From b5ee542e4dedf520aece54433d2b6d47be921c04 Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Thu, 5 Oct 2023 17:21:53 +0530
Subject: [PATCH 1/8] ASIM Parser Updates
---
 ASIM/dev/ASimTester/ASimTester.csv | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index 025e3b41eb5..0638dd9cd90 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -534,17 +534,17 @@ EventOwner,string,Optional,ProcessEvent,,,
 EventOwner,string,Optional,RegistryEvent,,,
 EventOwner,string,Optional,UserManagement,,,
 EventOwner,string,Optional,WebSession,,,
-EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|Windows|Exchange 365|Dataminr Pulse|Vectra Cloud,
-EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|Azure Defender for IoT|M365 Defender for Endpoint|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra Cloud|SentinelOne,
+EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Windows|Exchange 365|Dataminr Pulse|ISE|Vectra XDR|Meraki,
+EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF,
 EventProduct,string,Mandatory,Common,,,
 EventProduct,string,Mandatory,Dhcp,,,
 EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne,
-EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
-EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
+EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF,
+EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne,
-EventProduct,string,Mandatory,UserManagement,Enumerated,SentinelOne,
-EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki MX|Web Security Gateway|Zeek|Dataminr Pulse,
+EventProduct,string,Mandatory,UserManagement,Enumerated,ISE|Security Events|SentinelOne,
+EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF,
 EventProductVersion,string,Optional,AuditEvent,,,
 EventProductVersion,string,Optional,Authentication,,,
 EventProductVersion,string,Optional,Common,,,
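Review bot: The Authentication row in this hunk now enumerates `Microsoft Defender for IoT`, while the NetworkSession and ProcessEvent rows in the same hunk still enumerate `Azure Defender for IoT`, so a parser that emits one spelling can only satisfy the tester in some schemas. If the rename is intended, the NetworkSession and ProcessEvent rows should be updated in the same change; if both spellings must be accepted during a transition, list both in each row. The same concern applies to `Meraki MX` being replaced by `Meraki` in the NetworkSession and WebSession rows: unless the Meraki parsers were updated to emit `Meraki` in this series, the tester will now reject their current EventProduct value.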
@@ -662,19 +662,18 @@ EventUid,string,Recommended,ProcessEvent,,,
 EventUid,string,Recommended,RegistryEvent,,,
 EventUid,string,Recommended,UserManagement,,,
 EventUid,string,Recommended,WebSession,,,
-EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Dataminr|Vectra,
-EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne,
+EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra,
+EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne,
 EventVendor,string,Mandatory,Common,,,
 EventVendor,string,Mandatory,Dhcp,,,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne,
-EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
-EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
+EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,
-EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
-EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
-EventVendor,string,Mandatory,UserManagement,Enumerated,SentinelOne,
-EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
+EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
+EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne,
+EventVendor,string,Mandatory,UserManagement,Enumerated,Cisco|Microsoft|SentinelOne,
+EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
 EventVendor,string,Mandatory,RegistryEvent,Enumerated,SentinelOne,
 FileContentType,string,Optional,WebSession,Enumerated,,
 FileMD5,string,Optional,WebSession,MD5,,
From 5cb53d3f45aba85f7cf03dbc42e18f566b493a6b Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Thu, 5 Oct 2023 21:52:16 +0530
Subject: [PATCH 2/8] adding threat fields for ProcessEvents
---
 ASIM/dev/ASimTester/ASimTester.csv | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index 0638dd9cd90..a869482b935 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -823,6 +823,7 @@ RuleName,string,Optional,Authentication,,,
 RuleName,string,Optional,Dns,,,
 RuleName,string,Optional,FileEvent,,,
 RuleName,string,Optional,WebSession,,,
+RuleName,string,Optional,ProcessEvent,,,
 RuleName,string,Optional,RegistryEvent,,,
 RuleName,string,Optional,UserManagement,,,
 RuleName,string,Optional,Dhcp,,,
@@ -831,6 +832,7 @@ RuleNumber,int,Optional,Authentication,,,
 RuleNumber,int,Optional,Dns,,,
 RuleNumber,int,Optional,FileEvent,,,
 RuleNumber,int,Optional,WebSession,,,
+RuleNumber,int,Optional,ProcessEvent,,,
 RuleNumber,int,Optional,RegistryEvent,,,
 RuleNumber,int,Optional,UserManagement,,,
 RuleNumber,int,Optional,Dhcp,,,
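Review bot: After this hunk the file still carries two `EventVendor` rows for Dns with different allowlists (`...|Vectra AI|SentinelOne,` on the first and `...|Vectra AI,` on the second context line) and two identical rows for FileEvent (`Microsoft|SentinelOne`), while the duplicated NetworkSession row is the only duplicate the commit removes. Which of the two Dns rows the tester applies is not visible here, but a SentinelOne DNS parser would pass or fail depending on that choice, which makes the check non-deterministic from a maintainer's point of view. I would delete the second pair of context rows, ` EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI,` and ` EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,`, so each schema has exactly one vendor allowlist.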
@@ -1182,6 +1184,7 @@ ThreatCategory,string,Optional,Dns,,,
 ThreatCategory,string,Optional,FileEvent,,,
 ThreatCategory,string,Optional,NetworkSession,,,
 ThreatCategory,string,Optional,WebSession,,,
+ThreatCategory,string,Optional,ProcessEvent,,,
 ThreatCategory,string,Optional,RegistryEvent,,,
 ThreatCategory,string,Optional,UserManagement,,,
 ThreatCategory,string,Optional,Dhcp,,,
@@ -1191,6 +1194,7 @@ ThreatConfidence,int,Optional,Dns,ConfidenceLevel,,
 ThreatConfidence,int,Optional,FileEvent,,,
 ThreatConfidence,int,Optional,NetworkSession,,,
 ThreatConfidence,int,Optional,WebSession,,,
+ThreatConfidence,int,Optional,ProcessEvent,,,
 ThreatConfidence,int,Optional,RegistryEvent,,,
 ThreatConfidence,int,Optional,UserManagement,,,
 ThreatConfidence,int,Optional,Dhcp,,,
@@ -1200,6 +1204,7 @@ ThreatField,string,Conditional,NetworkSession,Enumerated,,ThreatIpAddr
 ThreatField,string,Optional,Authentication,,,
 ThreatField,string,Optional,Dns,,,
 ThreatField,string,Optional,WebSession,,,
+ThreatField,string,Optional,ProcessEvent,,,
 ThreatField,string,Optional,RegistryEvent,,,
 ThreatField,string,Optional,UserManagement,,,
 ThreatField,string,Optional,Dhcp,,,
@@ -1210,6 +1215,7 @@ ThreatFirstReportedTime,datetime,Optional,Dns,,,
 ThreatFirstReportedTime,datetime,Optional,FileEvent,,,
 ThreatFirstReportedTime,datetime,Optional,NetworkSession,,,
 ThreatFirstReportedTime,datetime,Optional,WebSession,,,
+ThreatFirstReportedTime,datetime,Optional,ProcessEvent,,,
 ThreatFirstReportedTime,datetime,Optional,RegistryEvent,,,
 ThreatFirstReportedTime,datetime,Optional,UserManagement,,,
 ThreatFirstReportedTime,datetime,Optional,Dhcp,,,
@@ -1219,6 +1225,7 @@ ThreatId,string,Optional,Dns,,,
 ThreatId,string,Optional,FileEvent,,,
 ThreatId,string,Optional,NetworkSession,,,
 ThreatId,string,Optional,WebSession,,,
+ThreatId,string,Optional,ProcessEvent,,,
 ThreatId,string,Optional,RegistryEvent,,,
 ThreatId,string,Optional,UserManagement,,,
 ThreatId,string,Optional,Dhcp,,,
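Review bot: The new `ThreatConfidence,int,Optional,ProcessEvent,,,` row carries no validator, whereas the Dns row shown in that hunk's header uses `ConfidenceLevel`, and the `ThreatRiskLevel` hunk later in this patch does give the ProcessEvent row the `RiskLevel` validator. If ProcessEvent parsers are expected to emit normalized confidence values, the row should read `ThreatConfidence,int,Optional,ProcessEvent,ConfidenceLevel,,`. The FileEvent, NetworkSession and WebSession rows also lack the validator, so this may be deliberate; either way the choice is worth a line in the commit message so the next schema addition follows the same rule.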
@@ -1233,6 +1240,7 @@ ThreatIsActive,bool,Optional,Dns,,,
 ThreatIsActive,bool,Optional,FileEvent,,,
 ThreatIsActive,bool,Optional,NetworkSession,,,
 ThreatIsActive,bool,Optional,WebSession,,,
+ThreatIsActive,bool,Optional,ProcessEvent,,,
 ThreatIsActive,bool,Optional,RegistryEvent,,,
 ThreatIsActive,bool,Optional,UserManagement,,,
 ThreatIsActive,bool,Optional,Dhcp,,,
@@ -1242,6 +1250,7 @@ ThreatLastReportedTime,datetime,Optional,Dns,,,
 ThreatLastReportedTime,datetime,Optional,FileEvent,,,
 ThreatLastReportedTime,datetime,Optional,NetworkSession,,,
 ThreatLastReportedTime,datetime,Optional,WebSession,,,
+ThreatLastReportedTime,datetime,Optional,ProcessEvent,,,
 ThreatLastReportedTime,datetime,Optional,RegistryEvent,,,
 ThreatLastReportedTime,datetime,Optional,UserManagement,,,
 ThreatLastReportedTime,datetime,Optional,Dhcp,,,
@@ -1251,6 +1260,7 @@ ThreatName,string,Optional,Dns,,,
 ThreatName,string,Optional,FileEvent,,,
 ThreatName,string,Optional,NetworkSession,,,
 ThreatName,string,Optional,WebSession,,,
+ThreatName,string,Optional,ProcessEvent,,,
 ThreatName,string,Optional,RegistryEvent,,,
 ThreatName,string,Optional,UserManagement,,,
 ThreatName,string,Optional,Dhcp,,,
@@ -1260,6 +1270,7 @@ ThreatOriginalConfidence,string,Optional,Dns,,,
 ThreatOriginalConfidence,string,Optional,FileEvent,,,
 ThreatOriginalConfidence,string,Optional,NetworkSession,,,
 ThreatOriginalConfidence,string,Optional,WebSession,,,
+ThreatOriginalConfidence,string,Optional,ProcessEvent,,,
 ThreatOriginalConfidence,string,Optional,RegistryEvent,,,
 ThreatOriginalConfidence,string,Optional,UserManagement,,,
 ThreatOriginalConfidence,string,Optional,Dhcp,,,
@@ -1269,6 +1280,7 @@ ThreatOriginalRiskLevel,string,Optional,Dns,,,
 ThreatOriginalRiskLevel,string,Optional,FileEvent,,,
 ThreatOriginalRiskLevel,string,Optional,NetworkSession,,,
 ThreatOriginalRiskLevel,string,Optional,WebSession,,,
+ThreatOriginalRiskLevel,string,Optional,ProcessEvent,,,
 ThreatOriginalRiskLevel,string,Optional,RegistryEvent,,,
 ThreatOriginalRiskLevel,string,Optional,UserManagement,,,
 ThreatOriginalRiskLevel,string,Optional,Dhcp,,,
@@ -1278,6 +1290,7 @@ ThreatRiskLevel,int,Optional,Dns,RiskLevel,,
 ThreatRiskLevel,int,Optional,FileEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,,
 ThreatRiskLevel,int,Optional,WebSession,RiskLevel,,
+ThreatRiskLevel,int,Optional,ProcessEvent,RiskLevel,,
 ThreatRiskLevel,int,Optional,RegistryEvent,,,
 ThreatRiskLevel,int,Optional,UserManagement,,,
 ThreatRiskLevel,int,Optional,Dhcp,,,
From dc1ed2904e73eacea8fa0f714ee3712a0035a7dc Mon Sep 17 00:00:00 2001
From: vakohl <97222872+vakohl@users.noreply.github.com>
Date: Tue, 21 Nov 2023 10:32:41 +0530
Subject: [PATCH 3/8] removing Vectra from EventProduct
---
 ASIM/dev/ASimTester/ASimTester.csv | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index a869482b935..441deec5e88 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -534,7 +534,7 @@ EventOwner,string,Optional,ProcessEvent,,, EventOwner,string,Optional,RegistryEvent,,, EventOwner,string,Optional,UserManagement,,, EventOwner,string,Optional,WebSession,,, -EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Windows|Exchange 365|Dataminr Pulse|ISE|Vectra XDR|Meraki, +EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Windows|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki, EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF, EventProduct,string,Mandatory,Common,,, EventProduct,string,Mandatory,Dhcp,,, From fe5594d11ee6f9bbed091599de31464204834083 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Thu, 23 Nov 2023 11:39:05 +0530 Subject: [PATCH 4/8] EventProduct update for Vectra --- .../ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml | 2 +- Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml index d4d70d4ed22..e1071db5dc1 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml +++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventVectraXDRAudit.yaml @@ -27,7 +27,7 @@ ParserQuery: | | where not(disabled) and event_action_s !in ("login","logout") | extend EventEndTime = event_timestamp_t, - EventProduct = 'Vectra XDR', + EventProduct = 'XDR', EventSchema = "AuditEvent", EventSchemaVersion = "0.1.0", EventStartTime = event_timestamp_t, diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml index 87223c69747..2200bc20759 100644 
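Review bot: Only the AuditEvent row changes `Vectra XDR` to `XDR`; the Authentication row on the very next context line still enumerates `Vectra XDR`, so the same product is now spelled two ways in the same file. If the intent is that the vendor lives only in `EventVendor`, the Authentication row should drop the prefix as well (`...|su|sudo|XDR|SentinelOne|WAF,`), and if no Vectra authentication parser exists the stale value could simply be removed. Note also that `XDR` is a generic product name, so any other vendor's XDR parser targeting AuditEvent would be indistinguishable in this allowlist; the tester presumably checks EventProduct alone, so that collision is worth confirming before the rename lands.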
--- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml +++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventVectraXDRAudit.yaml @@ -46,7 +46,7 @@ ParserQuery: | | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any (actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any)) | extend EventEndTime = event_timestamp_t, - EventProduct = 'Vectra XDR', + EventProduct = 'XDR', EventSchema = "AuditEvent", EventSchemaVersion = "0.1.0", EventStartTime = event_timestamp_t, From cffaf593eaa82feff946868c72f4a2ae4c7797dc Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Thu, 23 Nov 2023 06:11:48 +0000 Subject: [PATCH 5/8] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ARM/ASimAuditEvent/ASimAuditEvent.json | 2 +- .../ASimAuditEventSentinelOne.json | 46 +++++++++++++++++++ .../ARM/ASimAuditEventSentinelOne/README.md | 18 ++++++++ .../ASimAuditEventVectraXDRAudit.json | 2 +- .../ARM/FullDeploymentAuditEvent.json | 40 ++++++++++++++++ .../ARM/imAuditEvent/imAuditEvent.json | 2 +- .../ARM/vimAuditEventSentinelOne/README.md | 18 ++++++++ .../vimAuditEventSentinelOne.json | 46 +++++++++++++++++++ .../vimAuditEventVectraXDRAudit.json | 2 +- 9 files changed, 172 insertions(+), 4 deletions(-) create mode 100644 Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json create mode 100644 Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/README.md create mode 100644 Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/README.md create mode 100644 Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json 
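Review bot: The `| where` clause in the context of this hunk mixes `and` and `or` without grouping: the `or` between the two `actorusername_has_any` alternatives sits at top level, so the filter evaluates as `(time window and user_id match) or (username match and operation match and object match)`. With all the `_has_any` parameters at their empty defaults the second disjunct is always true, so the `starttime`/`endtime` window is ignored entirely, and when filters are supplied the time window and the operation/object filters never apply together. The two alternatives should be one grouped term: `and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any) or username_s has_any (actorusername_has_any))`. The ParserQuery block starts outside the hunk, so the parameter declarations and the rest of the pipeline are not visible here.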
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
index e145f4fa36c..9c36a1a6c81 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
@@ -35,7 +35,7 @@ "displayName": "Audit event ASIM parser", "category": "ASIM", "FunctionAlias": "ASimAuditEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n 
ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers)))\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json new file mode 100644 index 00000000000..f89a67bcae3 --- /dev/null +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json 
@@ -0,0 +1,46 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces", + "apiVersion": "2017-03-15-preview", + "name": "[parameters('Workspace')]", + "location": "[parameters('WorkspaceRegion')]", + "resources": [ + { + "type": "savedSearches", + "apiVersion": "2020-08-01", + "name": "ASimAuditEventSentinelOne", + "dependsOn": [ + "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]" + ], + "properties": { + "etag": "*", + "displayName": "Audit Event ASIM parser for SentinelOne", + "category": "ASIM", + "FunctionAlias": "ASimAuditEventSentinelOne", + "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", 
\"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", 
\"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell 
Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", 
\"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event 
Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number 
Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified 
Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", 
\"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", \"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", 
\"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 
5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall 
Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 
4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser = (disabled: bool=false) {\n let RawGroupSiteActivityIds = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 
5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and event_name_s == \"Activities.\"\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (RawGroupSiteActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let 
groupsiteactivitydata = union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory_datafields = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled 
on $left.newValue == $right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, 
recoveryEmail, featureName, policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory_datafields = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where 
activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d;\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = 
threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\"),\n ThreatCategory = coalesce(ThreatCategory_datafields, ThreatCategory_threats)\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = _ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n 
cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled)",
+ "version": 1,
+ "functionParameters": "disabled:bool=False"
+ }
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/README.md b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/README.md
new file mode 100644
index 00000000000..792640c3680
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/README.md
@@ -0,0 +1,18 @@
+# SentinelOne ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for SentinelOne.
+
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Audit Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventSentinelOne%2FASimAuditEventSentinelOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventSentinelOne%2FASimAuditEventSentinelOne.json)
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json
index a2877c13e19..1cac4446d1a 100644
--- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json
+++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json
@@ -35,7 +35,7 @@
 "displayName": "Audit Event ASIM parser for Vectra XDR Audit Logs Event",
 "category": "ASIM",
 "FunctionAlias": "ASimAuditEventVectraXDRAudit",
- "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)",
+ "query": "let parser = (disabled:bool = false)\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = \"Other\",\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = 
event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
index 0bf4ba63e0f..b5ec8993b24 100644
--- a/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
@@ -158,6 +158,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimAuditEventSentinelOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
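Review bot: The new `EventProduct = 'XDR'` on the `+ "query"` line drops the vendor from the product name, so this parser now emits EventVendor/EventProduct as 'Vectra'/'XDR' while the other AuditEvent parser in this patch uses a full product name ('SentinelOne'); if the ASimTester's enumerated EventProduct values for AuditEvent still expect 'Vectra XDR', this parser will start failing the tester rather than passing it. Confirm the intended enumeration value before merging, or keep `EventProduct = 'Vectra XDR',`. The `parser` function is entirely within this hunk.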
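Review bot: The `templateLink.uri` of the added `linkedASimAuditEventSentinelOne` deployment (and of `linkedvimAuditEventSentinelOne` in the next hunk) resolves the parser template from the `master` branch at deployment time, so what a workspace actually receives is whatever master holds then, not the template content reviewed in this patch; this follows the file's existing entries, so it is a convention-level reproducibility observation rather than a defect introduced here. Note also that ARM compares the `contentVersion` given in `templateLink` with the linked template's own `contentVersion` and fails the deployment on mismatch, so `"contentVersion": "1.0.0.0"` should be checked against the `contentVersion` declared in `ASimAuditEventSentinelOne.json` and `vimAuditEventSentinelOne.json`, which are not visible in this hunk.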
@@ -338,6 +358,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimAuditEventSentinelOne",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
index e4fc3534ff3..9af36d648a0 100644
--- a/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
+++ b/Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
@@ -35,7 +35,7 @@
 "displayName": "Audit event ASIM filtering parser.",
 "category": "ASIM",
 "FunctionAlias": "imAuditEvent",
- "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))\n",
+ "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludevimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludevimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers)))\n",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False"
 }
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/README.md b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/README.md
new file mode 100644
index 00000000000..40aafadd8f4
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/README.md
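Review bot: The member added at the end of the union calls the non-filtering `ASimAuditEventSentinelOne` with only the disabled expression, so none of the filter parameters this function declares in functionParameters (starttime, endtime, srcipaddr_has_any_prefix, actorusername_has_any, operation_has_any, eventtype_in, eventresult, object_has_any, newvalue_has_any) are pushed down to the SentinelOne source, even though this same commit introduces `vimAuditEventSentinelOne` with exactly those parameters, and the query string shown here applies no filtering after the union. A caller of imAuditEvent that scopes by time or actor therefore gets unfiltered SentinelOne rows back, which defeats the purpose of the filtering parser and makes it scan the whole table. The existing members follow the same ASim-call pattern, so this may be an intentional interim state, but the new member at least should become `vimAuditEventSentinelOne (<filter parameters in the order its functionParameters declare them>, (BuiltInDisabled or ('ExcludevimAuditEventSentinelOne' in (DisabledParsers))))`. The exclusion key also mixes prefixes with the neighbouring `ExcludeASimAuditEventCiscoISE` and `ExcludeASimAuditEventVectraXDRAudit` entries; settling on one prefix keeps the ASimDisabledParsers watchlist lookup predictable for operators.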
@@ -0,0 +1,18 @@
+# SentinelOne ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for SentinelOne.
+
+This ASIM parser supports normalizing SentinelOne logs to the ASIM Audit Event normalized schema. SentinelOne events are captured through SentinelOne data connector which ingests SentinelOne server objects such as Threats, Agents, Applications, Activities, Policies, Groups, and more events into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventSentinelOne%2FvimAuditEventSentinelOne.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FvimAuditEventSentinelOne%2FvimAuditEventSentinelOne.json)
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
new file mode 100644
index 00000000000..c95fc8b1a7a
--- /dev/null
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventSentinelOne/vimAuditEventSentinelOne.json
@@ -0,0 +1,46 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "Workspace": {
+ "type": "string",
+ "metadata": {
+ "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+ }
+ },
+ "WorkspaceRegion": {
+ "type": "string",
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "The region of the selected workspace. The default value will use the Region selection above."
+ }
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "apiVersion": "2017-03-15-preview",
+ "name": "[parameters('Workspace')]",
+ "location": "[parameters('WorkspaceRegion')]",
+ "resources": [
+ {
+ "type": "savedSearches",
+ "apiVersion": "2020-08-01",
+ "name": "vimAuditEventSentinelOne",
+ "dependsOn": [
+ "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+ ],
+ "properties": {
+ "etag": "*",
+ "displayName": "Audit Event ASIM parser for SentinelOne",
+ "category": "ASIM",
+ "FunctionAlias": "vimAuditEventSentinelOne",
+ "query": "let EventFieldsLookup = datatable(\n activityType_d: real,\n Operation: string,\n EventType_activity: string,\n EventSubType: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 39, \"Research Settings Modified\", \"\", \"\", \"Success\", \"Research Settings\", \"Policy Rule\",\n 41, \"Learning Mode Settings Modified\", \"Set\", \"\", \"Success\", \"Mitigation policy\", \"Policy Rule\",\n 44, \"Auto decommission On\", \"Enable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 45, \"Auto decommission Off\", \"Disable\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 46, \"Auto Decommission Period Modified\", \"Set\", \"\", \"Success\", \"Auto decommission\", \"Service\",\n 56, \"Auto Mitigation Actions Modified\", \"Set\", \"\", \"Success\", 
\"Mitigation action\", \"Other\",\n 57, \"Quarantine Network Settings Modified\", \"\", \"\", \"Success\", \"NetworkSettings\", \"Configuration Atom\",\n 68, \"Engine Modified In Policy\", \"Set\", \"\", \"Success\", \"Engine Policy\", \"Policy Rule\",\n 69, \"Mitigation Policy Modified\", \"Set\", \"\", \"Success\", \"Threat Mitigation Policy\", \"Policy Rule\",\n 70, \"Policy Setting - Agent Notification On Suspicious Modified\", \"\", \"\", \"Success\", \"Agent notification\", \"Service\",\n 82, \"Monitor On Execute\", \"\", \"\", \"Success\", \"On execute setting\", \"Configuration Atom\",\n 83, \"Monitor On Write\", \"\", \"\", \"Success\", \"On write setting\", \"Configuration Atom\",\n 105, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility Setting\", \"Configuration Atom\",\n 116, \"Policy Settings Modified\", \"Disable\", \"\", \"Success\", \"Policy Settings\", \"Policy Rule\",\n 150, \"Live Security Updates Policy Modified\", \"\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 151, \"Live Security Updates Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Live Security Updates Policy\", \"Policy Rule\",\n 200, \"File Upload Settings Modified\", \"Set\", \"\", \"Success\", \"Binary Vault Settings\", \"Configuration Atom\",\n 201, \"File Upload Enabled/Disabled\", \"\", \"\", \"Success\", \"Binary Vault\", \"Policy Rule\",\n 4004, \"Policy Setting - Show Suspicious Activities Configuration Enabled\", \"Enable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4005, \"Policy Setting - Show Suspicious Activities Configuration Disabled\", \"Disable\", \"\", \"Success\", \"Policy Setting\", \"Policy Rule\",\n 4104, \"STAR Manual Response Marked Event As Malicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 4105, \"STAR Manual Response Marked Event As Suspicious\", \"Set\", \"\", \"Success\", \"computerName\", \"Other\",\n 5012, \"Group Token Regenerated\", 
\"Create\", \"\", \"Success\", \"Token\", \"Policy Rule\",\n 5020, \"Site Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5021, \"Site Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5022, \"Site Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5024, \"Site Policy Reverted\", \"\", \"\", \"Success\", \"\", \"Other\",\n 5025, \"Site Marked As Expired\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 5026, \"Site Duplicated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5027, \"Site Token Regenerated\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 6000, \"Mobile Policy updated\", \"Set\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6001, \"Mobile Policy created\", \"Create\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6002, \"Mobile Policy removed\", \"Delete\", \"\", \"Success\", \"Mobile Policy\", \"Policy Rule\",\n 6010, \"UEM Connection created\", \"Create\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6011, \"UEM Connection updated\", \"Set\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 6012, \"UEM Connection Removed\", \"Delete\", \"\", \"Success\", \"MDM Connection\", \"Configuration Atom\",\n 73, \"Scan New Agents Changed\", \"\", \"\", \"Success\", \"Scan new agents Setting\", \"Configuration Atom\",\n 76, \"Anti Tampering Modified\", \"\", \"\", \"Success\", \"Anti tampering setting\", \"Configuration Atom\",\n 77, \"Agent UI Settings Modified\", \"Set \", \"\", \"Success\", \"Agent UI setting\", \"Configuration Atom\",\n 78, \"Snapshots Settings Modified\", \"\", \"\", \"Success\", \"Snapshots setting\", \"Configuration Atom\",\n 79, \"Agent Logging Modified\", \"\", \"\", \"Success\", \"Agent logging setting\", \"Configuration Atom\",\n 84, \"Deep Visibility Settings Modified\", \"\", \"\", \"Success\", \"Deep Visibility setting\", \"Configuration Atom\",\n 87, \"Remote Shell Settings Modified\", \"\", \"\", \"Success\", \"Remote Shell 
Settings\", \"Configuration Atom\",\n 2100, \"Upgrade Policy - Concurrency Limit Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2101, \"Upgrade Policy - Concurrency Limit Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n 2111, \"Upgrade Policy - Maintenance Window Time Inheritance Changed\", \"Set\", \"\", \"Success\", \"Policy Upgrade\", \"Policy Rule\",\n ];\n let EventFieldsLookupMachineActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_machineactivity: string,\n EventSubType_machineactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 52, \"User Approved Agent Uninstall Request\", \"Other\", \"Approve\", \"Success\", \"Agent\", \"Service\",\n 53, \"User Rejected Agent Uninstall Request\", \"Other\", \"Reject\", \"Failure\", \"Agent\", \"Service\",\n 54, \"User Decommissioned Agent\", \"Disable\", \"\", \"Success\", \"Agent\", \"Service\",\n 55, \"User Recommissioned Agent\", \"Enable\", \"\", \"Success\", \"Agent\", \"Service\",\n 61, \"User Disconnected Agent From Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 62, \"User Reconnected Agent to Network\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 63, \"User Shutdown Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 93, \"User Reset Agent's Local Config\", \"Set\", \"\", \"Success\", \"Local config\", \"Configuration Atom\",\n 95, \"User Moved Agent to Group\", \"Other\", \"Move\", \"Success\", \"Agent\", \"Service\",\n 117, \"User Disabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 118, \"User Enabled Agent\", \"Execute\", \"\", \"Success\", \"Agent\", \"Service\",\n 4100, \"User Marked Deep Visibility Event As Threat\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", \"Other\",\n 4101, \"User Marked Deep Visibility Event As Suspicious\", \"Set\", \"\", \"Success\", \"Deep Visibility Event\", 
\"Other\",\n ];\n let EventFieldsLookupAccountActivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_accountactivity: string,\n EventSubType_accountactivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 130, \"Opt-in To EA program\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 131, \"Opt-out From EA Program\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5040, \"Account Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5041, \"Account Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5042, \"Account Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5044, \"Account Policy Reverted\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 7200, \"Add cloud account\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 7201, \"Disable cloud Account\", \"Disable\", \"\", \"Success\", \"\", \"Other\",\n 7202, \"Enable cloud Account\", \"Enable\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventFieldsLookup_useractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_useractivity: string,\n EventSubType_useractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 88, \"User Remote Shell Modified\", \"\", \"\", \"Success\", \"Remote Shell\", \"Configuration Atom\",\n 114, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\"\n ];\n let EventFieldsLookup_otheractivity = datatable(\n activityType_d: real,\n Operation: string,\n EventType_otheractivity: string,\n EventSubType_otheractivity: string,\n EventResult: string,\n Object: string,\n ObjectType: string\n )\n [\n 2, \"Hash Defined as Malicious By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 40, \"Cloud Intelligence Settings Modified\", \"\", \"\", \"Success\", \"Cloud Intelligence Settings\", \"Policy Rule\",\n 58, \"Notification Option Level Modified\", \"Set\", \"\", \"Success\", \"Notification Level\", \"Service\",\n 59, \"Event 
Severity Level Modified\", \"Set\", \"\", \"Success\", \"EventSeverity Level\", \"Other\",\n 60, \"Notification - Recipients Configuration Modified\", \"Set\", \"\", \"Success\", \"Recipients configuration\", \"Policy Rule\",\n 101, \"User Changed Agent's Customer Identifier\", \"Set\", \"\", \"Success\", \"Customer Identifier string\", \"Configuration Atom\",\n 106, \"User Commanded Agents To Move To Another Console\", \"Execute\", \"\", \"Failure\", \"Agents\", \"Service\",\n 107, \"User Created RBAC Role\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 108, \"User Edited RBAC Role\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 109, \"User Deleted RBAC Role\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 112, \"API token Generated\", \"Create\", \"\", \"Success\", \"API Token\", \"Service\",\n 113, \"API Token Revoked\", \"Disable\", \"\", \"Success\", \"API Token\", \"Service\",\n 129, \"Allowed Domains Settings Changed\", \"Set\", \"\", \"Success\", \"User Domain Setting\", \"Other\",\n 1501, \"Location Created\", \"Create\", \"\", \"Success\", \"\", \"Service\",\n 1502, \"Location Copied\", \"Set\", \"Copy\", \"Success\", \"\", \"Service\",\n 1503, \"Location Modified\", \"Set\", \"\", \"Success\", \"\", \"Service\",\n 1504, \"Location Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Service\",\n 2011, \"User Issued Kill Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2012, \"User Issued Remediate Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2013, \"User Issued Rollback Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2014, \"User Issued Quarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2015, \"User Issued Unquarantine Command\", \"Execute\", \"\", \"Success\", \"\", \"Other\",\n 2016, \"User Marked Application As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2028, \"Threat Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2029, \"Ticket Number 
Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2030, \"Analyst Verdict Changes\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2036, \"Threat Confidence Level Changed By Agent\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 2037, \"Threat Confidence Level Changed By Cloud\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3001, \"User Added Hash Exclusion\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3002, \"User Added Blocklist Hash\", \"Set\", \"\", \"Success\", \"Hash\", \"Other\",\n 3008, \"New Path Exclusion\", \"Create\", \"\", \"Success\", \"Path\", \"Other\",\n 3009, \"New Signer Identity Exclusion\", \"Create\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3010, \"New File Type Exclusion\", \"Create\", \"\", \"Success\", \"File Type\", \"Other\",\n 3011, \"New Browser Type Exclusion\", \"Create\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3012, \"Path Exclusion Modified\", \"Set\", \"\", \"Success\", \"Path\", \"Other\",\n 3013, \"Signer Identity Exclusion Modified\", \"Set\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3014, \"File Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"File Type\", \"Other\",\n 3015, \"Browser Type Exclusion Modified\", \"Set\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3016, \"Path Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Path\", \"Other\",\n 3017, \"Signer Identity Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Signer Identity\", \"Other\",\n 3018, \"File Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"File Type\", \"Other\",\n 3019, \"Browser Type Exclusion Deleted\", \"Delete\", \"\", \"Success\", \"Browser Type\", \"Other\",\n 3020, \"User Deleted Hash From Blocklist\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3021, \"User Deleted Hash Exclusion\", \"Delete\", \"\", \"Success\", \"Hash\", \"Other\",\n 3100, \"User Added Package\", \"Create\", \"\", \"Success\", \"Package\", \"Other\",\n 3101, \"User Modified 
Package\", \"Set\", \"\", \"Success\", \"Package\", \"Other\",\n 3102, \"User Deleted Package\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3103, \"Package Deleted By System - Too Many Packages\", \"Delete\", \"\", \"Success\", \"Package\", \"Other\",\n 3500, \"User Toggled Ranger Status\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Other\",\n 3501, \"Ranger Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Settings\", \"Configuration Atom\",\n 3502, \"Ranger Network Settings Modified\", \"Set\", \"\", \"Success\", \"Ranger Network Setting\", \"Other\",\n 3506, \"Ranger - Device Review Modified\", \"Set\", \"\", \"Success\", \"Device Review\", \"Other\",\n 3507, \"Ranger - Device Tag Modified On Host\", \"Set\", \"\", \"Success\", \"Device Tag\", \"Other\",\n 3521, \"Ranger Deploy Initiated\", \"Initialize\", \"\", \"Success\", \"Ranger Deploy\", \"Other\",\n 3525, \"Ranger Deploy - Credential Created\", \"Create\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3526, \"Ranger Deploy - Credential Deleted\", \"Delete\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3527, \"Ranger Deploy - Credential Overridden\", \"Set\", \"\", \"Success\", \"Credential\", \"Configuration Atom\",\n 3530, \"Ranger Labels Updated\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3531, \"Ranger labels reverted\", \"Set\", \"\", \"Success\", \"Ranger Labels\", \"Other\",\n 3600, \"Custom Rules - User Created A Rule\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3601, \"Custom Rules - User Changed A Rule\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3602, \"Custom Rules - User Deleted A Rule\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3603, \"Custom Rules - Rule Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3604, \"Custom Rules - Rule Status Change Failed\", \"Set\", \"\", \"Failure\", \"\", \"Policy Rule\",\n 3626, \"User 2FA Email Verification Changed\", 
\"Set\", \"\", \"Success\", \"\", \"Service\",\n 3628, \"2FA Code Verification\", \"Set\", \"\", \"Success\", \"2FA\", \"Service\",\n 3641, \"Ranger self Provisioning Default Features Modified\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 3650, \"Tag Manager - User Created New Tag\", \"Create\", \"\", \"Success\", \"Tag\", \"Other\",\n 3651, \"Tag Manager - User Modified Tag\", \"Set\", \"\", \"Success\", \"Tag\", \"Other\",\n 3652, \"Tag Manager - User Deleted Tag\", \"Delete\", \"\", \"Success\", \"Tag\", \"Other\",\n 3653, \"Tag Manager - User Attached Tag\", \"Other\", \"Attach\", \"Success\", \"Tags\", \"Other\",\n 3654, \"Tag Manager - User Detached Tag\", \"Detach\", \"\", \"Success\", \"Tags\", \"Other\", \n 3750, \"Auto-Upgrade Policy Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3751, \"Auto-Upgrade Policy Disabled\", \"Disable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3752, \"Auto-Upgrade Policy Activated\", \"Enable\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3753, \"Auto-Upgrade Policy Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3754, \"Auto-Upgrade Policy Reordered\", \"Other\", \"Reorder\", \"Success\", \"\", \"Policy Rule\",\n 3755, \"Upgrade Policy Inheritance Setting Changed\", \"Set\", \"\", \"Success\", \"Upgrade Policy\", \"Policy Rule\",\n 3756, \"Auto-Upgrade Policy Edited\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 3767, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3768, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3769, \"Local Upgrade Authorized\", \"Other\", \"Authorize\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3770, \"Local Upgrade Authorization Expiry Date Changed\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3771, \"Local Upgrade Authorization Expiry Date Changed\", 
\"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3772, \"Local Upgrade Unauthorized\", \"Other\", \"Unauthorize\", \"Failure\", \"Local Upgrade Authorization\", \"Service\",\n 3773, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 3774, \"Local Upgrade Authorization Inherits from Site Level\", \"Set\", \"\", \"Success\", \"Local Upgrade Authorization\", \"Service\",\n 4001, \"Suspicious Threat Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4002, \"Suspicious Threat Was Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4006, \"Remember Me Length Modified\", \"Set\", \"\", \"Success\", \"Stay Sign in Duration\", \"Policy Rule\",\n 4007, \"Suspicious Threat Was Marked As Benign\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4008, \"Threat Mitigation Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4009, \"Process Was Marked As Threat\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 4011, \"Suspicious Threat Was Unresolved\", \"Set\", \"\", \"Failure\", \"\", \"Other\",\n 4012, \"UI Inactivity Timeout Modified\", \"Set\", \"\", \"Success\", \"Inactivity timeout\", \"Configuration Atom\",\n 5242, \"Ranger - Device Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5243, \"Ranger - Device Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5244, \"Ranger - Device Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5250, \"Firewall Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5251, \"Firewall Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 5252, \"Firewall Control Tag Updated\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5253, \"Network Quarantine Control Tag Created\", \"Create\", \"\", \"Success\", \"\", \"Other\",\n 5254, \"Network Quarantine Control Tag Updated\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 
5255, \"Network Quarantine Control Tag Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Other\",\n 5256, \"Firewall Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5257, \"Firewall Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Firewall Control tags\", \"Other\",\n 5258, \"Network Quarantine Control Tag Added/Removed From Rule\", \"\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5259, \"Network Quarantine Control Tag Inherited\", \"Set\", \"\", \"Success\", \"Network Quarantine Control Tag\", \"Other\",\n 7500, \"Remote Ops Password Configured\", \"Set\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7501, \"Remote Ops Password Deleted\", \"Delete\", \"\", \"Success\", \"Remote Ops password configuration\", \"Configuration Atom\",\n 7602, \"User Edited Run Script Guardrails\", \"Set\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7603, \"User Enabled Run Script Guardrails\", \"Enable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 7604, \"User Disabled Run Script Guardrails\", \"Disable\", \"\", \"Success\", \"Guardrails\", \"Service\",\n 5120, \"Device Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5121, \"Device Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5122, \"Device Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5123, \"Device Rules Reordered\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5124, \"Device Rules Settings Modified\", \"Set\", \"\", \"Success\", \"Device Control settings\", \"Policy Rule\",\n 5129, \"Device Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5220, \"Firewall Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5221, \"Firewall Rule Modified\", \"Set/Other\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5222, \"Firewall Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5225, \"Firewall 
Control Settings Modified\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5226, \"Firewall Rules Reordered\", \"Set\", \"\", \"Success\", \"Firewall Rule\", \"Policy Rule\",\n 5231, \"Firewall Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5234, \"Network Quarantine Rule Created\", \"Create\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5235, \"Network Quarantine Rule Modified\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5236, \"Network Quarantine Rule Deleted\", \"Delete\", \"\", \"Success\", \"\", \"Policy Rule\",\n 5237, \"Network Quarantine Control Settings Modified\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5238, \"Network Quarantine Rules Reordered\", \"Set\", \"\", \"Success\", \"Network Quarantine Rule\", \"Policy Rule\",\n 5241, \"Network Quarantine Rule Copied To Scope\", \"Set\", \"\", \"Success\", \"\", \"Policy Rule\",\n 6030, \"Mobile Device Updated\", \"Other\", \"\", \"Success\", \"Device\", \"Other\",\n 6053, \"Mobile Incident Resolved\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6054, \"Mobile Incident Status Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\",\n 6055, \"Mobile Incident Analyst Verdict Changed\", \"Set\", \"\", \"Success\", \"\", \"Other\"\n ];\n let EventTypeLookup_onoff = datatable(\n field: string,\n EventType_field: string,\n NewValue_field: string\n )\n [\n \"true\", \"Enable\", \"on\",\n \"false\", \"Disable\", \"off\"\n ];\n let EventTypeLookup_enableddisabled = datatable(\n field: string,\n EventType_fieldenableddisabled: string,\n NewValue_fieldenableddisabled: string\n )\n [\n \"true\", \"Enable\", \"enabled\",\n \"false\", \"Disable\", \"disabled\"\n ];\n let EventSeverityLookup = datatable (EventResult: string, EventSeverity_lookup: string)\n [\n \"Success\", \"Informational\",\n \"Failure\", \"Low\"\n ];\n let EventSeverityLookup_activity = datatable (activityType_d: real, EventSeverity_activity: string)\n [\n 
4100, \"Medium\",\n 4101, \"High\",\n 2016, \"Medium\",\n 2028, \"Low\",\n 4001, \"Medium\",\n 4002, \"Low\",\n 4007, \"Low\",\n 4008, \"Medium\",\n 4009, \"Medium\",\n 4011, \"High\",\n 2, \"Medium\",\n 2011, \"Low\",\n 2012, \"Low\",\n 2013, \"Medium\",\n 2014, \"Low\",\n 2015, \"Low\",\n 4002, \"Low\",\n 4104, \"High\",\n 4105, \"Medium\"\n ];\n let ThreatConfidenceLookup_undefined = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_undefined: int\n )\n [\n \"false_positive\", 5,\n \"undefined\", 15,\n \"suspicious\", 25,\n \"true_positive\", 33 \n ];\n let ThreatConfidenceLookup_suspicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_suspicious: int\n )\n [\n \"false_positive\", 40,\n \"undefined\", 50,\n \"suspicious\", 60,\n \"true_positive\", 67 \n ];\n let ThreatConfidenceLookup_malicious = datatable(\n threatInfo_analystVerdict_s: string,\n ThreatConfidence_malicious: int\n )\n [\n \"false_positive\", 75,\n \"undefined\", 80,\n \"suspicious\", 90,\n \"true_positive\", 100 \n ];\n let parser=(disabled: bool = false, starttime: datetime=datetime(null), endtime: datetime=datetime(null), eventresult: string='*', operation_has_any: dynamic=dynamic([]), eventtype_in: dynamic=dynamic([]), srcipaddr_has_any_prefix: dynamic=dynamic([]), actorusername_has_any: dynamic=dynamic([]), object_has_any: dynamic=dynamic([]), newvalue_has_any: dynamic=dynamic([])) {\n let AllActivityIdsForAudit = dynamic([39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111, 52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101, 130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203, 2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 
3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let RawOtherActivityIds = dynamic([2, 40, 58, 59, 60, 101, 106, 107, 108, 109, 112, 113, 129, 1501, 1502, 1503, 1504, 2011, 2012, 2013, 2014, 2015, 2016, 2028, 2029, 2030, 2036, 2037, 3001, 3002, 3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3020, 3021, 3100, 3101, 3102, 3103, 3500, 3501, 3502, 3506, 3507, 3521, 3525, 3526, 3527, 3530, 3531, 3600, 3601, 3602, 3603, 3604, 3626, 3628, 3641, 3650, 3651, 3652, 3653, 3654, 3750, 3751, 3752, 3753, 3754, 3755, 3756, 3767, 3768, 3769, 3770, 3771, 3772, 3773, 3774, 4001, 4002, 4006, 4007, 4008, 4009, 4011, 4012, 5242, 5243, 5244, 5250, 5251, 5252, 5253, 5254, 5255, 5256, 5257, 5258, 5259, 7500, 7501, 7602, 7603, 7604, 5120, 5121, 5122, 5123, 5124, 5129, 5220, 5221, 5222, 5225, 5226, 5231, 5234, 5235, 5236, 5237, 5238, 5241, 6030, 6053, 6054, 6055]);\n let activitydata = SentinelOne_CL\n | where not(disabled) and (isnull(starttime) or TimeGenerated >= starttime) and (isnull(endtime) or TimeGenerated <= endtime) \n and event_name_s == \"Activities.\" \n and activityType_d in (AllActivityIdsForAudit)\n and (array_length(actorusername_has_any) == 0 or primaryDescription_s has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or primaryDescription_s has_any (newvalue_has_any) or DataFields_s has_any (newvalue_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or 
has_any_ipv4_prefix(DataFields_s, srcipaddr_has_any_prefix))\n | project-away\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s;\n let rawgroupsiteactivitydata = activitydata\n | where activityType_d in (39, 41, 44, 45, 46, 56, 57, 68, 69, 70, 82, 83, 105, 116, 150, 151, 200, 201, 4004, 4005, 4104, 4105, 5012, 5020, 5021, 5022, 5024, 5025, 5026, 5027, 6000, 6001, 6002, 6010, 6011, 6012, 73, 76, 77, 78, 79, 84, 87, 2100, 2101, 2111)\n | parse-kv DataFields_s as (username: string, userName: string, userFullName: string, newValue: string, policyEnabled: string, siteName: string, oldValue: string, ipAddress: string, oldSiteName: string, policy: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | parse-kv policy as (id: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | project-rename ObjectId = id\n | lookup EventFieldsLookup on activityType_d;\n let groupsiteactivitydata_onoff = rawgroupsiteactivitydata\n | where activityType_d in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150)\n | lookup EventTypeLookup_onoff on $left.newValue == $right.field\n | lookup EventTypeLookup_onoff on $left.policyEnabled == $right.field\n | extend\n EventType = coalesce(EventType_field, EventType_field1),\n NewValue = coalesce(NewValue_field, NewValue_field1);\n let groupsiteactivitydata_enabledisabled = rawgroupsiteactivitydata\n | where activityType_d in (70, 82, 83, 201)\n | lookup EventTypeLookup_enableddisabled on $left.newValue == $right.field\n | extend\n EventType = EventType_fieldenableddisabled,\n NewValue = NewValue_fieldenableddisabled;\n let groupsiteactivitydata_other = rawgroupsiteactivitydata\n | where activityType_d !in(39, 41, 57, 105, 200, 73, 76, 78, 79, 84, 87, 150, 70, 82, 83, 201)\n | extend EventType = EventType_activity;\n let groupsiteactivitydata = 
union\n groupsiteactivitydata_onoff,\n groupsiteactivitydata_enabledisabled,\n groupsiteactivitydata_other\n | extend\n ActorUsername = coalesce(username, userName, userFullName),\n Object = coalesce(Object, siteName, oldSiteName),\n NewValue = coalesce(NewValue, newValue),\n OldValue = oldValue;\n let machineactivitydata = activitydata\n | where activityType_d in (52, 53, 54, 55, 61, 62, 63, 93, 95, 117, 118, 4100, 4101)\n | parse-kv DataFields_s as (username: string, userName: string, computerName: string, threatClassification: string, ipAddress: string, groupName: string, targetGroupName: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupMachineActivity on activityType_d\n | extend\n EventType = EventType_machineactivity,\n EventSubType = EventSubType_machineactivity,\n ThreatCategory = threatClassification,\n OldValue = groupName,\n NewValue = targetGroupName,\n ObjectId = agentId_s\n | extend ActorUsername = coalesce(username, userName)\n | invoke _ASIM_ResolveDvcFQDN('computerName');\n let accountactivitydata = activitydata\n | where activityType_d in (130, 131, 5040, 5041, 5042, 5044, 7200, 7201, 7202, 7203)\n | parse-kv DataFields_s as (username: string, accountName: string, cloudProviderAccountName: string, ipAddress: string, accountId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookupAccountActivity on activityType_d\n | extend\n EventType = EventType_accountactivity,\n EventSubType = EventSubType_accountactivity,\n Object = coalesce(accountName, cloudProviderAccountName),\n ObjectId = accountId;\n let useractivitydata = activitydata\n | where activityType_d in (88, 114)\n | parse-kv DataFields_s as (username: string, byUser: string, newValue: string, ipAddress: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_useractivity on activityType_d\n | lookup EventTypeLookup_enableddisabled on $left.newValue == 
$right.field\n | extend\n ActorUsername = byUser,\n EventType = coalesce(EventType_useractivity, EventType_fieldenableddisabled),\n EventSubType = EventSubType_useractivity,\n NewValue = NewValue_fieldenableddisabled;\n let rawotheractivitydata = activitydata\n | where activityType_d in (RawOtherActivityIds)\n | parse-kv DataFields_s as (username: string, userName: string, email: string, globalTwoFaEnabled: string, cloudIntelligenceOn: string, fileDisplayName: string, roleName: string, oldIncidentStatusTitle: string, oldTicketId: string, oldAnalystVerdictTitle: string, oldConfidenceLevel: string, previous: string, oldStatus: string, oldTagName: string, oldTagDescription: string, newIncidentStatusTitle: string, newTicketId: string, newAnalystVerdictTitle: string, newConfidenceLevel: string, newStatus: string, current: string, Status: string, newTagName: string, newTagDescription: string, value: string, rulesAdded: string, rulesRemoved: string, tagsAdded: string, tagsRemoved: string, incidentName: string, ruleName: string, deviceId: string, ip: string, externalIp: string, affectedDevices: string, featureValue: string, featureName: string, recoveryEmail: string, policyName: string, tagName: string, gatewayExternalIp: string, gatewayMac: string, threatClassification: string, ipAddress: string, applicationPath: string, externalId: string, consoleUrl: string, ruleId: string, policyId: string) with (pair_delimiter=\",\", kv_delimiter=\":\", quote='\"')\n | lookup EventFieldsLookup_otheractivity on activityType_d\n | lookup EventTypeLookup_onoff on $left.cloudIntelligenceOn == $right.field\n | lookup EventTypeLookup_onoff on $left.globalTwoFaEnabled == $right.field\n | extend\n ActorUsername = coalesce(username, userName),\n EventType = coalesce(EventType_otheractivity, EventType_field, EventType_field1),\n EventSubType = EventSubType_otheractivity,\n Object = coalesce(Object, fileDisplayName, applicationPath, roleName, ruleName, incidentName, recoveryEmail, featureName, 
policyName, tagName),\n NewValue = coalesce(newIncidentStatusTitle, newTicketId, newAnalystVerdictTitle, newConfidenceLevel, newStatus, current, Status, newTagName, newTagDescription, featureValue),\n OldValue = coalesce(oldIncidentStatusTitle, oldTicketId, oldAnalystVerdictTitle, oldConfidenceLevel, oldStatus, previous, oldTagName, oldTagDescription),\n TargetIpAddr = coalesce(externalIp, ip, gatewayExternalIp),\n ThreatCategory = threatClassification,\n RuleName = ruleName,\n TargetDvcId = deviceId,\n ObjectId = coalesce(ruleId, policyId, externalId, deviceId)\n | invoke _ASIM_ResolveDstFQDN('affectedDevices')\n | project-rename\n TargetHostname = DstHostname,\n TargetDomain = DstDomain,\n TargetDomainType = DstDomainType,\n TargetFQDN = DstFQDN,\n TargetUrl = consoleUrl;\n let parsedotheractivitydata_eventtype = rawotheractivitydata\n | where activityType_d in (5256, 5258)\n | extend EventType = case(\n isnotempty(rulesAdded) or isnotempty(tagsAdded),\n \"Create\",\n isnotempty(rulesRemoved) or isnotempty(tagsRemoved),\n \"Delete\",\n \"Set\"\n );\n let parsedotheractivitydata_objectvalue = rawotheractivitydata\n | where activityType_d in (3008, 3009, 3010, 3011, 3012, 3013, 3014, 3015, 3016, 3017, 3018, 3019, 3650, 3651, 3652, 3653, 3654)\n | extend Object = strcat(Object, ' ', value);\n let parsedotheractivitydata_severity = rawotheractivitydata\n | where activityType_d in (2036, 2037, 2030)\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix))\n | extend EventSeverity_specific = case(\n primaryDescription_s has_any (\"to 
malicious\", \"to True positive\"),\n \"High\", \n primaryDescription_s has_any (\"to suspicious\", \"to Undefined\"),\n \"Medium\",\n primaryDescription_s has \"to False positive\",\n \"Low\",\n \"Informational\"\n );\n let ParsedActivitydata = union\n groupsiteactivitydata,\n machineactivitydata,\n accountactivitydata,\n useractivitydata,\n rawotheractivitydata,\n parsedotheractivitydata_eventtype,\n parsedotheractivitydata_objectvalue\n | where activityType_d !in(2030, 2036, 2037)\n | lookup EventSeverityLookup on EventResult\n | lookup EventSeverityLookup_activity on activityType_d\n | where (eventresult == \"*\" or EventResult =~ eventresult)\n and (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(ipAddress, srcipaddr_has_any_prefix));\n let UnParsedActivitydatawithThreat = union ParsedActivitydata, parsedotheractivitydata_severity\n | where isnotempty(threatId_s)\n | join kind=inner (SentinelOne_CL\n | where event_name_s == \"Threats.\"\n | project\n TimeGenerated,\n threatInfo_confidenceLevel_s,\n threatInfo_analystVerdict_s,\n threatInfo_threatName_s,\n threatInfo_incidentStatus_s,\n threatInfo_identifiedAt_t,\n threatInfo_updatedAt_t,\n threatInfo_threatId_s,\n mitigationStatus_s)\n on $left.threatId_s == $right.threatInfo_threatId_s\n | where TimeGenerated1 >= TimeGenerated\n | summarize arg_min(TimeGenerated1, *) by activityType_d, threatId_s, createdAt_t, TimeGenerated;\n let undefineddata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"Undefined\"\n | lookup ThreatConfidenceLookup_undefined on threatInfo_analystVerdict_s;\n let suspiciousdata = UnParsedActivitydatawithThreat\n | where 
threatInfo_confidenceLevel_s == \"suspicious\"\n | lookup ThreatConfidenceLookup_suspicious on threatInfo_analystVerdict_s;\n let maliciousdata = UnParsedActivitydatawithThreat\n | where threatInfo_confidenceLevel_s == \"malicious\"\n | lookup ThreatConfidenceLookup_malicious on threatInfo_analystVerdict_s;\n let ParsedActivitydatawithThreat = union undefineddata, suspiciousdata, maliciousdata\n | extend\n ThreatConfidence = coalesce(ThreatConfidence_undefined, ThreatConfidence_suspicious, ThreatConfidence_malicious),\n AdditionalFields = bag_pack(\n \"threatUpdatedAt\",\n threatInfo_updatedAt_t,\n \"threatAnalystVerdict\",\n threatInfo_analystVerdict_s,\n \"threatIncidentStatus\",\n threatInfo_incidentStatus_s,\n \"mitigationStatus\",\n mitigationStatus_s\n )\n | project-rename\n ThreatId = threatId_s,\n ThreatName = threatInfo_threatName_s,\n ThreatFirstReportedTime = threatInfo_identifiedAt_t,\n ThreatCategory_threats = threatInfo_classification_s,\n ThreatOriginalConfidence = threatInfo_confidenceLevel_s;\n let ParsedActivitydatawithoutThreat = ParsedActivitydata\n | where isempty(threatId_s);\n union ParsedActivitydatawithThreat, ParsedActivitydatawithoutThreat\n | extend \n EventSeverity = coalesce(EventSeverity_specific, EventSeverity_activity, EventSeverity_lookup),\n EventProduct = \"SentinelOne\",\n EventVendor = \"SentinelOne\",\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1\",\n EventCount = toint(1),\n AdditionalFields = bag_merge(AdditionalFields, todynamic(DataFields_s)),\n EventOriginalType = tostring(toint(activityType_d)),\n SrcIpAddr = iff(ipAddress != \"null\", ipAddress, \"\"),\n DvcAction = iff(EventResult == \"Success\", \"Allow\", \"Deny\")\n | project-rename\n EventStartTime = createdAt_t,\n EventUid = _ItemId,\n EventMessage = primaryDescription_s,\n ActorUserId = userId_s,\n DvcId = agentId_s,\n EventOriginalUid = activityUuid_g\n | extend\n ActorUsernameType = _ASIM_GetUsernameType(ActorUsername),\n ActorUserType = 
_ASIM_GetUserType(ActorUsername, ActorUserId),\n ActorUserIdType = iff(isnotempty(ActorUserId), \"Other\", \"\"),\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetDvcIdType = iff(isnotempty(TargetDvcId), \"Other\", \"\"),\n ValueType = iff(isnotempty(NewValue), \"Other\", \"\")\n | extend\n EventEndTime = EventStartTime,\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n Dvc = coalesce(DvcHostname, DvcId, EventProduct),\n Dst = coalesce(TargetHostname, TargetIpAddr),\n Src = SrcIpAddr,\n Rule = RuleName,\n Value = NewValue\n | project-away\n *_d,\n *_s,\n *_t,\n *_g,\n *_b,\n Computer,\n MG,\n ManagementGroupName,\n RawData,\n SourceSystem,\n TenantId,\n username,\n userName,\n userFullName,\n newValue,\n policyEnabled,\n siteName,\n oldValue,\n computerName,\n accountName,\n cloudProviderAccountName,\n email,\n globalTwoFaEnabled,\n cloudIntelligenceOn,\n fileDisplayName,\n roleName,\n oldIncidentStatusTitle,\n oldTicketId,\n oldAnalystVerdictTitle,\n oldConfidenceLevel,\n previous,\n oldStatus,\n oldTagName,\n oldTagDescription,\n newIncidentStatusTitle,\n newTicketId,\n newAnalystVerdictTitle,\n newConfidenceLevel,\n newStatus,\n current,\n Status,\n newTagName,\n newTagDescription,\n value,\n rulesAdded,\n rulesRemoved,\n tagsAdded,\n tagsRemoved,\n incidentName,\n ruleName,\n deviceId,\n ip,\n externalIp,\n affectedDevices,\n featureValue,\n featureName,\n recoveryEmail,\n policyName,\n policy,\n tagName,\n gatewayExternalIp,\n gatewayMac,\n threatClassification,\n applicationPath,\n externalId,\n groupName,\n oldSiteName,\n targetGroupName,\n ipAddress,\n EventType_*,\n EventSubType_*,\n EventSeverity_*,\n NewValue_*,\n _ResourceId,\n TimeGenerated1,\n ThreatCategory_*,\n ThreatConfidence_*,\n accountId,\n policyId,\n ruleId,\n byUser\n };\n parser(disabled=disabled, starttime=starttime, endtime=endtime, eventresult=eventresult, operation_has_any=operation_has_any, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
actorusername_has_any=actorusername_has_any, object_has_any=object_has_any, newvalue_has_any=newvalue_has_any)", + "version": 1, + "functionParameters": "disabled:bool=False,starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',actorusername_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([])" + } + } + ] + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json index 8ae4c18f935..941440de568 100644 --- a/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json +++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventVectraXDRAudit/vimAuditEventVectraXDRAudit.json 
@@ -35,7 +35,7 @@ "displayName": "Audit Event ASIM filtering parser for Vectra XDR Audit Logs Event", "category": "ASIM", "FunctionAlias": "vimAuditEventVectraXDRAudit", - "query": "let parser = (disabled:bool = false, eventresult:string='*', starttime:datetime=datetime(null), endtime:datetime=datetime(null), actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any (actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any))\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'Vectra XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = 'Other',\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | where ('*' in (eventresult) or EventResult in (eventresult))\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, 
SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, eventresult=eventresult, starttime=starttime, endtime=endtime, actorusername_has_any=actorusername_has_any,operation_has_any=operation_has_any,object_has_any=object_has_any)", + "query": "let parser = (disabled:bool = false, eventresult:string='*', starttime:datetime=datetime(null), endtime:datetime=datetime(null), actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([]))\n{\n Audits_Data_CL\n | where not(disabled) and event_action_s !in (\"login\",\"logout\")\n | where (isnull(starttime) or event_timestamp_t >= starttime) and (isnull(endtime) or event_timestamp_t <= endtime) and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any)) or (array_length(actorusername_has_any) == 0 or username_s has_any (actorusername_has_any)) and (array_length(operation_has_any) == 0 or event_action_s has_any (operation_has_any)) and (array_length(object_has_any) == 0 or event_object_s has_any (object_has_any))\n | extend\n EventEndTime = event_timestamp_t,\n EventProduct = 'XDR',\n EventSchema = \"AuditEvent\",\n EventSchemaVersion = \"0.1.0\",\n EventStartTime = event_timestamp_t,\n EventType = 'Other',\n EventVendor = 'Vectra',\n Type = \"Audit Log\",\n EventUid = tostring(toint(id_d)),\n ActorUserId = tostring(toint(user_id_d)),\n ActorUserIdType = \"UID\",\n ActorUsernameType = \"UPN\",\n EventResult = case(result_status_s==\"success\", \"Success\", result_status_s==\"failure\", \"Failure\",\"NA\")\n | project-rename\n Dvc = source_ip_s,\n Operation = event_action_s,\n ActorUsername = username_s,\n Object = event_object_s,\n ActorOriginalUserType = user_type_s,\n EventMessage = Message,\n EventProductVersion = version_s\n | where ('*' in (eventresult) or EventResult in (eventresult))\n | extend User = ActorUsername\n | project-away\n id_d, user_id_d, user_role_s, 
result_status_s,event_timestamp_t, event_data_s, api_client_id_g, TenantId, _ResourceId, RawData, SourceSystem, Computer, MG, ManagementGroupName\n};\nparser (disabled=disabled, eventresult=eventresult, starttime=starttime, endtime=endtime, actorusername_has_any=actorusername_has_any,operation_has_any=operation_has_any,object_has_any=object_has_any)", "version": 1, "functionParameters": "disabled:bool=False,eventresult:string='*',starttime:datetime=datetime(null),endtime:datetime=datetime(null),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),object_has_any:dynamic=dynamic([])" } From 8398474e334633c00fa5acec3283f1a8e16d7c62 Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 24 Nov 2023 15:34:52 +0530 Subject: [PATCH 6/8] changing Audit EventProduct --- .../Parsers/ASimAuditEventMicrosoftWindowsEvents.yaml | 2 +- .../Parsers/vimAuditEventMicrosoftWindowsEvents.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventMicrosoftWindowsEvents.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventMicrosoftWindowsEvents.yaml index 4c4451ed175..345dd86fe60 100644 --- a/Parsers/ASimAuditEvent/Parsers/ASimAuditEventMicrosoftWindowsEvents.yaml +++ b/Parsers/ASimAuditEvent/Parsers/ASimAuditEventMicrosoftWindowsEvents.yaml @@ -185,7 +185,7 @@ ParserQuery: | EventCount = int(1), EventStartTime = TimeGenerated, EventEndTime= TimeGenerated, - EventProduct = 'Windows', + EventProduct = 'Security Events', EventVendor = 'Microsoft', EventSchemaVersion = '0.1.0', EventSchema = 'AuditEvent', diff --git a/Parsers/ASimAuditEvent/Parsers/vimAuditEventMicrosoftWindowsEvents.yaml b/Parsers/ASimAuditEvent/Parsers/vimAuditEventMicrosoftWindowsEvents.yaml index 3155baf8633..8d4851a92b9 100644 --- a/Parsers/ASimAuditEvent/Parsers/vimAuditEventMicrosoftWindowsEvents.yaml +++ b/Parsers/ASimAuditEvent/Parsers/vimAuditEventMicrosoftWindowsEvents.yaml 
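Review bot: The filter line on the new side still joins the two actorusername alternatives with a bare `or`, so the predicate parses as `(time range and user_id match) or (username match and operation and object)`; with `actorusername_has_any` at its default the right-hand branch is true on its own, and `starttime`/`endtime` are silently ignored by this filtering parser. Fold both actor checks into one parenthesized clause: `and (array_length(actorusername_has_any) == 0 or tostring(toint(user_id_d)) has_any (actorusername_has_any) or username_s has_any (actorusername_has_any)) and (array_length(operation_has_any) == 0 or ...`. That line is unchanged by this commit, but it sits in the same query string as the edited `EventProduct` value, and since this ARM file is presumably generated from the YAML parser the fix belongs in the YAML source. Separately, `EventProduct = 'XDR'` drops the vendor from the product name while the Authentication enumeration in ASimTester.csv still lists the same product as `Vectra XDR`; one spelling should be used for both schemas.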
@@ -261,7 +261,7 @@ ParserQuery: | EventCount = int(1), EventStartTime = TimeGenerated, EventEndTime= TimeGenerated, - EventProduct = 'Windows', + EventProduct = 'Security Events', EventVendor = 'Microsoft', EventSchemaVersion = '0.1.0', EventSchema = 'AuditEvent', From 51c2635250506a2214783476e5b6f0e82702eafe Mon Sep 17 00:00:00 2001 From: vakohl <97222872+vakohl@users.noreply.github.com> Date: Fri, 24 Nov 2023 15:37:36 +0530 Subject: [PATCH 7/8] updating tester with Audit value --- ASIM/dev/ASimTester/ASimTester.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv index 4ff1b9b2fc0..09816b9d528 100644 --- a/ASIM/dev/ASimTester/ASimTester.csv +++ b/ASIM/dev/ASimTester/ASimTester.csv @@ -534,7 +534,7 @@ EventOwner,string,Optional,ProcessEvent,,, EventOwner,string,Optional,RegistryEvent,,, EventOwner,string,Optional,UserManagement,,, EventOwner,string,Optional,WebSession,,, -EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Windows|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki, +EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki, EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF, EventProduct,string,Mandatory,Common,,, EventProduct,string,Mandatory,Dhcp,,, From c74e214c6aecfc07348daa322d8c13cacdcdaecd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <> Date: Fri, 24 Nov 2023 10:10:20 +0000 Subject: [PATCH 8/8] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuditEventMicrosoftWindowsEvents.json | 2 +- .../vimAuditEventMicrosoftWindowsEvents.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
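Review bot: The added AuditEvent enumeration keeps `XDR` while the Authentication row directly below names the same product `Vectra XDR`, so the tester will accept different EventProduct values for one source depending on the schema. Pick a single spelling and use it on both rows, e.g. `EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|Vectra XDR|Meraki,`, and keep the Vectra parser's `EventProduct` literal in step with it. The `Windows` → `Security Events` change itself matches the Authentication row, so that part is consistent.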
diff --git a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json index ddb5229ec61..7c4bb5ffa17 100644 --- a/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json +++ b/Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json 
@@ -35,7 +35,7 @@ "displayName": "Audit Event ASIM parser for Microsoft Windows Events audit events", "category": "ASIM", "FunctionAlias": "ASimAuditEventMicrosoftWindowsEvents", - "query": "let parser = (disabled:bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([1102,4698,4699,4700,4701,4702,4929,5025,5027,5028,5029,5030,5034,5035,5037,7035,7036,7040,7045,2009,5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698,4699,4700,4701,4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025,5027,5028,5029,5030,5034,5035,5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035,7036,7040,7045,2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]); \n // EventID Lookup\n let EventIDLookup = datatable(EventID:int, Operation:string, EventType:string, Object:string, ObjectType:string, EventResult:string)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall 
Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union (\n union (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n ),\n (\n // Event\n Event\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n )\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string,\n TaskName:string,\n TaskContent:string,\n TaskContentNew:string,\n ClientProcessId:string,\n DestinationDRA:string,\n SourceDRA:string,\n SourceAddr:string,\n ObjectDN:string,\n AttributeValue:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n ),\n // WindowsEvents\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, 
TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID 
in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Windows',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\",\"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n};\nparser (disabled=disabled)", + "query": "let parser = (disabled:bool = false) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([1102,4698,4699,4700,4701,4702,4929,5025,5027,5028,5029,5030,5034,5035,5037,7035,7036,7040,7045,2009,5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698,4699,4700,4701,4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025,5027,5028,5029,5030,5034,5035,5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035,7036,7040,7045,2009]); \n // Directory Service Object Ids\n let DirectoryServiceIds = 
dynamic([5136]); \n // EventID Lookup\n let EventIDLookup = datatable(EventID:int, Operation:string, EventType:string, Object:string, ObjectType:string, EventResult:string)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", 
\"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let ParsedEvents =\n union (\n union (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n ),\n (\n // Event\n Event\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n )\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string,\n TaskName:string,\n TaskContent:string,\n TaskContentNew:string,\n ClientProcessId:string,\n DestinationDRA:string,\n SourceDRA:string,\n SourceAddr:string,\n ObjectDN:string,\n AttributeValue:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | project-away EventData\n ),\n // WindowsEvents\n (\n WindowsEvent\n | where not(disabled)\n | where EventID in(ParsedEventIds)\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n | project-away Task*, *DRA, 
SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n | extend \n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, 
strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\",\"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n};\nparser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
index a77bb09f6f4..fa885577711 100644
--- a/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
+++ b/Parsers/ASimAuditEvent/ARM/vimAuditEventMicrosoftWindowsEvents/vimAuditEventMicrosoftWindowsEvents.json
@@ -35,7 +35,7 @@
 "displayName": "Audit Event ASIM filtering parser for Microsoft Windows Events audit events",
 "category": "ASIM",
 "FunctionAlias": "vimAuditEventMicrosoftWindowsEvents",
- "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventtype_in:dynamic=dynamic([]),\n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([1102,4698,4699,4700,4701,4702,4929,5025,5027,5028,5029,5030,5034,5035,5037,7035,7036,7040,7045,2009,5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698,4699,4700,4701,4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025,5027,5028,5029,5030,5034,5035,5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035,7036,7040,7045,2009]); \n // EventID Lookup\n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n let EventIDLookup = datatable(EventID:int, Operation:string, EventType:string, Object:string, ObjectType:string, EventResult:string)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", \"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active 
Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (strlen(eventresult) == 0 or EventResult =~ eventresult)\n | summarize make_set(EventID)\n );\n let FilteredParsedEventIds = iif(array_length(FilteredEventIds) >0, FilteredEventIds, ParsedEventIds);\n let ParsedEvents =\n union (\n union (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and 
(isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) \n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n ),\n (\n // Event\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n )\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string,\n TaskName:string,\n TaskContent:string,\n TaskContentNew:string,\n ClientProcessId:string,\n DestinationDRA:string,\n SourceDRA:string,\n SourceAddr:string,\n ObjectDN:string,\n AttributeValue:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n // WindowsEvents\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) \n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, 
TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any) \n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or 
NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Windows',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\",\"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = 
DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )",
+ "query": "let parser = (\n starttime:datetime=datetime(null), \n endtime:datetime=datetime(null),\n srcipaddr_has_any_prefix:dynamic=dynamic([]), \n eventtype_in:dynamic=dynamic([]),\n eventresult:string='*',\n actorusername_has_any:dynamic=dynamic([]),\n operation_has_any:dynamic=dynamic([]),\n object_has_any:dynamic=dynamic([]),\n newvalue_has_any:dynamic=dynamic([]),\n disabled:bool = false\n ) {\n // Parsed Events Ids\n let ParsedEventIds = dynamic([1102,4698,4699,4700,4701,4702,4929,5025,5027,5028,5029,5030,5034,5035,5037,7035,7036,7040,7045,2009,5136]);\n // Eventlog Event Ids\n let EventlogEventIds = dynamic([1102]);\n // Scheduled Task Event Ids\n let ScheduledTaskEventIds = dynamic([4698,4699,4700,4701,4702]);\n // Active Directory Replica Source Naming Context Event Ids\n let ActiveDirectoryReplicaIds = dynamic([4929]);\n // Firewall Event Ids\n let FirewallEventIds = dynamic([5025,5027,5028,5029,5030,5034,5035,5037]);\n // Service Event Ids\n let ServiceEventIds = dynamic([7035,7036,7040,7045,2009]); \n // EventID Lookup\n // Directory Service Object Ids\n let DirectoryServiceIds = dynamic([5136]);\n let EventIDLookup = datatable(EventID:int, Operation:string, EventType:string, Object:string, ObjectType:string, EventResult:string)\n [ \n 1102, \"Delete Logs\", \"Delete\", \"Security Logs\", \"Event Log\", \"Success\",\n 4698, \"Create Scheduled Task\", \"Create\", \"\", \"Scheduled Task\", \"Success\",\n 4699, \"Delete Scheduled Task\", \"Delete\", \"\", \"Scheduled Task\", \"Success\",\n 4700, \"Enable Scheduled Task\", \"Enable\", \"\", 
\"Scheduled Task\", \"Success\",\n 4701, \"Disable Scheduled Task \", \"Disable\", \"\", \"Scheduled Task\", \"Success\",\n 4702, \"Update Scheduled Task\", \"Set\", \"\", \"Scheduled Task\", \"Success\",\n 4929, \"Remove Active Directory Replica Source Naming Context\", \"Delete\", \"\", \"Other\", \"Success\",\n 5025, \"Stop Firewall Service\", \"Disable\", \"Firewall Service\", \"Service\", \"Success\",\n 5027, \"Retrieve the Security Policy From The Local Storage\", \"Read\", \"Firewall Service\", \"Service\", \"Failure\",\n 5028, \"Parse the new Security Policy\", \"Set\", \"Firewall Service\", \"Service\", \"Failure\",\n 5029, \"Initialize the Firewall Driver\", \"Initialize\", \"Firewall Service\", \"Service\", \"Failure\",\n 5030, \"Start the Firewall Service\", \"Start\", \"Firewall Service\", \"Service\", \"Failure\",\n 5034, \"Stop Firewall Driver\", \"Stop\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5035, \"Start Firewall Driver\", \"Start\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 5037, \"Terminating Firewall Driver\", \"Terminate\", \"Firewall Driver\", \"Driver\", \"Failure\",\n 7035, \"Start Control Sent\", \"Execute\", \"Service\", \"Service\", \"Success\",\n 7036, \"Enter Stop State\", \"Stop\", \"Service\", \"Service\", \"Success\",\n 7040, \"Changed Service Settings\", \"Set\", \"Service\", \"Service\", \"Success\",\n 7045, \"Install Service\", \"Install\", \"Service\", \"Service\", \"Success\",\n 2009, \"Load Group Policy\", \"Other\", \"Service\", \"Service\", \"Failure\",\n 5136, \"Modified Directory Services Object\", \"Set\", \"\", \"Directory Service Object\", \"Success\"\n ];\n let FilteredEventIds = toscalar(EventIDLookup \n | where (array_length(eventtype_in) == 0 or EventType in (eventtype_in))\n and (array_length(operation_has_any) == 0 or Operation has_any (operation_has_any))\n and (strlen(eventresult) == 0 or EventResult =~ eventresult)\n | summarize make_set(EventID)\n );\n let FilteredParsedEventIds = 
iif(array_length(FilteredEventIds) >0, FilteredEventIds, ParsedEventIds);\n let ParsedEvents =\n union (\n union (\n // SecurityEvents\n SecurityEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any)) \n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n ),\n (\n // Event\n Event\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where (array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any))\n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n )\n | parse-kv EventData as \n (\n SubjectUserSid:string,\n SubjectUserName:string,\n SubjectDomainName:string,\n SubjectLogonId:string,\n TaskName:string,\n TaskContent:string,\n TaskContentNew:string,\n ClientProcessId:string,\n DestinationDRA:string,\n SourceDRA:string,\n SourceAddr:string,\n ObjectDN:string,\n AttributeValue:string\n ) \n with (regex=@'{?([^<]*?)}?')\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectDomainName has_any (actorusername_has_any)\n | project-away EventData\n ),\n // WindowsEvents\n (\n WindowsEvent\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and EventID in(FilteredParsedEventIds)\n | where 
(array_length(srcipaddr_has_any_prefix) == 0)\n and (array_length(actorusername_has_any) == 0 or EventData has_any (actorusername_has_any)) \n and (array_length(newvalue_has_any) == 0 or EventData has_any (newvalue_has_any))\n | project EventID, EventData, _ResourceId, TimeGenerated, Computer, Type, _ItemId\n | extend\n SubjectUserSid = tostring(EventData.SubjectUserSid),\n SubjectUserName = tostring(EventData.SubjectUserName),\n SubjectDomainName = tostring(EventData.SubjectDomainName),\n SubjectLogonId = tostring(EventData.SubjectLogonId),\n TaskName = tostring(EventData.TaskName),\n TaskContent = tostring(EventData.TaskContent),\n TaskContentNew = tostring(EventData.TaskContentNew),\n ClientProcessId = tostring(EventData.ClientProcessId),\n DestinationDRA = tostring(EventData.DestinationDRA),\n SourceDRA = tostring(EventData.SourceDRA),\n SourceAddr = tostring(EventData.SourceAddr),\n ObjectDN = tostring(EventData.ObjectDN),\n AttributeValue = tostring(EventData.AttributeValue)\n | where \n array_length(actorusername_has_any) == 0 \n or SubjectUserName has_any (actorusername_has_any) \n or SubjectUserName has_any (actorusername_has_any) \n | project-away EventData\n )\n | lookup EventIDLookup on EventID\n ;\n // Parse EventLog\n let EventLog = ParsedEvents\n | where EventID in(EventlogEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue;\n // Parse Scheduled Task\n let ScheduledTask = ParsedEvents\n | where EventID in(ScheduledTaskEventIds)\n | where (array_length(object_has_any) == 0 or TaskName has_any (object_has_any))\n | extend \n Object = TaskName,\n NewValue = coalesce(\n TaskContent,\n TaskContentNew\n )\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ADR\n let ActiveDirectoryReplica = ParsedEvents\n | 
where EventID in(ActiveDirectoryReplicaIds)\n | where (array_length(object_has_any) == 0 or DestinationDRA has_any (object_has_any))\n | extend \n NewValue = SourceDRA,\n OldValue = DestinationDRA,\n SrcFQDN = SourceAddr\n | where (array_length(newvalue_has_any) == 0 or NewValue has_any (newvalue_has_any))\n | extend \n Value = NewValue,\n Object = OldValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse WindowsFirewall\n let WindowsFirewall = ParsedEvents\n | where EventID in(FirewallEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse ServiceEvent\n let ServiceEvent = ParsedEvents\n | where EventID in(ServiceEventIds)\n and (array_length(object_has_any) == 0 or Object has_any (object_has_any))\n | project-away Task*, *DRA, SourceAddr, ObjectDN, AttributeValue\n ;\n // Parse DirectoryService\n let DirectoryService = ParsedEvents\n | where EventID in(DirectoryServiceIds)\n and (array_length(object_has_any) == 0 or ObjectDN has_any (object_has_any))\n | extend\n Object = ObjectDN\n | project-rename \n NewValue = AttributeValue\n | extend\n Value = NewValue\n | project-away Task*, *DRA, SourceAddr, ObjectDN\n ;\n // Union Events\n union EventLog, ScheduledTask, ActiveDirectoryReplica, WindowsFirewall, ServiceEvent, DirectoryService\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | project-rename \n ActorUserId = SubjectUserSid,\n ActorSessionId = SubjectLogonId,\n DvcId = _ResourceId,\n ActingAppId = ClientProcessId,\n EventUid = _ItemId\n | extend\n EventCount = int(1),\n EventStartTime = TimeGenerated, \n EventEndTime= TimeGenerated,\n EventProduct = 'Security Events',\n EventVendor = 'Microsoft',\n EventSchemaVersion = '0.1.0',\n EventSchema = 'AuditEvent',\n EventOriginalType = tostring(EventID),\n DvcIdType = iff (DvcId == \"\", \"\", \"AzureResourceID\"),\n ActorUsername = iff (SubjectDomainName == \"\", 
SubjectUserName, strcat (SubjectDomainName, '\\\\', SubjectUserName)),\n ActorUsernameType = iff (SubjectDomainName == \"\", 'Simple', 'Windows'),\n ActorUserIdType = iff (ActorUserId == \"\",\"\", \"SID\"),\n ActingAppType = \"Process\"\n | extend\n User = ActorUsername,\n Dvc = DvcFQDN\n | project-away Subject*, EventID, Computer\n };\n parser (\n starttime = starttime,\n endtime = endtime,\n srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,\n actorusername_has_any = actorusername_has_any,\n eventtype_in = eventtype_in,\n eventresult = eventresult,\n operation_has_any = operation_has_any,\n object_has_any=object_has_any,\n newvalue_has_any=newvalue_has_any,\n disabled=disabled\n )",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),disabled:bool=False"
 }
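Review bot: In the WindowsEvent branch of the new query the post-parse actor filter repeats `or SubjectUserName has_any (actorusername_has_any)` on two consecutive lines, whereas the SecurityEvent/Event branch tests `SubjectUserName` and then `SubjectDomainName`, so an actorusername_has_any value that only matches the domain part is kept for SecurityEvent rows and dropped for WindowsEvent rows; the second clause should read `or SubjectDomainName has_any (actorusername_has_any)`. Separately, the default `eventresult:string='*'` never satisfies `EventResult =~ eventresult`, so with default parameters FilteredEventIds is empty and every call relies on the `iif(array_length(FilteredEventIds) >0, FilteredEventIds, ParsedEventIds)` fallback, and that same fallback turns an `eventtype_in` or `operation_has_any` value matching no lookup row into "return all parsed events" instead of an empty result, which a detection or hunting query built on this filtering parser will not expect. Handling the wildcard explicitly, `and (eventresult == '*' or EventResult =~ eventresult)`, and filtering on FilteredEventIds without the fallback would restore the expected narrowing semantics. Neither issue is introduced by this commit, whose `-`/`+` pair differs only in the EventProduct value, but both sit on the replaced line.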