Merge branch 'Azure:master' into Keshavm021/Netskopewebtx

Author: keshavm021

ASIM/dev/ASimTester/ASimTester.csv

@@ -727,7 +727,7 @@ EventProduct,string,Mandatory,FileEvent,Enumerated,Security Events|Sysmon for Li
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake|Core|Azure NSG flows,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
-EventProduct,string,Mandatory,UserManagement,Enumerated,Security Events|Authpriv|ISE|SentinelOne,
+EventProduct,string,Mandatory,UserManagement,Enumerated,Security Events|Authpriv|ISE|SentinelOne|CloudTrail,
 EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF|ASM|NetScaler|Firepower|Cortex Data Lake|Firewall|Azure Firewall,
 EventProductVersion,string,Optional,AlertEvent,,,
 EventProductVersion,string,Optional,AuditEvent,,,
@@ -825,7 +825,7 @@ EventStartTime,datetime,Mandatory,RegistryEvent,,,
 EventStartTime,datetime,Mandatory,UserManagement,,,
 EventStartTime,datetime,Mandatory,WebSession,,,
 EventSubType,string,Optional,AuditEvent,,,
-EventSubType,string,Optional,Authentication,Enumerated,System|Interactive|RemoteInteractive|Service|RemoteService|Remote|AssumeRole,
+EventSubType,string,Optional,Authentication,Enumerated,System|Interactive|RemoteInteractive|Service|RemoteService|Remote|AssumeRole|NetworkCleartext,
 EventSubType,string,Optional,Common,Enumerated,Placeholder,
 EventSubType,string,Optional,DhcpEvent,,,
 EventSubType,string,Optional,Dns,Enumerated,request|response,
@@ -870,7 +870,7 @@ EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware|G
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall|Illumio,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne|VMware|TrendMicro,
 EventVendor,string,Mandatory,RegistryEvent,Enumerated,Microsoft|SentinelOne|VMware|Trend Micro,
-EventVendor,string,Mandatory,UserManagement,Enumerated,Microsoft|Linux|Cisco|SentinelOne,
+EventVendor,string,Mandatory,UserManagement,Enumerated,Microsoft|Linux|Cisco|SentinelOne|AWS,
 EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr|Citrix|F5|SonicWall,
 FileContentType,string,Optional,WebSession,,,
 FileMD5,string,Optional,AlertEvent,,,
@@ -888,7 +888,7 @@ FileSHA512,string,Optional,WebSession,SHA512,,
 FileSize,long,Optional,AlertEvent,,,
 FileSize,long,Optional,WebSession,,,
 GroupId,string,Optional,UserManagement,,,
-GroupIdType,string,Optional,UserManagement,Enumerated,SID|UID,
+GroupIdType,string,Optional,UserManagement,Enumerated,SID|UID|Simple,
 GroupName,string,Optional,UserManagement,,,
 GroupNameType,string,Optional,UserManagement,Enumerated,UPN|Windows|DN|Simple,
 GroupOriginalType,string,Optional,UserManagement,,,
@@ -1460,7 +1460,7 @@ TargetUserId,string,Optional,UserManagement,,,
 TargetUserId,string,Recommended,ProcessEvent,,,
 TargetUserIdType,string,Conditional,Authentication,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|GWorkspaceProfileID|Other,TargetUserId
 TargetUserIdType,string,Conditional,ProcessEvent,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
-TargetUserIdType,string,Conditional,UserManagement,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|Other,TargetUserId
+TargetUserIdType,string,Conditional,UserManagement,Enumerated,SID|UID|AADID|OktaId|AWSId|PUID|SalesforceId|VectraUserId|MD4IoTid|AWSIAMUserId|AWSIAMRoleId|Other,TargetUserId
 TargetUsername,string,Mandatory,ProcessEvent,,,
 TargetUsername,string,Optional,Authentication,,,
 TargetUsername,string,Optional,UserManagement,,,

CODEOWNERS

@@ -10,6 +10,7 @@
 # This is copied from here: https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
 
 /.script/ @Azure/sentinel-repo-admins @Azure/sentinel-repo-reviewers
+/ASIM/ @Azure/sentinel-repo-admins @Azure/sentinel-repo-reviewers @Azure/sentinel-repo-parser-reviewers
 /DataConnectors/ @Azure/sentinel-repo-connectors-reviewers @Azure/sentinel-repo-admins @Azure/sentinel-repo-reviewers
 /Detections/ @Azure/sentinel-repo-hunt-detection-reviewers @Azure/sentinel-repo-admins @Azure/sentinel-repo-reviewers
 /Hunting\ Queries/ @Azure/sentinel-repo-hunt-detection-reviewers @Azure/sentinel-repo-admins @Azure/sentinel-repo-reviewers

Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateVMwareCarbonBlackCloud.yaml

@@ -19,7 +19,7 @@ References:
 Description: |
   This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Terminate normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
 ParserName: ASimProcessTerminateVMwareCarbonBlackCloud
-EquivalentBuiltInParser: ASim_ProcessEvent_TerminateVMwareCarbonBlackCloud
+EquivalentBuiltInParser: _ASim_ProcessEvent_TerminateVMwareCarbonBlackCloud
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimProcessEvent/Parsers/vimProcessTerminateVMwareCarbonBlackCloud.yaml

@@ -19,7 +19,7 @@ References:
 Description: |
   This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Process Terminate normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
 ParserName: vimProcessTerminateVMwareCarbonBlackCloud
-EquivalentBuiltInParser: Im_ProcessTerminate_VMwareCarbonBlackCloud
+EquivalentBuiltInParser: _Im_ProcessTerminate_VMwareCarbonBlackCloud
 ParserParams:
   - Name: starttime
     Type: datetime

Parsers/ASimUserManagement/ARM/ASimUserManagement/ASimUserManagement.json

@@ -27,7 +27,7 @@
         "displayName": "User Management ASIM parser",
         "category": "ASIM",
         "FunctionAlias": "ASimUserManagement",
-        "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n  | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n  | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n  | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n    pack: bool=false\n    ) {\n    union isfuzzy=true\n        vimUserManagementEmpty,\n        ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n        ASimUserManagementMicrosoftWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftWindowsEvent' in (DisabledParsers))),\n        ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n        ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n        ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n        ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers)))\n}; \nparser (\n    pack=pack\n)",
+        "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n  | where SearchKey in ('Any', 'ExcludeASimUserManagement')\n  | extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n  | distinct SourceSpecificParser);\nlet ASimBuiltInDisabled=toscalar('ExcludeASimUserManagement' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n    pack: bool=false\n    ) {\n    union isfuzzy=true\n        vimUserManagementEmpty,\n        ASimUserManagementMicrosoftSecurityEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftSecurityEvent' in (DisabledParsers))),\n        ASimUserManagementMicrosoftWindowsEvent (ASimBuiltInDisabled or ('ExcludeASimUserManagementMicrosoftWindowsEvent' in (DisabledParsers))),\n        ASimUserManagementCiscoISE (ASimBuiltInDisabled or ('ExcludeASimUserManagementCiscoISE' in (DisabledParsers))),\n        ASimUserManagementSentinelOne (ASimBuiltInDisabled or ('ExcludeASimUserManagementSentinelOne' in (DisabledParsers))),\n        ASimUserManagementLinuxAuthpriv (ASimBuiltInDisabled or ('ExcludeASimUserManagementLinuxAuthpriv' in (DisabledParsers))),\n        ASimUserManagementNative (ASimBuiltInDisabled or ('ExcludeASimUserManagementNative' in (DisabledParsers))),\n        ASimUserManagementAWSCloudTrail (ASimBuiltInDisabled or ('ExcludeASimUserManagementAWSCloudTrail' in (DisabledParsers)), pack=pack)\n}; \nparser (\n    pack=pack\n)",
         "version": 1,
         "functionParameters": "pack:bool=False"
       }