to start ACI connector\",\n\"61120\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI certificate\", \"Successfully deleted ACI certificate from ISE\", \"Successfully deleted ACI certificate from ISE\",\n\"61121\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI certificate\", \"Failed to delete ACI certificate from ISE\", \"Failed to delete ACI certificate from ISE\",\n\"61122\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI keystore\", \"Failed to delete ACI keystore\", \"Failed to delete ACI keystore\",\n\"61123\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new ACI domain\", \"ISE has learned a new ACI domain\",\n\"61124\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new ACI domain\", \"Failed to learn a new ACI domain\",\n\"61125\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"ACI domain\", \"ISE has removed ACI domain\", \"ISE has removed ACI domain\",\n\"61126\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"ACI domain\", \"Failed to remove ACI domain\", \"Failed to remove ACI domain\",\n\"61127\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE has learned a new SDA domain\", \"ISE has learned a new SDA 
domain\",\n\"61128\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to learn a new SDA domain\", \"Failed to learn a new SDA domain\",\n\"61129\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SDA domain\", \"ISE has removed SDA domain\", \"ISE has removed SDA domain\",\n\"61130\", \"Delete\", \"Failure\", \"ERROR\", \"Low\", \"SDA domain\", \"Failed to remove SDA domain\", \"Failed to remove SDA domain\",\n\"61158\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed in receiving SDA SXP configuration\", \"ISE failed in receiving SDA SXP configuration\",\n\"61160\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"ISE failed to publish Gateway advertisement message to ACI\", \"ISE failed to publish Gateway advertisement message to ACI\",\n\"61161\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"ISE learned new SXP Listener\", \"ISE learned new SXP Listener\",\n\"61162\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates VN defined for SXP Listener\", \"ISE updates VN defined for SXP Listener\",\n\"61163\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE learned new VN defined for SXP Listener\", \"ISE learned new VN defined for SXP Listener\",\n\"61164\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE updates SXP Listener\", \"ISE updates SXP Listener\",\n\"61165\", \"Delete\", \"Success\", \"INFO\", \"Informational\", \"SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\", \"ISE removed all SXP connections related to SXP Listener\",\n\"61166\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ACI\", \"ACI published Gateway advertisement message to SDA\", \"ACI published Gateway advertisement message to SDA\",\n\"61167\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Send ACI Gateway advertisement message to ISE\", 
\"Send ACI Gateway advertisement message to ISE\",\n\"61168\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Failed to send ACI Gateway advertisement message to ISE\", \"Failed to send ACI Gateway advertisement message to ISE/SDA\",\n\"61169\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Successfully Send ACI Gateway advertisement message\", \"Successfully Send ACI Gateway advertisement message\",\n\"61234\", \"Other\", \"Success\", \"WARN\", \"Informational\", \"ISE instance\", \"Got event with unknown properties\", \"Got event with unknown properties\",\n\"62000\", \"Execute\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script execute completed\", \"Agentless script execute completed\",\n\"62001\", \"Execute\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script execute failed\", \"Agentless script execute failed\",\n\"62002\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Agentless script upload completed\", \"Agentless script upload completed\",\n\"62003\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"ISE instance\", \"Agentless script upload failed\", \"Agentless script upload failed\",\n\"61300\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Network Access policy request\", \"Network Access policy request\",\n\"61301\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Device Admin policy request\", \"Device Admin policy request\",\n\"61302\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Policy component request\", \"Policy component request\",\n\"60467\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"OCSP Certificate renewal failed\", \"OCSP Certificate renewal failed.\",\n\"60468\", \"Other\", \"Failure\", \"ERROR\", \"Low\", \"ISE instance\", \"Root CA Regeneration failed\", \"Regeneration of Root CA failed.\",\n\"62008\", \"Other\", 
\"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service starts\", \"Meraki connector sync service starts\",\n\"62009\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync service stops\", \"Meraki connector sync service stops\",\n\"62010\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync service failure\", \"Meraki connector sync service failure\",\n\"62011\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle starts\", \"Meraki connector sync cycle starts\",\n\"62012\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync cycle stops\", \"Meraki connector sync cycle stops\",\n\"62013\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync cycle failure\", \"Meraki connector sync cycle failure\",\n\"62014\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"Meraki connector\", \"Meraki connector sync operation success\", \"Meraki connector sync operation success\",\n\"62015\", \"Other\", \"Failure\", \"WARN\", \"Low\", \"Meraki connector\", \"Meraki connector sync operation failure\", \"Meraki connector sync operation failure\",\n\"62016\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Port 2484 opened for Data Connect\", \"Port 2484 opened for Data Connect\",\n\"62017\", \"Other\", \"Success\", \"INFO\", \"Informational\", \"ISE instance\", \"Data Connect port 2484 closed\", \"Data Connect port 2484 closed\"\n];\nlet CiscoISEAuditParser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null),\n srcipaddr_has_any_prefix: dynamic=dynamic([]), \n eventresult: string='*',\n actorusername_has_any: dynamic=dynamic([]),\n eventtype_in: dynamic=dynamic([]),\n operation_has_any: dynamic=dynamic([]),\n object_has_any: dynamic=dynamic([]),\n newvalue_has_any: 
dynamic=dynamic([]),\n disabled: bool = false\n) {\nlet EventOriginalTypeList = toscalar(EventFieldsLookup \n | where (eventresult == \"*\" or eventresult == EventResult)\n and (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | summarize make_set(EventOriginalType));\nSyslog\n| where not(disabled)\n//***************************** **************************\n| where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n//***************************** *************************\n| where ProcessName has_any (\"CISE\", \"CSCO\")\n| parse SyslogMessage with * \" \" longvalue:long \" \" EventOriginalType:int \" \" *\n| where EventOriginalType in (EventOriginalTypeList)\n| where \n (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SyslogMessage, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or SyslogMessage has_any (actorusername_has_any))\n and (array_length(operation_has_any) == 0 or SyslogMessage has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or SyslogMessage has_any (newvalue_has_any))\n| project\n TimeGenerated,\n EventTime,\n EventOriginalType,\n Computer,\n HostName,\n HostIP,\n SyslogMessage\n| lookup EventFieldsLookup on EventOriginalType\n| parse-kv SyslogMessage as (NetworkDeviceName: string, ['User-Name']: string, UserName: string, User: string, ['Remote-Address']: string, ['Device IP Address']: string) with (pair_delimiter=',', kv_delimiter='=')\n| project-rename\n SrcIpAddr=['Remote-Address']\n , TargetIpAddr =['Device IP Address']\n| where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix))\n| extend DvcHostname = coalesce(NetworkDeviceName, Computer, HostName)\n| extend ActorUsername = coalesce(['User-Name'], UserName, User)\n| extend ActorUsernameType = _ASIM_GetUsernameType(ActorUsername) 
\n| where (array_length(actorusername_has_any) == 0 or ActorUsername has_any (actorusername_has_any))\n| extend \n DvcIpAddr = iif(isnotempty(HostIP) and HostIP != \"Unknown IP\", HostIP, extract(@\"(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\", 1, Computer)) \n , EventStartTime = coalesce(EventTime, TimeGenerated)\n , EventEndTime = coalesce(EventTime, TimeGenerated)\n , EventVendor = \"Cisco\"\n , EventProduct = \"ISE\"\n , EventProductVersion = \"3.2\"\n , EventCount = int(1)\n , EventSchema = \"AuditEvent\"\n , EventSchemaVersion = \"0.1.0\"\n , ObjectType = \"Configuration Atom\"\n , TargetAppName = \"ISE\"\n , TargetAppType = \"Service\"\n// ***************** ********************\n| extend \n Dvc = coalesce(DvcIpAddr, DvcHostname)\n , Application = TargetAppName\n , IpAddr = coalesce(SrcIpAddr, TargetIpAddr)\n , Dst = TargetIpAddr\n , Src = SrcIpAddr\n , User = ActorUsername\n// ***************** *******************\n| project-away\n EventTime,\n Computer,\n HostName,\n SyslogMessage,\n NetworkDeviceName,\n ['User-Name'],\n UserName\n};\nCiscoISEAuditParser(\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)",
+ "version": 1,
+ "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/README.md
new file mode 100644
index 00000000000..7b55960b509
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/README.md
@@ -0,0 +1,18 @@
+# Cisco Meraki ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Cisco Meraki.
+
+This ASIM parser supports normalizing Cisco Meraki logs to the ASIM Audit Event normalized schema. Cisco Meraki events are generated from network activity and security events from Meraki devices such as firewalls, switches, and access points. These logs are captured through the Cisco Meraki Sentinel connector which uses a Linux agent to collect logs in Syslog format.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoMeraki%2FvimAuditEventCiscoMeraki.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventCiscoMeraki%2FvimAuditEventCiscoMeraki.json)
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json
new file mode 100644
index 00000000000..30796225cc8
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventCiscoMeraki/vimAuditEventCiscoMeraki.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimAuditEventCiscoMeraki",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for Cisco Meraki",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventCiscoMeraki",
+ "query": "let EventFieldsLookup = datatable(TempOperation: string, Operation: string, EventResult: string, EventType: string)\n[\n \"vpn_connectivity_change\", \"VPN connectivity change\",\"Success\", \"Set\",\n \"purging ISAKMP-SA\", \"Purging ISAKMP-SA\",\"Partial\", \"Delete\",\n \"purged ISAKMP-SA\", \"Purged ISAKMP-SA\",\"Success\", \"Delete\",\n \"ISAKMP-SA deleted\", \"ISAKMP-SA deleted\",\"Success\", \"Delete\",\n \"IPsec-SA request\", \"IPsec-SA request queued\",\"Failure\", \"Other\",\n \"failed to get sainfo\", \"Failed to get sainfo\",\"Failure\", \"Other\",\n \"failed to pre-process ph2 packet\", \"Failed to pre-process ph2 packet\",\"Failure\", \"Other\",\n \"phase2 negotiation failed\", \"Phase2 negotiation failed\",\"Failure\", \"Other\",\n \"initiate new phase 1 negotiation\", \"Initiate new phase 1 negotiation\",\"Success\", \"Initialize\",\n \"ISAKMP-SA established\", \"ISAKMP-SA established\",\"Success\", \"Create\",\n \"initiate new phase 2 negotiation\", \"Initiate new phase 2 negotiation\",\"Partial\", \"Initialize\",\n \"IPsec-SA established\", \"IPsec-SA established\",\"Success\", \"Create\",\n \"STP role\", \"Spanning-tree interface role change\",\"Success\", \"Set\",\n \"STP BPDU\", \"Spanning-tree guard state change\", \"\", \"\",\n \"VRRP transition\", \"VRRP transition\",\"Success\", \"Set\",\n \"port status change\", \"Port status change\", \"\", \"\"\n];\nlet EventSeverityLookup=datatable(EventResult: string, EventSeverity: string)[\n \"Success\", \"Informational\",\n \"Partial\", \"Informational\",\n \"Failure\", \"Low\"\n];\nlet parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\nlet allData = union isfuzzy=true\n 
(\n meraki_CL\n | project-rename LogMessage = Message\n ),\n (\n Syslog\n | where Computer in (_ASIM_GetSourceBySourceType('CiscoMeraki'))\n | project-rename LogMessage = SyslogMessage\n );\nlet PreFilteredData = allData\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime) \n and array_length(newvalue_has_any) == 0\n and array_length(object_has_any) == 0\n and array_length(actorusername_has_any) == 0\n and LogMessage has \"events\"\n and (LogMessage has_any (\"vpn_connectivity_change\", \"status changed\", \"VRRP active\", \"VRRP passive\") or LogMessage has_cs \"Site-to-site\" or LogMessage has_cs \"Port\")\n | extend Parser = extract_all(@\"(\\d+.\\d+)\\s([\\w\\-\\_]+)\\s([\\w\\-\\_]+)\\s([\\S\\s]+)$\", dynamic([1, 2, 3, 4]), LogMessage)[0]\n | extend\n Epoch = tostring(Parser[0])\n | extend EpochTimestamp = split(Epoch, \".\")\n | extend EventStartTime = unixtime_seconds_todatetime(tolong(EpochTimestamp[0]))\n | extend LogType = tostring(Parser[2]),\n Substring = tostring(Parser[3])\n | where LogType == \"events\";\nlet SiteToSiteData = PreFilteredData\n | where Substring has_cs \"Site-to-site\";\nlet SiteToSite_deleted = SiteToSiteData\n | where Substring has \"ISAKMP-SA deleted\"\n | extend TempOperation = \"ISAKMP-SA deleted\"\n | parse Substring with * \" deleted \" temp_deletedSrcIp:string \"-\" temp_deletedTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_deletedSrcIp,\n temp_targetipport = temp_deletedTargetIp;\nlet SiteToSite_negotiation = SiteToSiteData\n | where Substring has_any(\"initiate new phase 1 negotiation\", \"initiate new phase 2 negotiation\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \": \" temp_negotiationSrcIp:string \"<=>\" temp_negotiationTargetIp:string\n | extend temp_srcipport = temp_negotiationSrcIp,\n temp_targetipport = temp_negotiationTargetIp;\nlet SiteToSite_ESP = SiteToSiteData\n | where 
Substring has \"phase2 negotiation failed due to time up waiting for phase1\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" due to \" EventResultDetails \" ESP \" temp_espSrcIp:string \"->\" temp_espTargetIp:string\n | extend temp_srcipport = temp_espSrcIp,\n temp_targetipport = temp_espTargetIp;\nlet SiteToSite_tunnel = SiteToSiteData\n | where Substring has \"IPsec-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \":\" * \"Tunnel \" temp_tunnelSrcIp:string \"->\" temp_tunnelTargetIp:string \" \" temp_restmessage:string\n | extend temp_srcipport = temp_tunnelSrcIp,\n temp_targetipport = temp_tunnelTargetIp;\nlet SiteToSite_ISAKMPestablished = SiteToSiteData\n | where Substring has \"ISAKMP-SA established\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" established \" temp_estSrcIp:string \"-\" temp_estTargetIp:string \" \" temp_restmessage:string\n | extend TempOperation = strcat(TempOperation, ' ', 'established'),\n temp_srcipport = temp_estSrcIp,\n temp_targetipport = temp_estTargetIp;\nlet SiteToSite_IPsecSArequest = SiteToSiteData\n | where Substring has \"IPsec-SA request\"\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" for \" temp_forTaregtSrcIp:string \" \" * \" due to\" EventResultDetails:string\n | extend temp_targetipport = temp_forTaregtSrcIp;\nlet SiteToSite_purging = SiteToSiteData\n | where Substring has_any(\"purging ISAKMP-SA\", \"purged ISAKMP-SA\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string \" spi=\" temp_restmessage:string;\nlet SiteToSite_failed = SiteToSiteData\n | where Substring has_any (\"failed to get sainfo\", \"failed to pre-process ph2 packet\")\n | parse Substring with * \"Site-to-site VPN: \" TempOperation:string\n | extend TempOperation = tostring(split(TempOperation, ' (')[0]);\nlet VPNConnectivityChangeData = PreFilteredData\n | where Substring has \"vpn_connectivity_change\"\n | 
parse-kv Substring as (type: string, peer_contact: string, connectivity: string) with (pair_delimiter=\" \", kv_delimiter=\"=\", quote=\"'\")\n | extend type = trim('\"', type),\n connectivity = trim('\"', connectivity)\n | extend TempOperation = type,\n temp_srcipport = peer_contact;\nlet StatusChangedData = PreFilteredData\n | where Substring has \"status changed\"\n | parse Substring with * \"port \" port:string \" \" portnextpart:string\n | extend TempOperation = \"port status change\";\nlet PortData = PreFilteredData\n | where Substring has_cs \"Port\"\n | parse Substring with * \"Port \" Port1:string \" received an \" TempOperation1:string \" from \" STPMac:string \" \" temp_restmessage:string\n | parse Substring with * \"Port \" Port2:string \" changed \" TempOperation2:string \" from \" PortNextPart:string\n | extend Port = coalesce(Port1,Port2)\n | extend TempOperation = coalesce(TempOperation1, TempOperation2);\nlet VRRPData = PreFilteredData\n | where Substring has_any(\"VRRP active\", \"VRRP passive\")\n | extend TempOperation = \"VRRP transition\";\nunion VPNConnectivityChangeData, StatusChangedData, PortData, VRRPData, SiteToSite_deleted, SiteToSite_ESP, SiteToSite_failed, SiteToSite_IPsecSArequest, SiteToSite_ISAKMPestablished, SiteToSite_negotiation, SiteToSite_purging, SiteToSite_tunnel\n | lookup EventFieldsLookup on TempOperation\n | where (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n | extend EventResult = case(\n (Operation == \"Port status change\" and Substring has \"from Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"connected\", \"forwarding\")),\n \"Success\",\n (Operation == \"Port status change\" and Substring has \"to Down\") or (Operation has_cs \"Spanning-tree guard state change\" and Substring has_any (\"disconnected\", \"error disabled\", \"blocked\", \"disabled\", \"not configured\")),\n \"Failure\",\n Operation has_cs \"Spanning-tree guard state 
change\" and Substring has \"learning\",\n \"Partial\",\n EventResult\n )\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n | extend EventType = case(Operation in(\"Port status change\", \"Spanning-tree guard state change\") and EventResult == \"Success\", \"Enable\",\n (Operation == \"Port status change\" and EventResult == \"Failure\") or (Operation == \"Spanning-tree guard state change\" and EventResult in (\"Partial\", \"Failure\")), \"Disable\",\n EventType\n )\n | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n | extend \n temp_srcipport = iff(temp_srcipport has \"]\" and temp_srcipport !has \":\", trim(']', temp_srcipport), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"]\" and temp_targetipport !has \":\", trim(']', temp_targetipport), temp_targetipport)\n | extend \n temp_srcipport = iff(temp_srcipport has \"[\" and temp_srcipport !has \":\", replace_string(temp_srcipport,'[',':'), temp_srcipport),\n temp_targetipport = iff(temp_targetipport has \"[\" and temp_targetipport !has \":\", replace_string(temp_targetipport,'[',':'), temp_targetipport),\n DvcMacAddr = iff(Operation == \"Spanning-tree guard state change\" and isnotempty(STPMac) and STPMac matches regex \"([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})|([0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4}\\\\.[0-9a-fA-F]{4})\\'*\", STPMac, \"\")\n | extend temp_srcipport = iff(isempty(DvcMacAddr) and isnotempty(STPMac) and Operation == \"Spanning-tree guard state change\", STPMac, temp_srcipport)\n | extend\n temp_srcipport = trim(\"'\", temp_srcipport),\n temp_targetipport = trim(\"'\", temp_targetipport)\n | extend \n temp_srcipport = trim('\"', temp_srcipport),\n temp_targetipport = trim('\"', temp_targetipport)\n | parse temp_srcipport with * \"[\" temp_srcip \"]:\" temp_srcport\n | extend SrcIpAddr = iff(temp_srcipport has \".\", split(temp_srcipport, \":\")[0], coalesce(temp_srcip, temp_srcipport))\n | extend\n temp_SrcMatch=has_any_ipv4_prefix(SrcIpAddr, 
srcipaddr_has_any_prefix)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or temp_SrcMatch)\n | parse temp_targetipport with * \"[\" temp_targetip \"]:\" temp_targetport\n | extend TargetIpAddr = iff(temp_targetipport has \".\", split(temp_targetipport, \":\")[0], coalesce(temp_targetip, temp_targetipport))\n | extend TargetPortNumber = iff(TargetIpAddr has \".\", toint(split(temp_targetipport, \":\")[1]), toint(coalesce(temp_targetport, \"\")))\n | extend SrcPortNumber = case(\n isnotempty(temp_srcipport),\n iff(SrcIpAddr has \".\", toint(split(temp_srcipport, \":\")[1]), toint(coalesce(temp_srcport, \"\"))),\n Substring has_cs \"Port\",\n toint(Port),\n Operation == \"Port status change\",\n toint(port),\n int(null)\n )\n | lookup EventSeverityLookup on EventResult\n | extend\n EventResultDetails = case(\n Operation == \"VPN connectivity change\" and isnotempty(connectivity), strcat(\"connectivity=\", connectivity),\n Operation == \"IPsec-SA request queued\" or Operation == \"Phase2 negotiation failed\", split(Substring, 'due to')[1], \n Substring has \"Site-to-site\", split(Substring, 'Site-to-site ')[1],\n Substring\n ),\n EventMessage = Substring,\n EventOriginalType = LogType,\n EventUid = _ResourceId\n | extend Device = tostring(Parser[1])\n | invoke _ASIM_ResolveDvcFQDN('Device')\n | extend\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr,\n EventEndTime = EventStartTime, \n EventCount = int(1),\n EventProduct = \"Meraki\",\n EventVendor = \"Cisco\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\"\n | project-away\n LogMessage,\n Parser,\n Epoch,\n EpochTimestamp,\n Device,\n Substring,\n TempOperation*,\n temp*,\n STPMac,\n peer_contact,\n connectivity,\n Port*,\n port,\n portnextpart,\n LogType,\n type,\n TenantId,\n SourceSystem,\n Computer,\n _ResourceId,\n MG,\n ManagementGroupName,\n RawData,\n EventTime,\n Facility,\n HostName,\n SeverityLevel,\n ProcessID,\n HostIP,\n ProcessName\n};\nparser(disabled=disabled, 
starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
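Review bot: `EventUid = _ResourceId` in the final `extend` of the `parser` function in the "query" value reuses the Azure resource ID of the sending source, which is the same value for every record that source emits, so EventUid will not identify a single event. Other ASIM parsers take the per-record Log Analytics identifier instead: `EventUid = _ItemId` (and `_ItemId` can then be dropped from the `project-away` list in place of `_ResourceId` if it is not wanted in the output; whether `meraki_CL` exposes it the same way as `Syslog` cannot be confirmed from this diff). The same block sets `EventSchemaVersion = "0.1"` while the Cisco ISE parser in this commit sets `"0.1.0"`; the two should use the same string so schema-version filtering in downstream content treats them alike. Separately, the epoch extraction regex `(\d+.\d+)` leaves the dot unescaped, so it also matches any character between the digit runs; `(\d+\.\d+)` is what is intended.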
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
index cb85d563183..a77bb09f6f4 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
@@ -35,7 +35,7 @@
"displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events",
"category": "ASIM",
"FunctionAlias": "vimAuditEventMicrosoftWindowsEvents",
- "query": "let parser= (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n eventtype_in:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ) { \n union \n (\n union \n (\n SecurityEvent\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type\n | where EventID == 1102\n ),\n (\n Event\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type\n | where EventID == 1102\n )\n | where\n (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(newvalue_has_any) == 0)\n and (array_length(object_has_any) == 0 or \"Logs\" in (object_has_any))\n and (array_length(operation_has_any) == 0 or \"Delete Logs\" has_any (operation_has_any))\n and (array_length(eventtype_in) == 0 or \"Delete\" in (eventtype_in))\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string\n ) \n with (regex=@'<(\\w+)>([^<]*)<')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n (\n WindowsEvent \n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and not(disabled)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type\n | where EventID == 
1102\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(newvalue_has_any) == 0)\n and (array_length(object_has_any) == 0 or \"Logs\" in (object_has_any))\n and (array_length(operation_has_any) == 0 or \"Delete Logs\" has_any (operation_has_any))\n and (array_length(eventtype_in) == 0 or \"Delete\" in (eventtype_in))\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any)\n | project-away EventData\n )\n | project-rename\n ActorUserId = SubjectUserSid,\n DvcHostname = Computer,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId\n | extend\n EventCount = int(1),\n EventType = \"Delete\",\n Operation = \"Delete Logs\",\n Object = \"Logs\",\n EventResult = \"Success\",\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Windows',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n ActorUserIdType = 'SID',\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n EventOriginalType = tostring(EventID)\n // Aliases\n | extend \n User=ActorUsername,\n ActorUserSid = ActorUserId,\n Dvc = DvcHostname\n | project-away Subject*, EventID\n};\nparser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n 
newvalue_has_any=newvalue_has_any,\n disabled=disabled\n)",
+ "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventtype_in:dynamic=dynamic([]),\n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([1102,4698,4699,4700,4701,4702,4929,5025,5027,5028,5029,5030,5034,5035,5037,7035,7036,7040,7045,2009,5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698,4699,4700,4701,4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025,5027,5028,5029,5030,5034,5035,5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035,7036,7040,7045,2009]); \n // EventID Lookup\n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n let EventIDLookup = datatable(EventID:int, Operation:string, EventType:string, Object:string, ObjectType:string, EventResult:string)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, 
\"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (strlen(eventresult) == 0 or EventResult =~ eventresult)\n | summarize make_set(EventID)\n );\n let FilteredParsedEventIds = iif(array_length(FilteredEventIds) >0, FilteredEventIds, ParsedEventIds);\n let ParsedEvents =\n union (\n union (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 
0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) \n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n ),\n (\n // Event\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n )\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string,\n TaskName:string,\n TaskContent:string,\n TaskContentNew:string,\n ClientProcessId:string,\n DestinationDRA:string,\n SourceDRA:string,\n SourceAddr:string,\n ObjectDN:string,\n AttributeValue:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n // WindowsEvents\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) \n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = 
tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any) \n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse 
WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Windows',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\",\"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n 
actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )",
"version": 1,
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
}
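Review bot: The eventresult predicate in the new FilteredEventIds lookup, `(strlen(eventresult) == 0 or EventResult =~ eventresult)`, never matches under the declared default `eventresult:string='*'` because it compares rows against the literal '*', so the query only produces output because `FilteredParsedEventIds` falls back to the full ParsedEventIds list whenever the filtered set is empty; that same fallback means a caller whose eventtype_in, operation_has_any or eventresult matches no lookup row gets every parsed event back instead of none, and this lookup is the only place those three parameters are applied. Change the predicate to `and (eventresult == '*' or EventResult =~ eventresult)` and drop the fallback with `let FilteredParsedEventIds = FilteredEventIds;`, so a non-matching filter yields an empty result as a filtering parser should. The WindowsEvent branch also repeats `or SubjectUserName has_any (actorusername_has_any)` twice where the SecurityEvent/Event branch checks SubjectDomainName in the second clause, so a domain-only actorusername filter silently drops WindowsEvent rows. The `4701` lookup row carries a trailing space in "Disable Scheduled Task ", which will surface in the normalized Operation field.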
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/README.md
new file mode 100644
index 00000000000..c67b0d7c09d
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/README.md
@@ -0,0 +1,18 @@
+# Vectra ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Vectra.
+
+This ASIM parser supports filtering and normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Audit Event schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventVectraXDRAudit%2FvimAuditEventVectraXDRAudit.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventVectraXDRAudit%2FvimAuditEventVectraXDRAudit.json)
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json
new file mode 100644
index 00000000000..8ae4c18f935
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimAuditEventVectraXDRAudit",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventVectraXDRAudit",
+ "query": "let parser = (disabled:bool = false, eventresult:string='*', starttime:datetime=datetime(null), endtime:datetime=datetime(null), actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any (actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any))\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = 'Other',\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | where ('*' in (eventresult) or EventResult in (eventresult))\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, eventresult=eventresult, starttime=starttime, endtime=endtime, 
actorusername_has_any=actorusername_has_any,operation_has_any=operation_has_any,object_has_any=object_has_any)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False,eventresult:string='*',starttime:datetime=datetime(null),endtime:datetime=datetime(null),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([])"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
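Review bot: The second where clause on Audits_Data_CL mixes `and` and `or` without parentheses around the two actorusername alternatives, so it parses as `(time window and user_id match) or (username match and operation filter and object filter)`; with the default empty actorusername_has_any the right-hand branch is true whenever the operation and object filters pass, which makes starttime/endtime inert in the default call and applies them only to the user_id branch otherwise. Fold both name checks into one parenthesized term so every filter is and-ed: `and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any) or username_s has_any (actorusername_has_any))`. Separately, `Dvc = source_ip_s` renames what looks like the actor's source address into the reporting-device field; if source_ip_s is the client IP it presumably belongs in SrcIpAddr, with Dvc identifying the Vectra appliance — verify against the connector's field meaning. A filtering parser that ignores its time window also defeats the cost and scope limits detections rely on when they pass starttime/endtime.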
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
index bbf891bc845..6c2b4d272d5 100644
--- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
@@ -24,6 +24,7 @@ Parsers:
- _ASim_AuditEvent_CiscoISE
- _ASim_AuditEvent_CiscoMeraki
- _ASim_AuditEvent_BarracudaWAF
+ - _ASim_AuditEvent_VectraXDRAudit
ParserParams:
- Name: pack
diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml
index 9bc9f6772bf..851a7061f36 100644
--- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml
@@ -1,6 +1,6 @@
Parser:
Title: Audit Event ASIM parser for Vectra XDR Audit Logs Event
- Version: '0.1'
+ Version: '0.1.0'
LastUpdated: Mar 17 2023
Product:
Name: Vectra
@@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Audit Event schema.
ParserName: ASimAuditEventVectraXDRAudit
+EquivalentBuiltInParser: _ASim_AuditEvent_VectraXDRAudit
ParserParams:
- Name: disabled
Type: bool
diff --git a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
index e526f392f05..b2dff3447da 100644
--- a/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
@@ -24,6 +24,7 @@ Parsers:
- _Im_AuditEvent_CiscoISE
- _Im_AuditEvent_CiscoMeraki
- _Im_AuditEvent_BarracudaWAF
+ - _Im_AuditEvent_VectraXDRAudit
ParserParams:
- Name: starttime
Type: datetime
diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml
index 7340bcc17cf..2a2bba50828 100644
--- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml
+++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml
@@ -1,6 +1,6 @@
Parser:
Title: Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event
- Version: '0.1'
+ Version: '0.1.0'
LastUpdated: Mar 17 2023
Product:
Name: Vectra
@@ -15,6 +15,7 @@ References:
Description: |
This ASIM parser supports filtering and normalizing Vectra XDR Audit Logs Event in the Audits_Data_CL table to the ASIM Audit Event schema.
ParserName: vimAuditEventVectraXDRAudit
+EquivalentBuiltInParser: _Im_AuditEvent_VectraXDRAudit
ParserParams:
- Name: disabled
Type: bool