From 9a497358532c645f4cf459dac03e5325f53df261 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Thu, 9 Jan 2025 10:13:26 +0000
Subject: [PATCH] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
---
 .../ARM/ASimAuthenticationNative/ASimAuthenticationNative.json | 2 +-
 .../ARM/vimAuthenticationNative/vimAuthenticationNative.json | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json
index b53e393c22..fd66161e54 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationNative/ASimAuthenticationNative.json
@@ -27,7 +27,7 @@ "displayName": "Authentication Event ASIM parser for Microsoft Sentinel native Authentication table", "category": "ASIM", "FunctionAlias": "ASimAuthenticationNative", - "query": "let parser=(disabled:bool=false) \n{\n ASimAuthenticationEventLogs | where not(disabled)\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (disabled=disabled)", + "query": "let parser=(disabled:bool=false) \n{\n ASimAuthenticationEventLogs | where not(disabled)\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser (disabled=disabled)\n", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json index 86874ab2f5..57f763f8f3 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json 
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationNative/vimAuthenticationNative.json 
@@ -27,7 +27,7 @@ "displayName": "Authentication Event ASIM filtering parser for Microsoft Sentinel native Authentication table", "category": "ASIM", "FunctionAlias": "vimAuthenticationNative", - "query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n ASimAuthenticationEventLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any)) \n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or SrcHostname has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away 
TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)\n", + "query": "let parser=\n(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n ASimAuthenticationEventLogs | where not(disabled)\n // -- Pre-parsing filtering:\n | where\n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or TargetUsername has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or TargetAppName has_any (targetappname_has_any)) \n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(SrcIpAddr, srcipaddr_has_any_prefix)))\n and ((array_length(srchostname_has_any) == 0) or SrcHostname has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n User = TargetUsername,\n Src = coalesce (SrcDvcId, SrcHostname, SrcIpAddr),\n IpAddr=SrcIpAddr,\n LogonTarget= coalesce (TargetAppName, TargetUrl, TargetHostname),\n Dvc=EventVendor,\n Application=TargetAppName,\n Dst = coalesce (TargetDvcId,TargetHostname, TargetIpAddr, 
TargetAppId,TargetAppName), \n Rule = coalesce(RuleName, tostring(RuleNumber)),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSchema = \"Authentication\"\n | project-rename\n EventUid = _ItemId\n | project-away TenantId, SourceSystem, _ResourceId, _SubscriptionId\n};\nparser\n (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" }