diff --git a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json
index fe931c8bd18..8da1aa46064 100644
--- a/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json
+++ b/Parsers/ASimAlertEvent/ARM/ASimAlertEventMicrosoftDefenderXDR/ASimAlertEventMicrosoftDefenderXDR.json 
@@ -27,7 +27,7 @@
 "displayName": "Alert Event ASIM parser for Microsoft Defender XDR",
 "category": "ASIM",
 "FunctionAlias": "ASimAlertEventMicrosoftDefenderXDR",
- "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n[\n\"User\", \"User\",\n\"Machine\", \"Host\",\n\"Process\", \"Process\",\n\"File\", \"File\",\n\"Ip\", \"Ip\",\n\"Url\", \"Url\",\n\"RegistryValue\", \"Registry\",\n\"CloudLogonSession\", \"LogonSession\",\n\"CloudApplication\", \"Application\",\n\"Mailbox\", \"Mailbox\",\n\"MailMessage\", \"Email\",\n\"CloudResource\", \"Cloud Resource\"\n];\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n];\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n];\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n];\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet parser = (\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = 
iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend 
DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n 
ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n};\nparser(\n disabled = disabled\n)",
+ "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n[\n\"User\", \"User\",\n\"Machine\", \"Host\",\n\"Process\", \"Process\",\n\"File\", \"File\",\n\"Ip\", \"Ip\",\n\"Url\", \"Url\",\n\"RegistryValue\", \"Registry\",\n\"CloudLogonSession\", \"LogonSession\",\n\"CloudApplication\", \"Application\",\n\"Mailbox\", 
\"Mailbox\",\n\"MailMessage\", \"Email\",\n\"CloudResource\", \"Cloud Resource\"\n];\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n];\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n];\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n];\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet parser = (\ndisabled: bool=false) {\nAlertEvidence\n| where not(disabled)\n// Mapping Inspection Fields\n| project-rename\n AlertName = Title,\n DetectionMethod = DetectionSource\n| extend \n EventUid = AlertId,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace_regex(Categories, @\"[\\[\\]\\\"\"]\", \"\"), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState)\n| extend\n AlertStatus = case(\n AlertOriginalStatus == \"Active\", \"Active\",\n isempty(AlertOriginalStatus), \"\",\n \"Closed\"\n )\n| lookup AlertVerdictLookup on AlertVerdict_Custom\n| lookup IndicatorTypeLookup on EntityType\n| lookup IndicatorAssociationLookup on EvidenceRole\n// Mapping 
Threat Fields\n| extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace_regex(Categories, @\"[\\[\\]\\\"\"]\", \"\"), \"\")\n// Mapping User Entity\n| extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountName, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n| extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n// Mapping Device Entity\n| extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n| extend DvcIdType = iif(isnotempty(DvcId), \"FQDN\", \"\")\n| invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n// Mapping Additional Fields\n| extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n// Mapping Process Entity\n| extend \n ProcessId = tostring(AdditionalFields.ProcessId),\n ProcessCommandLine,\n ProcessName = 
iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = tostring(AdditionalFields.Publisher),\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n// Mapping File Entity\n| extend \n FileName,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileMD5 = tostring(AdditionalFields.FileHashes[1].Value),\n FileSize\n| project-rename\n FileDirectory = FolderPath,\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n Url = RemoteUrl\n// Mapping Registry Entity\n| extend \n RegistryKey,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n| lookup RegistryValueTypeLookup on ValueType\n// Mapping Application Entity\n| extend \n AppId_s = ApplicationId,\n AppName_s = Application\n// Mapping Email Entity\n| extend\n EmailSubject\n// Creating IpAddress list in AdditionalFields\n | extend IpAddresses = pack_array(RemoteIP, LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address))\n | mv-apply IpAddress = IpAddresses on (where isnotempty(IpAddress) | summarize IpAddresses = make_list(IpAddress))\n| extend AdditionalFields = bag_pack(\n 
\"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s,\n \"AppId\",\n AppId_s,\n \"AppName\",\n AppName_s,\n \"FileDirectory\",\n FileDirectory,\n \"IpAddresses\",\n IpAddresses\n )\n| project-rename\n RegistryValue = RegistryValueName,\n EmailMessageId = NetworkMessageId\n// Mapping common event fields\n| extend\n Type = \"AlertEvidence\",\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n TimeGenerated = Timestamp,\n EventEndTime = Timestamp,\n EventStartTime = Timestamp,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n// Mapping Alias\n| extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username,\n AlertId = EventUid\n| project\n TimeGenerated,\n Type,\n AlertId,\n EventUid,\n AlertName,\n AttackTactics,\n AlertOriginalStatus,\n AlertStatus,\n DetectionMethod,\n AlertVerdict,\n IndicatorType,\n IndicatorAssociation,\n ThreatCategory,\n UserId,\n Username,\n UserSessionId,\n UserIdType,\n UserType,\n UsernameType,\n DvcId,\n DvcIpAddr,\n DvcOs,\n DvcOsVersion,\n DvcScopeId,\n DvcIdType,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n ProcessId,\n ProcessCommandLine,\n ProcessName,\n ProcessFileCompany,\n FileName,\n FilePath,\n FileSHA1,\n FileSHA256,\n FileMD5,\n FileSize,\n Url,\n RegistryKey,\n RegistryValue,\n RegistryValueData,\n RegistryValueType,\n EmailMessageId,\n EmailSubject,\n AdditionalFields,\n EventSubType,\n EventEndTime,\n 
EventStartTime,\n EventProduct,\n EventVendor,\n EventSchema,\n EventSchemaVersion,\n EventType,\n EventCount,\n IpAddr,\n Hostname,\n User\n};\nparser(\n disabled = disabled\n)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json
index e70dda92f57..18b018351e8 100644
--- a/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json
+++ b/Parsers/ASimAlertEvent/ARM/vimAlertEventMicrosoftDefenderXDR/vimAlertEventMicrosoftDefenderXDR.json 
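Review bot: In the new ASim query `DvcIdType` is set to `"FQDN"` while `DvcId` is still `coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId))`, a Defender device identifier rather than a host name, so the type label no longer describes the value; the removed line used `"MDEid"`, and `| extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "")` keeps the two fields consistent. The new `IpAddresses` block aggregates with `make_list`, whereas the same block in the vim parser later in this diff uses `make_set`; since `LocalIP` and `AdditionalFields.Host.IpInterfaces[0].Address` can hold the same address, `make_list` will emit duplicates, and the two parsers should agree (presumably on `make_set`). It is also worth confirming that evidence rows whose three IP fields are all empty (user, mailbox or e-mail evidence) still come out of the `mv-apply ... summarize` step rather than being dropped along with the empty expansion. Finally, `Username` now coalesces `AccountName` rather than `AccountUpn` with `AdditionalFields.Account.UserPrincipalName`, which mixes bare account names and UPNs in one field; if that is intentional, a comment on that line such as `// AccountName preferred; UPN from AdditionalFields only as fallback` would save the next reader from reverting it.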
@@ -27,7 +27,7 @@ "displayName": "Alert Event ASIM filtering parser for Microsoft Defender XDR", "category": "ASIM", "FunctionAlias": "vimAlertEventMicrosoftDefenderXDR", - "query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n [\n \"User\", \"User\",\n \"Machine\", \"Host\",\n \"Process\", \"Process\",\n \"File\", \"File\",\n \"Ip\", \"Ip\",\n \"Url\", \"Url\",\n \"RegistryValue\", \"Registry\",\n \"CloudLogonSession\", \"LogonSession\",\n \"CloudApplication\", \"Application\",\n \"Mailbox\", \"Mailbox\",\n \"MailMessage\", \"Email\",\n \"CloudResource\", \"Cloud Resource\"\n ];\n let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n ];\n let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n ];\n let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n ];\n let AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\n let ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\n let parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n 
threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n | where (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any)))\n and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser.\n // Mapping Inspection Fields\n | extend \n EventUid = AlertId,\n AlertName = Title,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\"),\n AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState),\n AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == \"Active\", \"Active\", \"Closed\"), \"\"),\n DetectionMethod = DetectionSource\n | 
lookup AlertVerdictLookup on AlertVerdict_Custom\n // Filter for AlertVerdict\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"MDEid\", \"\")\n | invoke 
_ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = AdditionalFields.ProcessId,\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = AdditionalFields.Publisher,\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n FileDirectory = FolderPath,\n FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n FileMD5 = AdditionalFields.FileHashes[1].Value,\n FileSize = FileSize\n // Mapping Url Entity\n | extend \n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValue = RegistryValueName,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup 
RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend \n EmailMessageId = NetworkMessageId,\n EmailSubject\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s\n )\n // Mapping common event fields\n | extend\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // MApping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username\n | project-away\n Title,\n Categories,\n EntityType,\n EvidenceRole,\n DetectionSource,\n ServiceSource,\n ThreatFamily,\n RemoteIP,\n RemoteUrl,\n AccountName,\n AccountDomain,\n DeviceName,\n LocalIP,\n AlertVerdict_Custom,\n EvidenceDirection,\n Account*,\n ApplicationId,\n Application,\n *_s\n };\n parser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n )\n", + 
"query": "let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string)\n [\n \"User\", \"User\",\n \"Machine\", \"Host\",\n \"Process\", \"Process\",\n \"File\", \"File\",\n \"Ip\", \"Ip\",\n \"Url\", \"Url\",\n \"RegistryValue\", \"Registry\",\n \"CloudLogonSession\", \"LogonSession\",\n \"CloudApplication\", \"Application\",\n \"Mailbox\", \"Mailbox\",\n \"MailMessage\", \"Email\",\n \"CloudResource\", \"Cloud Resource\"\n ];\nlet IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string)\n [\n \"Related\", \"Associated\",\n \"Impacted\", \"Targeted\"\n];\nlet RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string)\n [\n \"ExpandString\", \"Reg_Expand_Sz\"\n];\nlet AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string)\n [\n \"Malicious\", \"True Positive\",\n \"Suspicious\", \"True Positive\",\n \"NoThreatsFound\", \"Benign Positive\"\n];\nlet AttackTacticSet = dynamic([\"Exfiltration\", \"PrivilegeEscalation\", \"Persistence\", \"LateralMovement\", \"Execution\", \"Discovery\", \"InitialAccess\", \"CredentialAccess\", \"DefenseEvasion\", \"CommandAndControl\", \"Impact\"]);\nlet ThreatCategorySet = dynamic([\"Malware\", \"Ransomware\", \"Trojan\", \"Virus\", \"Worm\", \"Adware\", \"Spyware\", \"Rootkit\", \"Cryptominor\", \"Phishing\", \"Spam\", \"MaliciousUrl\", \"Spoofing\", \"Security Policy Violation\", \"Unknown\", \"SuspiciousActivity\"]);\nlet parser = (starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n ipaddr_has_any_prefix: dynamic=dynamic([]),\n hostname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n attacktactics_has_any: dynamic=dynamic([]),\n attacktechniques_has_any: dynamic=dynamic([]),\n threatcategory_has_any: dynamic=dynamic([]),\n alertverdict_has_any: dynamic=dynamic([]),\n eventseverity_has_any: dynamic=dynamic([]),\n disabled: bool=false) {\n AlertEvidence\n | where not(disabled)\n // 
Mapping Inspection Fields\n | where (isnull(starttime) or Timestamp >= starttime)\n and (isnull(endtime) or Timestamp <= endtime)\n and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix)))\n and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any)))\n and ((array_length(username_has_any) == 0) or (AccountName has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any)))\n and ((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any)))\n and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any)))\n // ThreatCategory filtering done later in the parser\n // AlertVerdict filtering done later in the parser\n and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser.\n | extend\n temp_LocalMatch = has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix),\n temp_RemoteMatch = has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix),\n temp_AdditionalFieldsMatch = has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)\n | extend ASimMatchingIpAddr = case(\n array_length(ipaddr_has_any_prefix) == 0, \"-\",\n temp_LocalMatch, \"Local\",\n temp_RemoteMatch, \"Remote\",\n temp_AdditionalFieldsMatch, \"AdditionalFields\",\n \"No match\"\n )\n | project-rename\n AlertName = Title,\n DetectionMethod = DetectionSource\n | extend \n EventUid = AlertId,\n AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),\n AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),\n AttackTactics = iff(Categories 
has_any (AttackTacticSet), replace_regex(Categories, @\"[\\[\\]\\\"\"]\", \"\"), \"\"),\n | extend\n AlertStatus = case(\n AlertOriginalStatus == \"Active\", \"Active\",\n isempty(AlertOriginalStatus), \"\",\n \"Closed\"\n )\n // Filter for AlertVerdict\n | lookup AlertVerdictLookup on AlertVerdict_Custom\n | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@\"[\\[\\]\\\"\"]\", \"\", Categories), \"\")\n // Filter for ThreatCategory\n | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))\n | lookup IndicatorTypeLookup on EntityType\n | lookup IndicatorAssociationLookup on EvidenceRole\n // Mapping Threat Fields\n | extend\n ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace_regex(Categories, @\"[\\[\\]\\\"\"]\", \"\"), \"\")\n // Mapping User Entity\n | extend \n UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),\n UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)),\n Username = coalesce(AccountName, tostring(AdditionalFields.Account.UserPrincipalName)),\n UserSessionId = tostring(AdditionalFields.SessionId),\n UserScopeId = tostring(AdditionalFields.AadTenantId),\n HttpUserAgent_s = tostring(AdditionalFields.UserAgent)\n | extend\n UserIdType = iif(isnotempty(UserId), \"EntraUserID\", iif(isnotempty(UserSid), \"SID\", \"\")),\n UserId = coalesce(UserId, UserSid),\n UserType = _ASIM_GetUserType(Username, UserSid),\n UsernameType = _ASIM_GetUsernameType(Username)\n // Mapping Device Entity\n | extend \n DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),\n DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),\n DvcOs = 
tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),\n DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),\n DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),\n DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, \"/\")[2]), (tostring(split(AdditionalFields.ResourceId, \"/\")[2])))\n | extend DvcIdType = iif(isnotempty(DvcId), \"FQDN\", \"\")\n | invoke _ASIM_ResolveDvcFQDN(\"DeviceName\")\n // Mapping Additional Fields\n | extend\n GeoCity_s = AdditionalFields.Location.City,\n GeoCountry_s = AdditionalFields.Location.CountryCode,\n GeoLatitude_s = AdditionalFields.Location.Latitude,\n GeoLongitude_s = AdditionalFields.Location.Longitude,\n GeoRegion_s = AdditionalFields.Location.State\n // Mapping Process Entity\n | extend \n ProcessId = tostring(AdditionalFields.ProcessId),\n ProcessCommandLine,\n ProcessName = iif(IndicatorType == \"Process\", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName), \"\"),\n ProcessFileCompany = tostring(AdditionalFields.Publisher),\n // Parent Process Fields\n ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,\n ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,\n ParentProcessName_s = iif(IndicatorType == \"Process\", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, \"\\\\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), \"\"),\n ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,\n ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,\n ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5\n // Mapping File Entity\n | extend \n FileName,\n 
FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\\\', FileName), FileName),\n FileMD5 = tostring(AdditionalFields.FileHashes[1].Value),\n FileSize\n | project-rename\n FileDirectory = FolderPath,\n FileSHA1 = SHA1,\n FileSHA256 = SHA256,\n Url = RemoteUrl\n // Mapping Registry Entity\n | extend \n RegistryKey,\n RegistryValueData,\n ValueType = tostring(AdditionalFields.ValueType)\n | lookup RegistryValueTypeLookup on ValueType\n // Mapping Application Entity\n | extend \n AppId_s = ApplicationId,\n AppName_s = Application\n // Mapping Email Entity\n | extend\n EmailSubject\n // Creating IpAddress list in AdditionalFields\n | extend IpAddresses = pack_array(RemoteIP, LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address))\n | mv-apply IpAddress = IpAddresses on (where isnotempty(IpAddress) | summarize IpAddresses = make_set(IpAddress))\n | extend AdditionalFields = bag_pack(\n \"AlertVerdictDate\",\n AlertVerdictDate_s,\n \"HttpUserAgent\",\n HttpUserAgent_s,\n \"GeoCity\",\n GeoCity_s,\n \"GeoCountry\",\n GeoCountry_s,\n \"GeoLatitude\",\n GeoLatitude_s,\n \"GeoLongitude\",\n GeoLongitude_s,\n \"GeoRegion\",\n GeoRegion_s,\n \"ParentProcessId\",\n ParentProcessId_s,\n \"ParentProcessCommandLine\",\n ParentProcessCommandLine_s,\n \"ParentProcessName\",\n ParentProcessName_s,\n \"ParentProcessSHA256\",\n ParentProcessSHA256_s,\n \"ParentProcessMD5\",\n ParentProcessMD5_s,\n \"AppId\",\n AppId_s,\n \"AppName\",\n AppName_s,\n \"FileDirectory\",\n FileDirectory,\n \"IpAddresses\",\n IpAddresses\n )\n | project-rename\n RegistryValue = RegistryValueName,\n EmailMessageId = NetworkMessageId\n // Mapping common event fields\n | extend\n Type = \"AlertEvidence\",\n EventSubType = \"Threat\", // All events in AlertEvidence contains threat info\n TimeGenerated = Timestamp,\n EventEndTime = Timestamp,\n EventStartTime = Timestamp,\n EventProduct = ServiceSource,\n EventVendor = 'Microsoft',\n EventSchema = 'AlertEvent',\n 
EventSchemaVersion = '0.1',\n EventType = 'Alert',\n EventCount = int(1)\n // Mapping Alias\n | extend \n IpAddr = DvcIpAddr,\n Hostname = DvcHostname,\n User = Username,\n AlertId = EventUid\n | project\n TimeGenerated,\n Type,\n AlertId,\n EventUid,\n AlertName,\n AttackTactics,\n AlertOriginalStatus,\n AlertStatus,\n DetectionMethod,\n AlertVerdict,\n IndicatorType,\n IndicatorAssociation,\n ThreatCategory,\n UserId,\n Username,\n UserSessionId,\n UserIdType,\n UserType,\n UsernameType,\n DvcId,\n DvcIpAddr,\n DvcOs,\n DvcOsVersion,\n DvcScopeId,\n DvcIdType,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n ProcessId,\n ProcessCommandLine,\n ProcessName,\n ProcessFileCompany,\n FileName,\n FilePath,\n FileSHA1,\n FileSHA256,\n FileMD5,\n FileSize,\n Url,\n RegistryKey,\n RegistryValue,\n RegistryValueData,\n RegistryValueType,\n EmailMessageId,\n EmailSubject,\n AdditionalFields,\n EventSubType,\n EventEndTime,\n EventStartTime,\n EventProduct,\n EventVendor,\n EventSchema,\n EventSchemaVersion,\n EventType,\n EventCount,\n IpAddr,\n Hostname,\n User,\n ASimMatchingIpAddr\n};\nparser(\n starttime = starttime, \n endtime = endtime, \n ipaddr_has_any_prefix = ipaddr_has_any_prefix,\n hostname_has_any = hostname_has_any,\n username_has_any = username_has_any,\n attacktactics_has_any = attacktactics_has_any,\n attacktechniques_has_any = attacktechniques_has_any,\n threatcategory_has_any = threatcategory_has_any,\n alertverdict_has_any = alertverdict_has_any,\n eventseverity_has_any = eventseverity_has_any,\n disabled = disabled\n)\n", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),ipaddr_has_any_prefix:dynamic=dynamic([]),hostname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),attacktactics_has_any:dynamic=dynamic([]),attacktechniques_has_any:dynamic=dynamic([]),threatcategory_has_any:dynamic=dynamic([]),alertverdict_has_any:dynamic=dynamic([]),eventseverity_has_any:dynamic=dynamic([]),disabled:bool=False" } diff --git a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml index 00b2d8ca3f7..82a468407d8 100644 --- a/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml +++ b/Parsers/ASimAlertEvent/Parsers/ASimAlertEventMicrosoftDefenderXDR.yaml @@ -1,7 +1,7 @@ Parser: Title: Alert Event ASIM parser for Microsoft Defender XDR - Version: '0.1.0' - LastUpdated: Oct 09, 2024 + Version: '0.2.0' + LastUpdated: Jan 09, 2026 Product: Name: Microsoft Defender XDR Normalization: 
@@ -54,157 +54,217 @@ ParserQuery: | let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); let parser = ( - disabled: bool=false) { - AlertEvidence - | where not(disabled) - // Mapping Inspection Fields - | extend - EventUid = AlertId, - AlertName = Title, - AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), - AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), - AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""), - AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState), - AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""), - DetectionMethod = DetectionSource - | lookup AlertVerdictLookup on AlertVerdict_Custom - | lookup IndicatorTypeLookup on EntityType - | lookup IndicatorAssociationLookup on EvidenceRole - // Mapping Threat Fields - | extend - ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "") - // Mapping User Entity - | extend - UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), - UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), - Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)), - UserSessionId = tostring(AdditionalFields.SessionId), - UserScopeId = tostring(AdditionalFields.AadTenantId), - HttpUserAgent_s = tostring(AdditionalFields.UserAgent) - | extend - UserIdType = 
iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), - UserId = coalesce(UserId, UserSid), - UserType = _ASIM_GetUserType(Username, UserSid), - UsernameType = _ASIM_GetUsernameType(Username) - // Mapping Device Entity - | extend - DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), - DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), - DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)), - DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), - DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), - DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) - | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "") - | invoke _ASIM_ResolveDvcFQDN("DeviceName") - // Mapping Additional Fields - | extend - GeoCity_s = AdditionalFields.Location.City, - GeoCountry_s = AdditionalFields.Location.CountryCode, - GeoLatitude_s = AdditionalFields.Location.Latitude, - GeoLongitude_s = AdditionalFields.Location.Longitude, - GeoRegion_s = AdditionalFields.Location.State - // Mapping Process Entity - | extend - ProcessId = AdditionalFields.ProcessId, - ProcessCommandLine, - ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), - ProcessFileCompany = AdditionalFields.Publisher, - // Parent Process Fields - ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, - ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, - ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", 
AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""), - ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, - ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, - ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5 - // Mapping File Entity - | extend - FileName, - FileDirectory = FolderPath, - FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), - FileSHA1 = SHA1, - FileSHA256 = SHA256, - FileMD5 = AdditionalFields.FileHashes[1].Value, - FileSize = FileSize - // Mapping Url Entity - | extend - Url = RemoteUrl - // Mapping Registry Entity - | extend - RegistryKey, - RegistryValue = RegistryValueName, - RegistryValueData, - ValueType = tostring(AdditionalFields.ValueType) - | lookup RegistryValueTypeLookup on ValueType - // Mapping Application Entity - | extend - AppId_s = ApplicationId, - AppName_s = Application - // Mapping Email Entity - | extend - EmailMessageId = NetworkMessageId, - EmailSubject - | extend AdditionalFields = bag_pack( - "AlertVerdictDate", - AlertVerdictDate_s, - "HttpUserAgent", - HttpUserAgent_s, - "GeoCity", - GeoCity_s, - "GeoCountry", - GeoCountry_s, - "GeoLatitude", - GeoLatitude_s, - "GeoLongitude", - GeoLongitude_s, - "GeoRegion", - GeoRegion_s, - "ParentProcessId", - ParentProcessId_s, - "ParentProcessCommandLine", - ParentProcessCommandLine_s, - "ParentProcessName", - ParentProcessName_s, - "ParentProcessSHA256", - ParentProcessSHA256_s, - "ParentProcessMD5", - ParentProcessMD5_s - ) - // Mapping common event fields - | extend - EventSubType = "Threat", // All events in AlertEvidence contains threat info - EventEndTime = TimeGenerated, - EventStartTime = TimeGenerated, - EventProduct = ServiceSource, - EventVendor = 'Microsoft', - EventSchema = 'AlertEvent', - EventSchemaVersion = '0.1', - EventType = 'Alert', - 
EventCount = int(1) - // MApping Alias - | extend - IpAddr = DvcIpAddr, - Hostname = DvcHostname, - User = Username - | project-away - Title, - Categories, - EntityType, - EvidenceRole, - DetectionSource, - ServiceSource, - ThreatFamily, - RemoteIP, - RemoteUrl, - AccountName, - AccountDomain, - DeviceName, - LocalIP, - AlertVerdict_Custom, - EvidenceDirection, - Account*, - ApplicationId, - Application, - *_s + disabled: bool=false) { + AlertEvidence + | where not(disabled) + // Mapping Inspection Fields + | project-rename + AlertName = Title, + DetectionMethod = DetectionSource + | extend + EventUid = AlertId, + AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), + AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), + AttackTactics = iff(Categories has_any (AttackTacticSet), replace_regex(Categories, @"[\[\]\""]", ""), ""), + AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState) + | extend + AlertStatus = case( + AlertOriginalStatus == "Active", "Active", + isempty(AlertOriginalStatus), "", + "Closed" + ) + | lookup AlertVerdictLookup on AlertVerdict_Custom + | lookup IndicatorTypeLookup on EntityType + | lookup IndicatorAssociationLookup on EvidenceRole + // Mapping Threat Fields + | extend + ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace_regex(Categories, @"[\[\]\""]", ""), "") + // Mapping User Entity + | extend + UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), + UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), + Username = coalesce(AccountName, tostring(AdditionalFields.Account.UserPrincipalName)), + UserSessionId = tostring(AdditionalFields.SessionId), + UserScopeId = tostring(AdditionalFields.AadTenantId), + HttpUserAgent_s = tostring(AdditionalFields.UserAgent) + | extend + UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), + UserId = coalesce(UserId, 
UserSid), + UserType = _ASIM_GetUserType(Username, UserSid), + UsernameType = _ASIM_GetUsernameType(Username) + // Mapping Device Entity + | extend + DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), + DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), + DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)), + DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), + DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), + DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) + | extend DvcIdType = iif(isnotempty(DvcId), "FQDN", "") + | invoke _ASIM_ResolveDvcFQDN("DeviceName") + // Mapping Additional Fields + | extend + GeoCity_s = AdditionalFields.Location.City, + GeoCountry_s = AdditionalFields.Location.CountryCode, + GeoLatitude_s = AdditionalFields.Location.Latitude, + GeoLongitude_s = AdditionalFields.Location.Longitude, + GeoRegion_s = AdditionalFields.Location.State + // Mapping Process Entity + | extend + ProcessId = tostring(AdditionalFields.ProcessId), + ProcessCommandLine, + ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), + ProcessFileCompany = tostring(AdditionalFields.Publisher), + // Parent Process Fields + ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, + ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, + ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, 
AdditionalFields.ParentProcess.FriendlyName)), ""), + ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, + ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, + ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5 + // Mapping File Entity + | extend + FileName, + FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), + FileMD5 = tostring(AdditionalFields.FileHashes[1].Value), + FileSize + | project-rename + FileDirectory = FolderPath, + FileSHA1 = SHA1, + FileSHA256 = SHA256, + Url = RemoteUrl + // Mapping Registry Entity + | extend + RegistryKey, + RegistryValueData, + ValueType = tostring(AdditionalFields.ValueType) + | lookup RegistryValueTypeLookup on ValueType + // Mapping Application Entity + | extend + AppId_s = ApplicationId, + AppName_s = Application + // Mapping Email Entity + | extend + EmailSubject + // Creating IpAddress list in AdditionalFields + | extend IpAddresses = pack_array(RemoteIP, LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address)) + | mv-apply IpAddress = IpAddresses on (where isnotempty(IpAddress) | summarize IpAddresses = make_list(IpAddress)) + | extend AdditionalFields = bag_pack( + "AlertVerdictDate", + AlertVerdictDate_s, + "HttpUserAgent", + HttpUserAgent_s, + "GeoCity", + GeoCity_s, + "GeoCountry", + GeoCountry_s, + "GeoLatitude", + GeoLatitude_s, + "GeoLongitude", + GeoLongitude_s, + "GeoRegion", + GeoRegion_s, + "ParentProcessId", + ParentProcessId_s, + "ParentProcessCommandLine", + ParentProcessCommandLine_s, + "ParentProcessName", + ParentProcessName_s, + "ParentProcessSHA256", + ParentProcessSHA256_s, + "ParentProcessMD5", + ParentProcessMD5_s, + "AppId", + AppId_s, + "AppName", + AppName_s, + "FileDirectory", + FileDirectory, + "IpAddresses", + IpAddresses + ) + | project-rename + RegistryValue = RegistryValueName, + EmailMessageId = NetworkMessageId + // Mapping common event fields + | extend + 
Type = "AlertEvidence", + EventSubType = "Threat", // All events in AlertEvidence contains threat info + TimeGenerated = Timestamp, + EventEndTime = Timestamp, + EventStartTime = Timestamp, + EventProduct = ServiceSource, + EventVendor = 'Microsoft', + EventSchema = 'AlertEvent', + EventSchemaVersion = '0.1', + EventType = 'Alert', + EventCount = int(1) + // Mapping Alias + | extend + IpAddr = DvcIpAddr, + Hostname = DvcHostname, + User = Username, + AlertId = EventUid + | project + TimeGenerated, + Type, + AlertId, + EventUid, + AlertName, + AttackTactics, + AlertOriginalStatus, + AlertStatus, + DetectionMethod, + AlertVerdict, + IndicatorType, + IndicatorAssociation, + ThreatCategory, + UserId, + Username, + UserSessionId, + UserIdType, + UserType, + UsernameType, + DvcId, + DvcIpAddr, + DvcOs, + DvcOsVersion, + DvcScopeId, + DvcIdType, + DvcHostname, + DvcDomain, + DvcFQDN, + DvcDomainType, + ProcessId, + ProcessCommandLine, + ProcessName, + ProcessFileCompany, + FileName, + FilePath, + FileSHA1, + FileSHA256, + FileMD5, + FileSize, + Url, + RegistryKey, + RegistryValue, + RegistryValueData, + RegistryValueType, + EmailMessageId, + EmailSubject, + AdditionalFields, + EventSubType, + EventEndTime, + EventStartTime, + EventProduct, + EventVendor, + EventSchema, + EventSchemaVersion, + EventType, + EventCount, + IpAddr, + Hostname, + User }; parser( disabled = disabled diff --git a/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml index b494510f4cf..4d9045a2a49 100644 --- a/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml +++ b/Parsers/ASimAlertEvent/Parsers/vimAlertEventMicrosoftDefenderXDR.yaml @@ -1,7 +1,7 @@ Parser: Title: Alert Event ASIM filtering parser for Microsoft Defender XDR - Version: '0.1.0' - LastUpdated: Oct 09, 2024 + Version: '0.2.0' + LastUpdated: Jan 09, 2026 Product: Name: Microsoft Defender XDR Normalization: 
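Review bot: `| extend DvcIdType = iif(isnotempty(DvcId), "FQDN", "")` in the Device Entity block now tags a value that is still sourced from `DeviceId` / `AdditionalFields.Host.MachineId`, so the type no longer describes the identifier it accompanies; the replaced `"MDEid"` did, and anything that branches on DvcIdType will misread the field, so restore `"MDEid"` or add a comment stating why the tag changed. Separately, the `mv-apply` step collapses the address list with `summarize IpAddresses = make_list(IpAddress)`, while the ASimAlertEventMicrosoftDefenderXDR.json ARM template in the same commit uses `make_set(IpAddress)`; `make_list` keeps duplicates when `RemoteIP`, `LocalIP` and the interface address coincide, so `summarize IpAddresses = make_set(IpAddress)` is both the de-duplicated and the consistent choice. The switch of `Username` from `AccountUpn` to `AccountName` also changes what `_ASIM_GetUsernameType` classifies for the same event; if that is intended it deserves a one-line comment in the User Entity block.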
@@ -51,225 +51,300 @@ ParserParams: Type: bool Default: false ParserQuery: | - let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string) - [ - "User", "User", - "Machine", "Host", - "Process", "Process", - "File", "File", - "Ip", "Ip", - "Url", "Url", - "RegistryValue", "Registry", - "CloudLogonSession", "LogonSession", - "CloudApplication", "Application", - "Mailbox", "Mailbox", - "MailMessage", "Email", - "CloudResource", "Cloud Resource" - ]; - let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string) - [ - "Related", "Associated", - "Impacted", "Targeted" - ]; - let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string) - [ - "ExpandString", "Reg_Expand_Sz" - ]; - let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string) - [ - "Malicious", "True Positive", - "Suspicious", "True Positive", - "NoThreatsFound", "Benign Positive" - ]; - let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); - let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); - let parser = ( - starttime: datetime=datetime(null), - endtime: datetime=datetime(null), - ipaddr_has_any_prefix: dynamic=dynamic([]), - hostname_has_any: dynamic=dynamic([]), - username_has_any: dynamic=dynamic([]), - attacktactics_has_any: dynamic=dynamic([]), - attacktechniques_has_any: dynamic=dynamic([]), - threatcategory_has_any: dynamic=dynamic([]), - alertverdict_has_any: dynamic=dynamic([]), - eventseverity_has_any: dynamic=dynamic([]), - disabled: bool=false) { - AlertEvidence - | where not(disabled) - | where (isnull(starttime) or TimeGenerated >= 
starttime) - and (isnull(endtime) or TimeGenerated <= endtime) - and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix))) - and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any))) - and ((array_length(username_has_any) == 0) or (AccountUpn has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any))) - and ((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any))) - and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any))) - // ThreatCategory filtering done later in the parser - // AlertVerdict filtering done later in the parser - and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser. 
- // Mapping Inspection Fields - | extend - EventUid = AlertId, - AlertName = Title, - AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict), - AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate), - AttackTactics = iff(Categories has_any (AttackTacticSet), replace(@"[\[\]\""]", "", Categories), ""), - AlertOriginalStatus = tostring(AdditionalFields.LastRemediationState), - AlertStatus = iif(isnotempty(AdditionalFields.LastRemediationState), iif(AdditionalFields.LastRemediationState == "Active", "Active", "Closed"), ""), - DetectionMethod = DetectionSource - | lookup AlertVerdictLookup on AlertVerdict_Custom - // Filter for AlertVerdict - | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any))) - | lookup IndicatorTypeLookup on EntityType - | lookup IndicatorAssociationLookup on EvidenceRole - // Mapping Threat Fields - | extend - ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "") - // Filter for ThreatCategory - | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any))) - // Mapping User Entity - | extend - UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)), - UserSid = coalesce(AccountSid, tostring(AdditionalFields.Account.Sid)), - Username = coalesce(AccountUpn, tostring(AdditionalFields.Account.UserPrincipalName)), - UserSessionId = tostring(AdditionalFields.SessionId), - UserScopeId = tostring(AdditionalFields.AadTenantId), - HttpUserAgent_s = tostring(AdditionalFields.UserAgent) - | extend - UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")), - UserId = coalesce(UserId, UserSid), - UserType = _ASIM_GetUserType(Username, UserSid), - UsernameType = _ASIM_GetUsernameType(Username) - // Mapping Device Entity - | extend - DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)), - 
DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP), - DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)), - DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)), - DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)), - DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2]))) - | extend DvcIdType = iif(isnotempty(DvcId), "MDEid", "") - | invoke _ASIM_ResolveDvcFQDN("DeviceName") - // Mapping Additional Fields - | extend - GeoCity_s = AdditionalFields.Location.City, - GeoCountry_s = AdditionalFields.Location.CountryCode, - GeoLatitude_s = AdditionalFields.Location.Latitude, - GeoLongitude_s = AdditionalFields.Location.Longitude, - GeoRegion_s = AdditionalFields.Location.State - // Mapping Process Entity - | extend - ProcessId = AdditionalFields.ProcessId, - ProcessCommandLine, - ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""), - ProcessFileCompany = AdditionalFields.Publisher, - // Parent Process Fields - ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId, - ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine, - ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""), - ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1, - ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256, - ParentProcessMD5_s = 
AdditionalFields.ParentProcess.ImageFile[1].MD5 - // Mapping File Entity - | extend - FileName, - FileDirectory = FolderPath, - FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), - FileSHA1 = SHA1, - FileSHA256 = SHA256, - FileMD5 = AdditionalFields.FileHashes[1].Value, - FileSize = FileSize - // Mapping Url Entity - | extend - Url = RemoteUrl - // Mapping Registry Entity - | extend - RegistryKey, - RegistryValue = RegistryValueName, - RegistryValueData, - ValueType = tostring(AdditionalFields.ValueType) - | lookup RegistryValueTypeLookup on ValueType - // Mapping Application Entity - | extend - AppId_s = ApplicationId, - AppName_s = Application - // Mapping Email Entity - | extend - EmailMessageId = NetworkMessageId, - EmailSubject - | extend AdditionalFields = bag_pack( - "AlertVerdictDate", - AlertVerdictDate_s, - "HttpUserAgent", - HttpUserAgent_s, - "GeoCity", - GeoCity_s, - "GeoCountry", - GeoCountry_s, - "GeoLatitude", - GeoLatitude_s, - "GeoLongitude", - GeoLongitude_s, - "GeoRegion", - GeoRegion_s, - "ParentProcessId", - ParentProcessId_s, - "ParentProcessCommandLine", - ParentProcessCommandLine_s, - "ParentProcessName", - ParentProcessName_s, - "ParentProcessSHA256", - ParentProcessSHA256_s, - "ParentProcessMD5", - ParentProcessMD5_s - ) - // Mapping common event fields - | extend - EventSubType = "Threat", // All events in AlertEvidence contains threat info - EventEndTime = TimeGenerated, - EventStartTime = TimeGenerated, - EventProduct = ServiceSource, - EventVendor = 'Microsoft', - EventSchema = 'AlertEvent', - EventSchemaVersion = '0.1', - EventType = 'Alert', - EventCount = int(1) - // MApping Alias - | extend - IpAddr = DvcIpAddr, - Hostname = DvcHostname, - User = Username - | project-away - Title, - Categories, - EntityType, - EvidenceRole, - DetectionSource, - ServiceSource, - ThreatFamily, - RemoteIP, - RemoteUrl, - AccountName, - AccountDomain, - DeviceName, - LocalIP, - 
AlertVerdict_Custom, - EvidenceDirection, - Account*, - ApplicationId, - Application, - *_s - }; - parser( - starttime = starttime, - endtime = endtime, - ipaddr_has_any_prefix = ipaddr_has_any_prefix, - hostname_has_any = hostname_has_any, - username_has_any = username_has_any, - attacktactics_has_any = attacktactics_has_any, - attacktechniques_has_any = attacktechniques_has_any, - threatcategory_has_any = threatcategory_has_any, - alertverdict_has_any = alertverdict_has_any, - eventseverity_has_any = eventseverity_has_any, - disabled = disabled + let IndicatorTypeLookup = datatable (EntityType: string, IndicatorType: string) + [ + "User", "User", + "Machine", "Host", + "Process", "Process", + "File", "File", + "Ip", "Ip", + "Url", "Url", + "RegistryValue", "Registry", + "CloudLogonSession", "LogonSession", + "CloudApplication", "Application", + "Mailbox", "Mailbox", + "MailMessage", "Email", + "CloudResource", "Cloud Resource" + ]; + let IndicatorAssociationLookup = datatable (EvidenceRole: string, IndicatorAssociation: string) + [ + "Related", "Associated", + "Impacted", "Targeted" + ]; + let RegistryValueTypeLookup = datatable (ValueType: string, RegistryValueType: string) + [ + "ExpandString", "Reg_Expand_Sz" + ]; + let AlertVerdictLookup = datatable (AlertVerdict_Custom: string, AlertVerdict: string) + [ + "Malicious", "True Positive", + "Suspicious", "True Positive", + "NoThreatsFound", "Benign Positive" + ]; + let AttackTacticSet = dynamic(["Exfiltration", "PrivilegeEscalation", "Persistence", "LateralMovement", "Execution", "Discovery", "InitialAccess", "CredentialAccess", "DefenseEvasion", "CommandAndControl", "Impact"]); + let ThreatCategorySet = dynamic(["Malware", "Ransomware", "Trojan", "Virus", "Worm", "Adware", "Spyware", "Rootkit", "Cryptominor", "Phishing", "Spam", "MaliciousUrl", "Spoofing", "Security Policy Violation", "Unknown", "SuspiciousActivity"]); + let parser = (starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + 
ipaddr_has_any_prefix: dynamic=dynamic([]), + hostname_has_any: dynamic=dynamic([]), + username_has_any: dynamic=dynamic([]), + attacktactics_has_any: dynamic=dynamic([]), + attacktechniques_has_any: dynamic=dynamic([]), + threatcategory_has_any: dynamic=dynamic([]), + alertverdict_has_any: dynamic=dynamic([]), + eventseverity_has_any: dynamic=dynamic([]), + disabled: bool=false) { + AlertEvidence + | where not(disabled) + // Mapping Inspection Fields + | where (isnull(starttime) or Timestamp >= starttime) + and (isnull(endtime) or Timestamp <= endtime) + and ((array_length(ipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)) or (has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix))) + and ((array_length(hostname_has_any) == 0) or (DeviceName has_any (hostname_has_any)) or (tostring(AdditionalFields.Host.NetBiosName) has_any (hostname_has_any))) + and ((array_length(username_has_any) == 0) or (AccountName has_any (username_has_any)) or (tostring(AdditionalFields.Account.UserPrincipalName) has_any (username_has_any))) + and ((array_length(attacktactics_has_any) == 0) or (Categories has_any (attacktactics_has_any))) + and ((array_length(attacktechniques_has_any) == 0) or (AttackTechniques has_any (attacktechniques_has_any))) + // ThreatCategory filtering done later in the parser + // AlertVerdict filtering done later in the parser + and ((array_length(eventseverity_has_any) == 0)) // EventSeverity detail not available in this parser. 
+ | extend
+ temp_LocalMatch = has_any_ipv4_prefix(LocalIP, ipaddr_has_any_prefix),
+ temp_RemoteMatch = has_any_ipv4_prefix(RemoteIP, ipaddr_has_any_prefix),
+ temp_AdditionalFieldsMatch = has_any_ipv4_prefix(tostring(AdditionalFields.Host.IpInterfaces[0].Address), ipaddr_has_any_prefix)
+ | extend ASimMatchingIpAddr = case(
+ array_length(ipaddr_has_any_prefix) == 0, "-",
+ temp_LocalMatch, "Local",
+ temp_RemoteMatch, "Remote",
+ temp_AdditionalFieldsMatch, "AdditionalFields",
+ "No match" )
+ | project-rename
+ AlertName = Title,
+ DetectionMethod = DetectionSource
+ | extend
+ EventUid = AlertId,
+ AlertVerdict_Custom = tostring(AdditionalFields.ThreatAnalysisSummary[0].Verdict),
+ AlertVerdictDate_s = todatetime(AdditionalFields.ThreatAnalysisSummary[0].AnalysisDate),
+ AttackTactics = iff(Categories has_any (AttackTacticSet), replace_regex(Categories, @"[\[\]\""]", ""), ""),
+ | extend
+ AlertStatus = case(
+ AlertOriginalStatus == "Active", "Active",
+ isempty(AlertOriginalStatus), "",
+ "Closed"
+ )
+ // Filter for AlertVerdict
+ | lookup AlertVerdictLookup on AlertVerdict_Custom
+ | where ((array_length(alertverdict_has_any) == 0) or (AlertVerdict has_any (alertverdict_has_any)))
+ | lookup IndicatorTypeLookup on EntityType
+ | lookup IndicatorAssociationLookup on EvidenceRole
+ // Mapping Threat Fields
+ | extend
+ ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace(@"[\[\]\""]", "", Categories), "")
+ // Filter for ThreatCategory
+ | where ((array_length(threatcategory_has_any) == 0) or (ThreatCategory has_any (threatcategory_has_any)))
+ | lookup IndicatorTypeLookup on EntityType
+ | lookup IndicatorAssociationLookup on EvidenceRole
+ // Mapping Threat Fields
+ | extend
+ ThreatCategory = iif(Categories has_any (ThreatCategorySet), replace_regex(Categories, @"[\[\]\""]", ""), "")
+ // Mapping User Entity
+ | extend
+ UserId = coalesce(AccountObjectId, tostring(AdditionalFields.Account.AadUserId)),
+ UserSid = coalesce(AccountSid, 
tostring(AdditionalFields.Account.Sid)),
+ Username = coalesce(AccountName, tostring(AdditionalFields.Account.UserPrincipalName)),
+ UserSessionId = tostring(AdditionalFields.SessionId),
+ UserScopeId = tostring(AdditionalFields.AadTenantId),
+ HttpUserAgent_s = tostring(AdditionalFields.UserAgent)
+ | extend
+ UserIdType = iif(isnotempty(UserId), "EntraUserID", iif(isnotempty(UserSid), "SID", "")),
+ UserId = coalesce(UserId, UserSid),
+ UserType = _ASIM_GetUserType(Username, UserSid),
+ UsernameType = _ASIM_GetUsernameType(Username)
+ // Mapping Device Entity
+ | extend
+ DvcId = coalesce(DeviceId, tostring(AdditionalFields.Host.MachineId)),
+ DvcIpAddr = coalesce(LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address), RemoteIP),
+ DvcOs = tostring(coalesce(AdditionalFields.OSFamily, AdditionalFields.Host.OSFamily)),
+ DvcOsVersion = tostring(coalesce(AdditionalFields.OSVersion, AdditionalFields.Host.OSVersion)),
+ DeviceName = coalesce(DeviceName, tostring(AdditionalFields.Host.NetBiosName)),
+ DvcScopeId = coalesce(tostring(split(AdditionalFields.AzureID, "/")[2]), (tostring(split(AdditionalFields.ResourceId, "/")[2])))
+ | extend DvcIdType = iif(isnotempty(DvcId), "FQDN", "")
+ | invoke _ASIM_ResolveDvcFQDN("DeviceName")
+ // Mapping Additional Fields
+ | extend
+ GeoCity_s = AdditionalFields.Location.City,
+ GeoCountry_s = AdditionalFields.Location.CountryCode,
+ GeoLatitude_s = AdditionalFields.Location.Latitude,
+ GeoLongitude_s = AdditionalFields.Location.Longitude,
+ GeoRegion_s = AdditionalFields.Location.State
+ // Mapping Process Entity
+ | extend
+ ProcessId = tostring(AdditionalFields.ProcessId),
+ ProcessCommandLine,
+ ProcessName = iif(IndicatorType == "Process", iif(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName), ""),
+ ProcessFileCompany = tostring(AdditionalFields.Publisher),
+ // Parent Process Fields
+ ParentProcessId_s = AdditionalFields.ParentProcess.ProcessId,
+ 
ParentProcessCommandLine_s = AdditionalFields.ParentProcess.CommandLine,
+ ParentProcessName_s = iif(IndicatorType == "Process", iif(isnotempty(AdditionalFields.ParentProcess.ImageFile.Directory) and isnotempty(AdditionalFields.ParentProcess.ImageFile.Name), strcat (AdditionalFields.ParentProcess.ImageFile.Directory, "\\", AdditionalFields.ParentProcess.ImageFile.Name), coalesce(AdditionalFields.ParentProcess.ImageFile.Name, AdditionalFields.ParentProcess.FriendlyName)), ""),
+ ParentProcessSHA1_s = AdditionalFields.ParentProcess.ImageFile[0].SHA1,
+ ParentProcessSHA256_s = AdditionalFields.ParentProcess.ImageFile[2].SHA256,
+ ParentProcessMD5_s = AdditionalFields.ParentProcess.ImageFile[1].MD5
+ // Mapping File Entity
+ | extend
+ FileName,
+ FilePath = iff(isnotempty(FolderPath) and isnotempty(FileName), strcat(FolderPath, '\\', FileName), FileName),
+ FileMD5 = tostring(AdditionalFields.FileHashes[1].Value),
+ FileSize
+ | project-rename
+ FileDirectory = FolderPath,
+ FileSHA1 = SHA1,
+ FileSHA256 = SHA256,
+ Url = RemoteUrl
+ // Mapping Registry Entity
+ | extend
+ RegistryKey,
+ RegistryValueData,
+ ValueType = tostring(AdditionalFields.ValueType)
+ | lookup RegistryValueTypeLookup on ValueType
+ // Mapping Application Entity
+ | extend
+ AppId_s = ApplicationId,
+ AppName_s = Application
+ // Mapping Email Entity
+ | extend
+ EmailSubject
+ // Creating IpAddress list in AdditionalFields
+ | extend IpAddresses = pack_array(RemoteIP, LocalIP, tostring(AdditionalFields.Host.IpInterfaces[0].Address))
+ | mv-apply IpAddress = IpAddresses on (where isnotempty(IpAddress) | summarize IpAddresses = make_set(IpAddress))
+ | extend AdditionalFields = bag_pack(
+ "AlertVerdictDate",
+ AlertVerdictDate_s,
+ "HttpUserAgent",
+ HttpUserAgent_s,
+ "GeoCity",
+ GeoCity_s,
+ "GeoCountry",
+ GeoCountry_s,
+ "GeoLatitude",
+ GeoLatitude_s,
+ "GeoLongitude",
+ GeoLongitude_s,
+ "GeoRegion",
+ GeoRegion_s,
+ "ParentProcessId",
+ ParentProcessId_s,
+ "ParentProcessCommandLine",
+ 
ParentProcessCommandLine_s,
+ "ParentProcessName",
+ ParentProcessName_s,
+ "ParentProcessSHA256",
+ ParentProcessSHA256_s,
+ "ParentProcessMD5",
+ ParentProcessMD5_s,
+ "AppId",
+ AppId_s,
+ "AppName",
+ AppName_s,
+ "FileDirectory",
+ FileDirectory,
+ "IpAddresses",
+ IpAddresses
+ )
+ | project-rename
+ RegistryValue = RegistryValueName,
+ EmailMessageId = NetworkMessageId
+ // Mapping common event fields
+ | extend
+ Type = "AlertEvidence",
+ EventSubType = "Threat", // All events in AlertEvidence contains threat info
+ TimeGenerated = Timestamp,
+ EventEndTime = Timestamp,
+ EventStartTime = Timestamp,
+ EventProduct = ServiceSource,
+ EventVendor = 'Microsoft',
+ EventSchema = 'AlertEvent',
+ EventSchemaVersion = '0.1',
+ EventType = 'Alert',
+ EventCount = int(1)
+ // Mapping Alias
+ | extend
+ IpAddr = DvcIpAddr,
+ Hostname = DvcHostname,
+ User = Username,
+ AlertId = EventUid
+ | project
+ TimeGenerated,
+ Type,
+ AlertId,
+ EventUid,
+ AlertName,
+ AttackTactics,
+ AlertOriginalStatus,
+ AlertStatus,
+ DetectionMethod,
+ AlertVerdict,
+ IndicatorType,
+ IndicatorAssociation,
+ ThreatCategory,
+ UserId,
+ Username,
+ UserSessionId,
+ UserIdType,
+ UserType,
+ UsernameType,
+ DvcId,
+ DvcIpAddr,
+ DvcOs,
+ DvcOsVersion,
+ DvcScopeId,
+ DvcIdType,
+ DvcHostname,
+ DvcDomain,
+ DvcFQDN,
+ DvcDomainType,
+ ProcessId,
+ ProcessCommandLine,
+ ProcessName,
+ ProcessFileCompany,
+ FileName,
+ FilePath,
+ FileSHA1,
+ FileSHA256,
+ FileMD5,
+ FileSize,
+ Url,
+ RegistryKey,
+ RegistryValue,
+ RegistryValueData,
+ RegistryValueType,
+ EmailMessageId,
+ EmailSubject,
+ AdditionalFields,
+ EventSubType,
+ EventEndTime,
+ EventStartTime,
+ EventProduct,
+ EventVendor,
+ EventSchema,
+ EventSchemaVersion,
+ EventType,
+ EventCount,
+ IpAddr,
+ Hostname,
+ User,
+ ASimMatchingIpAddr
+ };
+ parser(
+ starttime = starttime,
+ endtime = endtime,
+ ipaddr_has_any_prefix = ipaddr_has_any_prefix,
+ hostname_has_any = hostname_has_any,
+ username_has_any = username_has_any,
+ 
attacktactics_has_any = attacktactics_has_any,
+ attacktechniques_has_any = attacktechniques_has_any,
+ threatcategory_has_any = threatcategory_has_any,
+ alertverdict_has_any = alertverdict_has_any,
+ eventseverity_has_any = eventseverity_has_any,
+ disabled = disabled
+ )