+ "query": "let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n)\n{\n let prefilter = (T: (SyslogMessage: string, TimeGenerated: datetime, EventResult: string, EventType: string, HostIP: string))\n {\n T\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or SyslogMessage has_any (username_has_any))\n and (array_length(targetappname_has_any) == 0 or 'su' in~ (targetappname_has_any))\n and (array_length(srcipaddr_has_any_prefix) == 0 or (has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))) // Mapping dvc ip to src filtering\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n and ((array_length(eventtype_in) == 0) or (EventType in~ (eventtype_in)))\n and (array_length(eventresultdetails_in) == 0) // EventResultDetails not available in source\n and (eventresult == \"*\" or (EventResult == eventresult))\n };\n let SyslogProjects = Syslog\n | project\n TimeGenerated,\n Computer,\n SyslogMessage,\n ProcessName,\n ProcessID,\n HostIP,\n Type,\n _ItemId,\n _ResourceId,\n _SubscriptionId;\n //\n // -- Successful SU\n // Parses the event \"Successful su for <user> by <user>\"\n let SuSignInAuthorized=(disabled: bool=false)\n {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"Successful su for\"\n | extend\n EventType = 'Logon',\n EventResult = \"Success\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for \" TargetUsername: string \" by \" ActorUsername: string\n | project-away SyslogMessage, 
ProcessName\n };\n // \n // -- SU end\n // Parsers the event \"pam_unix(su[-l]:session): session closed for user <user>\"\n let SuDisconnect=(disabled: bool=false)\n {\n SyslogProjects \n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')\n | extend\n EventType = 'Logoff',\n EventResult = \"Success\"\n | invoke prefilter()\n | parse SyslogMessage with * \"for user \" TargetUsername: string\n | project-away SyslogMessage, ProcessName\n };\n // Failed SU\n let SuFailed=(disabled: bool=false)\n {\n SyslogProjects\n | where not(disabled)\n | where ProcessName == \"su\" and SyslogMessage startswith \"FAILED SU\"\n | extend \n EventType = \"Logon\",\n EventResult = \"Failure\"\n | invoke prefilter()\n | parse SyslogMessage with * \"to \" TargetUsername: string \") \" ActorUsername: string \" on \" *\n | project-away SyslogMessage, ProcessName\n };\n union isfuzzy=false \n SuDisconnect(disabled = disabled),\n SuSignInAuthorized(disabled = disabled),\n SuFailed(disabled = disabled)\n // Post-filtering\n | where ((array_length(username_has_any) == 0) or (TargetUsername has_any (username_has_any)) or (ActorUsername has_any (username_has_any)))\n and (array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))\n // mapping ASimMatchingUsername\n | extend\n temp_isMatchTargetUsername=TargetUsername has_any(username_has_any),\n temp_isMatchActorUsername=ActorUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0, \"-\",\n temp_isMatchTargetUsername and temp_isMatchActorUsername, \"Both\",\n temp_isMatchTargetUsername, \"TargetUsername\",\n temp_isMatchActorUsername, \"ActorUsername\",\n \"No match\"\n )\n | invoke _ASIM_ResolveDvcFQDN('Computer')\n | extend\n ActingAppId = tostring(ProcessID),\n ActingAppType = 'Process',\n ActorUsernameType = 'Simple',\n DvcIdType = iff (isnotempty(_ResourceId), \"AzureResourceId\", \"\"),\n DvcOs 
= 'Linux',\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventProduct = 'su',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventSeverity = 'Informational',\n EventStartTime = TimeGenerated,\n EventVendor = 'Linux',\n TargetDvcOs = 'Linux',\n TargetUsernameType = 'Simple',\n Type = \"Syslog\"\n | project-away Computer, ProcessID\n | project-rename \n DvcId = _ResourceId,\n DvcIpAddr = HostIP,\n DvcScopeId = _SubscriptionId,\n EventUid = _ItemId\n //\n // -- Aliases\n | extend\n Dst = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),\n IpAddr = DvcIpAddr,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n TargetDvcId = DvcId,\n TargetDvcIdType = DvcDomainType,\n TargetDvcScopeId = DvcScopeId,\n TargetFQDN = DvcFQDN,\n TargetHostname = DvcHostname,\n TargetIpAddr = DvcIpAddr,\n User = TargetUsername\n | extend Dvc = Dst\n | project\n TimeGenerated,\n EventType,\n EventResult,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n ActingAppId,\n ActingAppType,\n ActorUsernameType,\n DvcIdType,\n DvcOs,\n EventCount,\n EventEndTime,\n EventProduct,\n EventSchema,\n EventSchemaVersion,\n EventSeverity,\n EventStartTime,\n EventVendor,\n TargetDvcOs,\n TargetUsernameType,\n Type,\n DvcId,\n DvcIpAddr,\n DvcScopeId,\n EventUid,\n Dst,\n Dvc,\n IpAddr,\n TargetDomain,\n TargetDomainType,\n TargetDvcId,\n TargetDvcIdType,\n TargetDvcScopeId,\n TargetFQDN,\n TargetHostname,\n TargetIpAddr,\n User,\n TargetUsername,\n ActorUsername,\n ASimMatchingUsername\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)",