
ASIM Parser Updates in Tester.csv #9159

Merged
merged 12 commits into from
Nov 24, 2023
36 changes: 24 additions & 12 deletions ASIM/dev/ASimTester/ASimTester.csv
Expand Up @@ -534,17 +534,17 @@ EventOwner,string,Optional,ProcessEvent,,,
EventOwner,string,Optional,RegistryEvent,,,
EventOwner,string,Optional,UserManagement,,,
EventOwner,string,Optional,WebSession,,,
EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|Windows|Exchange 365|Dataminr Pulse|Vectra Cloud,
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|Azure Defender for IoT|M365 Defender for Endpoint|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra Cloud|SentinelOne,
EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki,
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF,
EventProduct,string,Mandatory,Common,,,
EventProduct,string,Mandatory,Dhcp,,,
EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne,
EventProduct,string,Mandatory,FileEvent,Enumerated,Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne,
EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki MX|Zeek|Firewall|ASA|Cynerio|SentinelOne,
EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events,
EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF,
EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne,
EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne,
EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF,
EventProduct,string,Mandatory,UserManagement,Enumerated,Security Events|Authpriv|ISE|SentinelOne,
EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki MX|Web Security Gateway|Zeek|Dataminr Pulse,
EventProductVersion,string,Optional,AuditEvent,,,
EventProductVersion,string,Optional,Authentication,,,
EventProductVersion,string,Optional,Common,,,
Expand Down Expand Up @@ -662,19 +662,18 @@ EventUid,string,Recommended,ProcessEvent,,,
EventUid,string,Recommended,RegistryEvent,,,
EventUid,string,Recommended,UserManagement,,,
EventUid,string,Recommended,WebSession,,,
EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Dataminr|Vectra,
EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne,
EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra,
EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne,
EventVendor,string,Mandatory,Common,,,
EventVendor,string,Mandatory,Dhcp,,,
EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne,
EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,
EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI,
EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio,
EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft,
EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne,
EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne,
EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
EventVendor,string,Mandatory,UserManagement,Enumerated,Microsoft|Linux|Cisco|SentinelOne,
EventVendor,string,Mandatory,WebSession,Enumerated,Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr,
EventVendor,string,Mandatory,RegistryEvent,Enumerated,SentinelOne,
FileContentType,string,Optional,WebSession,Enumerated,,
FileMD5,string,Optional,WebSession,MD5,,
Expand Down Expand Up @@ -824,6 +823,7 @@ RuleName,string,Optional,Authentication,,,
RuleName,string,Optional,Dns,,,
RuleName,string,Optional,FileEvent,,,
RuleName,string,Optional,WebSession,,,
RuleName,string,Optional,ProcessEvent,,,
RuleName,string,Optional,RegistryEvent,,,
RuleName,string,Optional,UserManagement,,,
RuleName,string,Optional,Dhcp,,,
Expand All @@ -832,6 +832,7 @@ RuleNumber,int,Optional,Authentication,,,
RuleNumber,int,Optional,Dns,,,
RuleNumber,int,Optional,FileEvent,,,
RuleNumber,int,Optional,WebSession,,,
RuleNumber,int,Optional,ProcessEvent,,,
RuleNumber,int,Optional,RegistryEvent,,,
RuleNumber,int,Optional,UserManagement,,,
RuleNumber,int,Optional,Dhcp,,,
Expand Down Expand Up @@ -1183,6 +1184,7 @@ ThreatCategory,string,Optional,Dns,,,
ThreatCategory,string,Optional,FileEvent,,,
ThreatCategory,string,Optional,NetworkSession,,,
ThreatCategory,string,Optional,WebSession,,,
ThreatCategory,string,Optional,ProcessEvent,,,
ThreatCategory,string,Optional,RegistryEvent,,,
ThreatCategory,string,Optional,UserManagement,,,
ThreatCategory,string,Optional,Dhcp,,,
Expand All @@ -1192,6 +1194,7 @@ ThreatConfidence,int,Optional,Dns,ConfidenceLevel,,
ThreatConfidence,int,Optional,FileEvent,,,
ThreatConfidence,int,Optional,NetworkSession,,,
ThreatConfidence,int,Optional,WebSession,,,
ThreatConfidence,int,Optional,ProcessEvent,,,
ThreatConfidence,int,Optional,RegistryEvent,,,
ThreatConfidence,int,Optional,UserManagement,,,
ThreatConfidence,int,Optional,Dhcp,,,
Expand All @@ -1201,6 +1204,7 @@ ThreatField,string,Conditional,NetworkSession,Enumerated,,ThreatIpAddr
ThreatField,string,Optional,Authentication,,,
ThreatField,string,Optional,Dns,,,
ThreatField,string,Optional,WebSession,,,
ThreatField,string,Optional,ProcessEvent,,,
ThreatField,string,Optional,RegistryEvent,,,
ThreatField,string,Optional,UserManagement,,,
ThreatField,string,Optional,Dhcp,,,
Expand All @@ -1211,6 +1215,7 @@ ThreatFirstReportedTime,datetime,Optional,Dns,,,
ThreatFirstReportedTime,datetime,Optional,FileEvent,,,
ThreatFirstReportedTime,datetime,Optional,NetworkSession,,,
ThreatFirstReportedTime,datetime,Optional,WebSession,,,
ThreatFirstReportedTime,datetime,Optional,ProcessEvent,,,
ThreatFirstReportedTime,datetime,Optional,RegistryEvent,,,
ThreatFirstReportedTime,datetime,Optional,UserManagement,,,
ThreatFirstReportedTime,datetime,Optional,Dhcp,,,
Expand All @@ -1220,6 +1225,7 @@ ThreatId,string,Optional,Dns,,,
ThreatId,string,Optional,FileEvent,,,
ThreatId,string,Optional,NetworkSession,,,
ThreatId,string,Optional,WebSession,,,
ThreatId,string,Optional,ProcessEvent,,,
ThreatId,string,Optional,RegistryEvent,,,
ThreatId,string,Optional,UserManagement,,,
ThreatId,string,Optional,Dhcp,,,
Expand All @@ -1234,6 +1240,7 @@ ThreatIsActive,bool,Optional,Dns,,,
ThreatIsActive,bool,Optional,FileEvent,,,
ThreatIsActive,bool,Optional,NetworkSession,,,
ThreatIsActive,bool,Optional,WebSession,,,
ThreatIsActive,bool,Optional,ProcessEvent,,,
ThreatIsActive,bool,Optional,RegistryEvent,,,
ThreatIsActive,bool,Optional,UserManagement,,,
ThreatIsActive,bool,Optional,Dhcp,,,
Expand All @@ -1243,6 +1250,7 @@ ThreatLastReportedTime,datetime,Optional,Dns,,,
ThreatLastReportedTime,datetime,Optional,FileEvent,,,
ThreatLastReportedTime,datetime,Optional,NetworkSession,,,
ThreatLastReportedTime,datetime,Optional,WebSession,,,
ThreatLastReportedTime,datetime,Optional,ProcessEvent,,,
ThreatLastReportedTime,datetime,Optional,RegistryEvent,,,
ThreatLastReportedTime,datetime,Optional,UserManagement,,,
ThreatLastReportedTime,datetime,Optional,Dhcp,,,
Expand All @@ -1252,6 +1260,7 @@ ThreatName,string,Optional,Dns,,,
ThreatName,string,Optional,FileEvent,,,
ThreatName,string,Optional,NetworkSession,,,
ThreatName,string,Optional,WebSession,,,
ThreatName,string,Optional,ProcessEvent,,,
ThreatName,string,Optional,RegistryEvent,,,
ThreatName,string,Optional,UserManagement,,,
ThreatName,string,Optional,Dhcp,,,
Expand All @@ -1261,6 +1270,7 @@ ThreatOriginalConfidence,string,Optional,Dns,,,
ThreatOriginalConfidence,string,Optional,FileEvent,,,
ThreatOriginalConfidence,string,Optional,NetworkSession,,,
ThreatOriginalConfidence,string,Optional,WebSession,,,
ThreatOriginalConfidence,string,Optional,ProcessEvent,,,
ThreatOriginalConfidence,string,Optional,RegistryEvent,,,
ThreatOriginalConfidence,string,Optional,UserManagement,,,
ThreatOriginalConfidence,string,Optional,Dhcp,,,
Expand All @@ -1270,6 +1280,7 @@ ThreatOriginalRiskLevel,string,Optional,Dns,,,
ThreatOriginalRiskLevel,string,Optional,FileEvent,,,
ThreatOriginalRiskLevel,string,Optional,NetworkSession,,,
ThreatOriginalRiskLevel,string,Optional,WebSession,,,
ThreatOriginalRiskLevel,string,Optional,ProcessEvent,,,
ThreatOriginalRiskLevel,string,Optional,RegistryEvent,,,
ThreatOriginalRiskLevel,string,Optional,UserManagement,,,
ThreatOriginalRiskLevel,string,Optional,Dhcp,,,
Expand All @@ -1279,6 +1290,7 @@ ThreatRiskLevel,int,Optional,Dns,RiskLevel,,
ThreatRiskLevel,int,Optional,FileEvent,RiskLevel,,
ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,,
ThreatRiskLevel,int,Optional,WebSession,RiskLevel,,
ThreatRiskLevel,int,Optional,ProcessEvent,RiskLevel,,
ThreatRiskLevel,int,Optional,RegistryEvent,,,
ThreatRiskLevel,int,Optional,UserManagement,,,
ThreatRiskLevel,int,Optional,Dhcp,,,
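Review bot: The RegistryEvent EventVendor row in the EventVendor hunk enumerates only `SentinelOne`, while the RegistryEvent EventProduct row in the EventProduct hunk still enumerates `M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne`; the rendered page does not show which side each row is on, but if the SentinelOne-only row is the new side the tester will report `Microsoft` as an invalid EventVendor for every existing Windows registry parser. The same hunk shows one Dns EventVendor row with `SentinelOne` and one without, whereas the Dns EventProduct row keeps `SentinelOne`, so whichever Dns vendor row is the new side should agree with the product row. If the intent is to add SentinelOne rather than replace the existing vendors, the RegistryEvent row would read `EventVendor,string,Mandatory,RegistryEvent,Enumerated,Microsoft|SentinelOne,` (vendor spelling taken from the ProcessEvent row).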
Expand Up @@ -35,7 +35,7 @@
"displayName": "Audit event ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAuditEvent",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers)))\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n ASimAuditEventCiscoMeraki (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n ASimAuditEventCiscoISE (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers)))\n",
"version": 1,
"functionParameters": "pack:bool=False"
}
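Review bot: The new `ASimAuditEventSentinelOne` entry appended to the AuditEvent union has no counterpart in the tester data changed in the same PR: the AuditEvent EventVendor row enumerates `Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra` and the AuditEvent EventProduct row `Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki`, neither of which contains a SentinelOne value, so the schema tester would presumably flag whatever vendor and product that parser emits. Other schemas in the CSV add `SentinelOne` to both their vendor and product rows, so the AuditEvent rows likely need the same addition unless a file not shown on this page already covers it. The path of this file is not displayed in the rendered section, and the hunk sits inside a JSON object whose start and end are outside the visible lines.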