diff --git a/.script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json b/.script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json
index 9b4a4456d0b..4979a2ce6fb 100644
--- a/.script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json
+++ b/.script/tests/KqlvalidationsTests/CustomFunctions/AWSCloudTrail.json
@@ -146,6 +146,10 @@
 "name": "EC2RoleDelivery",
 "type": "String"
 },
+ {
+ "name": "UserIdentityAccessKeyId",
+ "type": "String"
+ },
 {
 "name": "Session*",
 "type": "String"
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
index be750d761ab..8e8661122fd 100644
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@@ -723,7 +723,7 @@ EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|Clou
 EventProduct,string,Mandatory,Common,,,
 EventProduct,string,Mandatory,DhcpEvent,,BloxOne,
 EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate|BloxOne,
-EventProduct,string,Mandatory,FileEvent,Enumerated,Security Events|Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne|Carbon Black Cloud|Workspace,
+EventProduct,string,Mandatory,FileEvent,Enumerated,Security Events|Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne|Carbon Black Cloud|Workspace|Cloudtrail,
 EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake|Core|Azure NSG flows,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
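Review bot: The value added to the FileEvent EventProduct enumeration is `Cloudtrail`, but the new parser in ASimFileEventAWSCloudTrail.json emits `EventProduct = "CloudTrail"`; if the tester compares enumerated values case-sensitively, every row from that parser will fail validation against this list. Align the two spellings — either `...|Carbon Black Cloud|Workspace|CloudTrail,` here or `EventProduct = "Cloudtrail"` in the parser — matching whichever casing this file already uses for CloudTrail in other schemas' rows, which are outside this hunk.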
@@ -842,7 +842,7 @@ EventType,string,Mandatory,Authentication,Enumerated,Logon|Logoff|Elevate,
 EventType,string,Mandatory,Common,Enumerated,Placeholder,
 EventType,string,Mandatory,DhcpEvent,Enumerated,Assign|Renew|Release|DNS Update|,
 EventType,string,Mandatory,Dns,Enumerated,Query|Status|Notify|Update|DNS Stateful Operations,
-EventType,string,Mandatory,FileEvent,Enumerated,FileAccessed|FileCreated|FileModified|FileDeleted|FileRenamed|FileCopied|FileMoved|FolderCreated|FolderDeleted|FolderMoved|FolderCopied|FolderModified|FileCreatedOrModified|FileAttributesUpdated,
+EventType,string,Mandatory,FileEvent,Enumerated,FileAccessed|FileCreated|FileModified|FileDeleted|FileRenamed|FileCopied|FileMoved|FolderCreated|FolderDeleted|FolderMoved|FolderCopied|FolderModified|FileCreatedOrModified|FileAttributesUpdated|FolderAttributesAccessed,
 EventType,string,Mandatory,NetworkSession,Enumerated,NetworkSession|L2NetworkSession|EndpointNetworkSession|Flow,
 EventType,string,Mandatory,ProcessEvent,Enumerated,ProcessCreated|ProcessTerminated,
 EventType,string,Mandatory,RegistryEvent,Enumerated,RegistryKeyCreated|RegistryKeyDeleted|RegistryKeyRenamed|RegistryValueDeleted|RegistryValueSet,
@@ -866,7 +866,7 @@ EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|
 EventVendor,string,Mandatory,Common,,,
 EventVendor,string,Mandatory,DhcpEvent,,Infoblox,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne|Fortinet,
-EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware|Google,
+EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware|Google|AWS,
 EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall|Illumio,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne|VMware|TrendMicro,
 EventVendor,string,Mandatory,RegistryEvent,Enumerated,Microsoft|SentinelOne|VMware|Trend Micro,
diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json
index fb2f5f114da..f13478af263 100644
--- a/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEvent/ASimFileEvent.json
@@ -27,7 +27,7 @@ "displayName": "File event ASIM parser", "category": "ASIM", "FunctionAlias": "ASimFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n 
ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),\n ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) )))\n };\n parser (pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimFileEventEmpty,\n ASimFileEventLinuxSysmonFileCreated(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileCreated' in (DisabledParsers) ))),\n ASimFileEventLinuxSysmonFileDeleted(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventLinuxSysmonFileDeleted' in (DisabledParsers) ))),\n ASimFileEventAzureBlobStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureBlobStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoft365D(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoft365D' in (DisabledParsers) ))),\n ASimFileEventAzureFileStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureFileStorage' in (DisabledParsers) ))),\n 
ASimFileEventAzureQueueStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureQueueStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSharePoint(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSharePoint' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmon(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmon' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSysmonWindowsEvent(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers) ))),\n ASimFileEventAzureTableStorage(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAzureTableStorage' in (DisabledParsers) ))),\n ASimFileEventMicrosoftWindowsEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftWindowsEvents' in (DisabledParsers) ))),\n ASimFileEventMicrosoftSecurityEvents(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventMicrosoftSecurityEvents' in (DisabledParsers) ))),\n ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),\n ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),\n ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),\n ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) ))),\n ASimFileEventAWSCloudTrail(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAWSCloudTrail' in (DisabledParsers) )), pack)\n };\n parser (pack=pack)\n", "version": 1, "functionParameters": "pack:bool=False" } diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/ASimFileEventAWSCloudTrail.json b/Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/ASimFileEventAWSCloudTrail.json new file mode 100644 index 00000000000..4b1e3600b5a --- /dev/null 
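Review bot: The new union member `ASimFileEventAWSCloudTrail(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAWSCloudTrail' in (DisabledParsers) )), pack)` mixes a named argument with a positional one, while every other entry in this union passes only `disabled=...`; if the Kusto function invocation rejects mixed named and positional arguments the whole union fails to bind, so `pack=pack` is the safer form. It is also the only source-specific parser here that receives `pack`, so `ASimFileEvent(pack=true)` populates AdditionalFields only for the AWS CloudTrail rows; if that is intended, a short remark in the parser's documentation would stop the next reader from assuming `pack` is honoured across all sources.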
+++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/ASimFileEventAWSCloudTrail.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/ASimFileEventAWSCloudTrail')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "FileEvent ASIM parser for AWS Cloud Trail", + "category": "ASIM", + "FunctionAlias": "ASimFileEventAWSCloudTrail", + "query": "let ParseS3Events = (T: (EventSource: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic, Resources: dynamic)) {\n let S3EventNameLookup = datatable(EventName: string, EventType: string, EventSubType: string)\n [ \n \"CompleteMultipartUpload\", \"FileCreated\", \"Checkin\",\n \"CopyObject\", \"FileCopied\", \"\",\n \"CreateBucket\", \"FolderCreated\", \"\",\n \"CreateBucketMetadataConfiguration\", \"FolderModified\", \"\",\n \"CreateBucketMetadataTableConfiguration\", \"FolderModified\", \"\",\n \"CreateMultipartUpload\", \"FileCreated\", \"Checkin\",\n \"DeleteBucket\", \"FolderDeleted\", \"\",\n \"DeleteBucketAnalyticsConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketCors\", \"FolderModified\", \"\",\n \"DeleteBucketEncryption\", \"FolderModified\", \"\",\n \"DeleteBucketIntelligentTieringConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketInventoryConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketLifecycle\", 
\"FolderModified\", \"\",\n \"DeleteBucketMetadataConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketMetadataTableConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketMetricsConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketOwnershipControls\", \"FolderModified\", \"\",\n \"DeleteBucketPolicy\", \"FolderModified\", \"\",\n \"DeleteBucketReplication\", \"FolderModified\", \"\",\n \"DeleteBucketTagging\", \"FolderModified\", \"\",\n \"DeleteBucketWebsite\", \"FolderModified\", \"\",\n \"DeleteObject\", \"FileDeleted\", \"\",\n \"DeleteObjects\", \"FileDeleted\", \"\",\n \"DeleteObjectTagging\", \"FileAttributesUpdated\", \"\",\n \"DeletePublicAccessBlock\", \"FileAttributesUpdated\", \"\",\"\"\n \"GetBucketAbac\", \"FolderAttributesAccessed\", \"\",\n \"GetBuckeAccelerateConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketAcl\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketAnalyticsConfiguation\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketCors\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketEncryption\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketIntelligentTieringConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketInventoryConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLifecycle\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLifecycleConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLocation\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLogging\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketMetadataConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketMetadataTableConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketMetricsConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketNotification\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketNotificationConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketOwnershipControls\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketPolicy\", 
\"FolderAttributesAccessed\", \"\",\n \"GetBucketPolicyStatus\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketReplication\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketRequestPayment\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketTagging\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketVersioning\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketWebsite\", \"FolderAttributesAccessed\", \"\",\n \"GetObject\", \"FileAccessed\", \"Download\",\n \"GetObjectAcl\", \"FileAccessed\", \"\",\n \"GetObjectAttributes\", \"FileAccessed\", \"\",\n \"GetObjectLegalHold\", \"FileAccessed\", \"\",\n \"GetObjectLockConfiguration\", \"FileAccessed\", \"\",\n \"GetObjectRetention\", \"FileAccessed\", \"\",\n \"GetObjectTagging\", \"FileAccessed\", \"\",\n \"GetObjectTorrent\", \"FileAccessed\", \"\",\n \"GetPublicAccessBlock\", \"FolderAttributesAccessed\", \"\",\n \"HeadBucket\", \"FolderAttributesAccessed\", \"\",\n \"HeadObject\", \"FileAccessed\", \"\",\n \"ListBucketAnalyticsConfigurations\", \"FolderAttributesAccessed\", \"\",\n \"ListBucketIntelligentTieringConfigurations\", \"FolderAttributesAccessed\", \"\",\n \"ListBucketMetricsConfigurations\", \"FolderAttributesAccessed\", \"\",\n \"ListBuckets\", \"FolderAttributesAccessed\", \"\",\n \"ListDirectoryBuckets\", \"FolderAttributesAccessed\", \"\",\n \"ListObjects\", \"FileAccessed\", \"\",\n \"ListObjectsV2\", \"FileAccessed\", \"\",\n \"ListObjectversions\", \"FileAccessed\", \"\",\n \"ListParts\", \"FileAccessed\", \"\",\n \"PutBucketAbac\", \"FolderModified\", \"\",\n \"PutBucketAccelerateConfiguration\", \"FolderModified\", \"\",\n \"PutBucketAcl\", \"FolderModified\", \"\",\n \"PutBucketAnalayticsConfiguration\", \"FolderModified\", \"\",\n \"PutBucketCors\", \"FolderModified\", \"\",\n \"PutBucketEncryption\", \"FolderModified\", \"\",\n \"PutBucketIntelligentTieringConfiguration\", \"FolderModified\", \"\",\n \"PutBucketInventoryConfiguration\", \"FolderModified\", \"\",\n \"PutBucketLifecycle\", 
\"FolderModified\", \"\",\n \"PutBucketLifecycleConfiguration\", \"FolderModified\", \"\",\n \"PutBucketLogging\", \"FolderModified\", \"\",\n \"PutBucketMetricsConfiguration\", \"FolderModified\", \"\",\n \"PutBucketNotification\", \"FolderModified\", \"\",\n \"PutBucketNotificationConfiguration\", \"FolderModified\", \"\",\n \"PutBucketOwnershipControls\", \"FolderModified\", \"\",\n \"PutBucketPolicy\", \"FolderModified\", \"\",\n \"PutBucketReplication\", \"FolderModified\", \"\",\n \"PutBucketRequestPayment\", \"FolderModified\", \"\",\n \"PutBucketTagging\", \"FolderModified\", \"\",\n \"PutBucketVersioning\", \"FolderModified\", \"\",\n \"PutBucketWebsite\", \"FolderModified\", \"\",\n \"PutObject\", \"FileCreated\", \"Upload\",\n \"PutObjectAcl\", \"FileAttributesUpdated\", \"\",\n \"PutObjectLegalHold\", \"FileAttributesUpdated\", \"\",\n \"PutObjectLockConfiguration\", \"FileAttributesUpdated\", \"\",\n \"PutObjectRetention\", \"FileAttributesUpdated\", \"\",\n \"PutObjectTagging\", \"FileAttributesUpdated\", \"\",\n \"PutPublicAccessBlock\", \"FolderModified\", \"\",\n \"RenameObject\", \"FileRenamed\", \"\",\n \"RestoreObject\", \"FileCreated\", \"\",\n \"SelectObjectContent\", \"FileAccessed\", \"\",\n \"UpdateBucketMetadataInventoryTableConfiguration\", \"FolderModified\", \"\",\n \"UpdateBucketMetadataJournalTableConfiguration\", \"FolderModified\", \"\",\n \"UpdateObjectEncryption\", \"FileAttributesUpdated\", \"\",\n \"UploadPart\", \"FileCreated\", \"Upload\",\n \"UploadPartCopy\", \"FileCreated\", \"Upload\"\n // Omitted Actions\n // AbortMultipartUpload\n // CreateSession\n // ListMultipartUploads\n // WriteGetObjectResponse\n ];\n T\n | where EventSource == \"s3.amazonaws.com\"\n | lookup S3EventNameLookup on EventName\n | where isnotempty(EventType)\n | extend EventSubType = case(\n EventType == \"FileDeleted\" and ResponseElements[\"a-amz-delete-marker\"] == true, \"Versions\",\n EventSubType\n )\n | extend\n TargetFileDirectory = 
tostring(RequestParameters.bucketName),\n TargetFileName = coalesce(tostring(RequestParameters.key), tostring(RequestParameters.prefix))\n | extend\n TargetFilePathType = \"Unix\",\n TargetFilePath = strcat(TargetFileDirectory, \"/\", TargetFileName),\n TargetAppType = \"Service\"\n | extend\n SrcFilePath = tostring(RequestParameters[\"x-amz-copy-source\"])\n // Avoids using mv-apply as it filters insteads of assigning null\n // At most, the Resources array contains two objects: Bucket and Object\n // Resources may contain no objects, or just one of Bucket or Object\n | extend AdditionalData = iff(pack, bag_pack(\n \"BucketARN\", coalesce(\n iff(Resources[0].type == \"AWS::S3::Bucket\", tostring(Resources[0].ARN), \"\"),\n iff(Resources[1].type == \"AWS::S3::Bucket\", tostring(Resources[1].ARN), \"\")),\n \"ObjectARN\", coalesce(\n iff(Resources[0].type == \"AWS::S3::Object\", tostring(Resources[0].ARN), \"\"),\n iff(Resources[1].type == \"AWS::S3::Object\", tostring(Resources[1].ARN), \"\"))\n ), dynamic([]))\n};\nlet parser = (disabled: bool, pack: bool) {\nlet SupportedEventSources = dynamic([\n \"s3.amazonaws.com\"\n]);\nlet EventSourceNameLookup = datatable(EventSource: string, TargetAppName: string)\n[\n \"s3.amazonaws.com\", \"Amazon S3\"\n];\nlet SupportedEvents = AWSCloudTrail\n | where EventSource in (SupportedEventSources)\n | extend RequestParameters = todynamic(RequestParameters), ResponseElements = todynamic(ResponseElements), Resources = todynamic(Resources);\nunion isfuzzy=false\nParseS3Events(SupportedEvents)\n| extend\n Type = \"AWSCloudTrail\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = \"Informational\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventVendor = \"AWS\",\n EventProduct = \"CloudTrail\",\n Dvc = \"CloudTrail\",\n EventResult = iff(isempty(ErrorCode) and isempty(ErrorMessage), \"Success\", \"Failure\"),\n EventMessage = ErrorMessage\n| lookup 
EventSourceNameLookup on EventSource\n| project-rename\n EventOriginalSubType = EventTypeName,\n EventOriginalType = EventName,\n EventUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n EventProductVersion = EventVersion\n| project-rename\n ActorUserId = UserIdentityAccountId,\n ActorUsername = UserIdentityUserName,\n ActorOriginalUserType = UserIdentityType,\n HttpUserAgent = UserAgent\n| extend\n ActorUserIdType = iff(isempty(ActorUserId), \"\", \"AWSId\"),\n ActorUsernameType = iff(isempty(ActorUsername), \"\", \"Simple\"),\n SrcIpAddr = iff(ipv4_is_in_range(SourceIpAddress, \"0.0.0.0/0\"), SourceIpAddress, \"\")\n| extend AdditionalFields = iff(pack, bag_pack(\n \"ActorAccessKeyId\", UserIdentityAccessKeyId,\n \"AWSRegion\", AWSRegion,\n \"APIVersion\", APIVersion,\n \"ManagementEvent\", ManagementEvent,\n \"ReadOnly\", ReadOnly,\n \"RequestParameters\", RequestParameters,\n \"ResponseElements\", ResponseElements\n), dynamic([]))\n| extend AdditionalFields = iff(pack, bag_merge(AdditionalFields, AdditionalData), dynamic([]))\n// Alias\n| extend\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Application = TargetAppName\n| project\n TimeGenerated,\n Type,\n EventCount,\n EventStartTime,\n EventEndTime,\n EventSeverity,\n EventSchema,\n EventSchemaVersion,\n EventVendor,\n EventProduct,\n Dvc,\n EventResult,\n EventMessage,\n TargetAppName,\n EventOriginalSubType,\n EventOriginalType,\n EventUid,\n EventOriginalResultDetails,\n EventProductVersion,\n ActorUserId,\n ActorUsername,\n ActorOriginalUserType,\n HttpUserAgent,\n ActorUserIdType,\n ActorUsernameType,\n SrcIpAddr,\n AdditionalFields,\n User,\n IpAddr,\n FileName,\n FilePath,\n Application,\n TargetAppType,\n EventType,\n EventSubType,\n TargetFileDirectory,\n TargetFileName,\n TargetFilePathType,\n TargetFilePath,\n SrcFilePath\n};\nparser(disabled=disabled, pack=pack)", + "version": 1, + "functionParameters": 
"disabled:bool=False,pack:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/README.md b/Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/README.md new file mode 100644 index 00000000000..2bd2dfd7cb1 --- /dev/null +++ b/Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/README.md @@ -0,0 +1,21 @@ +# AWS Cloud Trail ASIM FileEvent Normalization Parser + +ARM template for ASIM FileEvent schema parser for AWS Cloud Trail. + +This ASIM parser supports normalizing file activity in AWS Cloud Trail for the following event sources: (s3.amazonaws.com) + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM FileEvent normalization schema reference](https://aka.ms/ASimFileEventDoc) + +For the changelog, see: +- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/CHANGELOG/ASimFileEventAWSCloudTrail.md) + +
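Review bot: The S3EventNameLookup datatable is malformed at the DeletePublicAccessBlock row: `"DeletePublicAccessBlock", "FileAttributesUpdated", "",""` is followed by `"GetBucketAbac"` with no comma, so the three-column literal either fails to parse or misaligns every row after it; it should read `"DeletePublicAccessBlock", "FolderModified", "",` (the bucket-level mapping used for the Put/Get PublicAccessBlock counterparts, if that is the intent). The `disabled` parameter is declared on `parser` but never applied — `SupportedEvents` filters only on `EventSource in (SupportedEventSources)` — so add `| where not(disabled)` there, otherwise the `ExcludeASimFileEventAWSCloudTrail` watchlist switch wired up in ASimFileEvent.json has no effect on this parser. `SrcIpAddr = iff(ipv4_is_in_range(SourceIpAddress, "0.0.0.0/0"), SourceIpAddress, "")` blanks every IPv6 source address along with the non-IP values it is presumably meant to drop, so detections keyed on SrcIpAddr silently miss IPv6 clients; accept IPv6 as well (e.g. via `ipv6_is_match`) and comment the intent on that line. Several lookup keys look misspelled against the S3 API names and will never match the case-sensitive lookup — `GetBuckeAccelerateConfiguration`, `GetBucketAnalyticsConfiguation`, `PutBucketAnalayticsConfiguration`, `ListObjectversions` — and `ResponseElements["a-amz-delete-marker"]` is most likely meant to be `x-amz-delete-marker`.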
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAWSCloudTrail%2FASimFileEventAWSCloudTrail.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FASimFileEventAWSCloudTrail%2FASimFileEventAWSCloudTrail.json)
diff --git a/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json b/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json
index 96e66f419f2..5d65e8a226b 100644
--- a/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json
+++ b/Parsers/ASimFileEvent/ARM/FullDeploymentFileEvent.json
@@ -38,6 +38,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedASimFileEventAWSCloudTrail",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/ASimFileEventAWSCloudTrail/ASimFileEventAWSCloudTrail.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
@@ -378,6 +398,26 @@
 }
 }
 },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "linkedvimFileEventAWSCloudTrail",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/vimFileEventAWSCloudTrail.json",
+ "contentVersion": "1.0.0.0"
+ },
+ "parameters": {
+ "Workspace": {
+ "value": "[parameters('Workspace')]"
+ },
+ "WorkspaceRegion": {
+ "value": "[parameters('WorkspaceRegion')]"
+ }
+ }
+ }
+ },
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
diff --git a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json
index b0f2d6397f2..fa36599ee2e 100644
--- a/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json
+++ b/Parsers/ASimFileEvent/ARM/imFileEvent/imFileEvent.json
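Review bot: The linked deployment `linkedvimFileEventAWSCloudTrail` resolves `Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/vimFileEventAWSCloudTrail.json` from the master branch at deploy time, but no such file is added in the part of this diff that is visible — only the ASim variant is. If the commit does not ship that template, deploying FullDeploymentFileEvent.json will fail on this resource when the template link cannot be fetched; confirm the vim parser is part of the same change, or hold this resource back until it lands.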
@@ -27,7 +27,7 @@ "displayName": "ASIM Source Agnostic File Events Parser", "category": "ASIM", "FunctionAlias": "imFileEvent", - "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, 
eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, 
srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or 
('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))),\n vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventGoogleWorkspace' in (DisabledParsers))))\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", + "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers')\n| where SearchKey in ('Any', 'ExcludevimFile')\n| extend SourceSpecificParser=column_ifexists('SourceSpecificParser', '')\n| distinct SourceSpecificParser\n| where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));\nlet parser=(\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n pack: bool=false\n ) {\n union isfuzzy=true\n vimFileEventEmpty,\n vimFileEventLinuxSysmonFileCreated(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileCreated' in (DisabledParsers)))),\n 
vimFileEventLinuxSysmonFileDeleted(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventLinuxSysmonFileDeleted' in (DisabledParsers)))),\n vimFileEventAzureBlobStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureBlobStorage' in (DisabledParsers)))),\n vimFileEventMicrosoft365D(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoft365D' in (DisabledParsers)))),\n vimFileEventAzureFileStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureFileStorage' in (DisabledParsers)))),\n vimFileEventAzureQueueStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, 
targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureQueueStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftSharePoint(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSharePoint' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmon(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmon' in (DisabledParsers)))),\n vimFileEventMicrosoftSysmonWindowsEvent(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSysmonWindowsEvent' in (DisabledParsers)))),\n vimFileEventAzureTableStorage(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, 
disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAzureTableStorage' in (DisabledParsers)))),\n vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),\n vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))),\n vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),\n vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventSentinelOne' in (DisabledParsers)))),\n vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, 
srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),\n vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventGoogleWorkspace' in (DisabledParsers)))),\n vimFileEventAWSCloudTrail(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAWSCloudTrail' in (DisabledParsers))), pack)\n};\nparser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)\n", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" } diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/README.md b/Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/README.md new file mode 100644 index 00000000000..4ec827c357b --- /dev/null +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/README.md @@ -0,0 +1,21 @@ +# AWS Cloud Trail ASIM FileEvent Normalization Parser + +ARM template for ASIM FileEvent schema parser for AWS Cloud Trail. + +This ASIM parser supports normalizing file activity in AWS Cloud Trail for the following event sources: (s3.amazonaws.com) + + +The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace. + +For more information, see: + +- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM) +- [Deploy all of ASIM](https://aka.ms/DeployASIM) +- [ASIM FileEvent normalization schema reference](https://aka.ms/ASimFileEventDoc) + +For the changelog, see: +- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/CHANGELOG/vimFileEventAWSCloudTrail.md) + +
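Review bot: The new `vimFileEventAWSCloudTrail(...)` union member passes `pack` positionally after the named `disabled=` argument, while none of the other fourteen members receive `pack` at all, so a caller setting `pack=true` gets AdditionalFields populated only for CloudTrail rows and defaults everywhere else — inconsistent for a source-agnostic parser. Whether Kusto accepts a positional argument after a named one should be verified against the other ASIM union parsers; the unambiguous form is `disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAWSCloudTrail' in (DisabledParsers))), pack=pack)`. The same line also renames the watchlist keys for SentinelOne, VMwareCarbonBlackCloud and GoogleWorkspace to their `Exclude…` form, which is a behavioural change for workspaces whose `ASimDisabledParsers` rows still use the old unprefixed names; the changelog entry "Fix Exclude statement" should say explicitly that those rows must be updated or the parsers will silently re-enable.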
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FvimFileEventAWSCloudTrail%2FvimFileEventAWSCloudTrail.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimFileEvent%2FARM%2FvimFileEventAWSCloudTrail%2FvimFileEventAWSCloudTrail.json) diff --git a/Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/vimFileEventAWSCloudTrail.json b/Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/vimFileEventAWSCloudTrail.json new file mode 100644 index 00000000000..b9fed4ebefb --- /dev/null +++ b/Parsers/ASimFileEvent/ARM/vimFileEventAWSCloudTrail/vimFileEventAWSCloudTrail.json 
@@ -0,0 +1,36 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "Workspace": { + "type": "string", + "metadata": { + "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group." + } + }, + "WorkspaceRegion": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "The region of the selected workspace. The default value will use the Region selection above." + } + } + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/savedSearches", + "apiVersion": "2020-08-01", + "name": "[concat(parameters('Workspace'), '/vimFileEventAWSCloudTrail')]", + "location": "[parameters('WorkspaceRegion')]", + "properties": { + "etag": "*", + "displayName": "FileEvent ASIM filtersiltering parser for AWS Cloud Trail", + "category": "ASIM", + "FunctionAlias": "vimFileEventAWSCloudTrail", + "query": "let ParseS3Events = (T: (EventSource: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic, Resources: dynamic)) {\n let S3EventNameLookup = datatable(EventName: string, EventType: string, EventSubType: string)\n [ \n \"CompleteMultipartUpload\", \"FileCreated\", \"Checkin\",\n \"CopyObject\", \"FileCopied\", \"\",\n \"CreateBucket\", \"FolderCreated\", \"\",\n \"CreateBucketMetadataConfiguration\", \"FolderModified\", \"\",\n \"CreateBucketMetadataTableConfiguration\", \"FolderModified\", \"\",\n \"CreateMultipartUpload\", \"FileCreated\", \"Checkin\",\n \"DeleteBucket\", \"FolderDeleted\", \"\",\n \"DeleteBucketAnalyticsConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketCors\", \"FolderModified\", \"\",\n \"DeleteBucketEncryption\", \"FolderModified\", \"\",\n \"DeleteBucketIntelligentTieringConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketInventoryConfiguration\", \"FolderModified\", \"\",\n 
\"DeleteBucketLifecycle\", \"FolderModified\", \"\",\n \"DeleteBucketMetadataConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketMetadataTableConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketMetricsConfiguration\", \"FolderModified\", \"\",\n \"DeleteBucketOwnershipControls\", \"FolderModified\", \"\",\n \"DeleteBucketPolicy\", \"FolderModified\", \"\",\n \"DeleteBucketReplication\", \"FolderModified\", \"\",\n \"DeleteBucketTagging\", \"FolderModified\", \"\",\n \"DeleteBucketWebsite\", \"FolderModified\", \"\",\n \"DeleteObject\", \"FileDeleted\", \"\",\n \"DeleteObjects\", \"FileDeleted\", \"\",\n \"DeleteObjectTagging\", \"FileAttributesUpdated\", \"\",\n \"DeletePublicAccessBlock\", \"FileAttributesUpdated\", \"\",\"\"\n \"GetBucketAbac\", \"FolderAttributesAccessed\", \"\",\n \"GetBuckeAccelerateConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketAcl\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketAnalyticsConfiguation\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketCors\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketEncryption\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketIntelligentTieringConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketInventoryConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLifecycle\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLifecycleConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLocation\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketLogging\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketMetadataConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketMetadataTableConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketMetricsConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketNotification\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketNotificationConfiguration\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketOwnershipControls\", \"FolderAttributesAccessed\", \"\",\n 
\"GetBucketPolicy\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketPolicyStatus\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketReplication\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketRequestPayment\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketTagging\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketVersioning\", \"FolderAttributesAccessed\", \"\",\n \"GetBucketWebsite\", \"FolderAttributesAccessed\", \"\",\n \"GetObject\", \"FileAccessed\", \"Download\",\n \"GetObjectAcl\", \"FileAccessed\", \"\",\n \"GetObjectAttributes\", \"FileAccessed\", \"\",\n \"GetObjectLegalHold\", \"FileAccessed\", \"\",\n \"GetObjectLockConfiguration\", \"FileAccessed\", \"\",\n \"GetObjectRetention\", \"FileAccessed\", \"\",\n \"GetObjectTagging\", \"FileAccessed\", \"\",\n \"GetObjectTorrent\", \"FileAccessed\", \"\",\n \"GetPublicAccessBlock\", \"FolderAttributesAccessed\", \"\",\n \"HeadBucket\", \"FolderAttributesAccessed\", \"\",\n \"HeadObject\", \"FileAccessed\", \"\",\n \"ListBucketAnalyticsConfigurations\", \"FolderAttributesAccessed\", \"\",\n \"ListBucketIntelligentTieringConfigurations\", \"FolderAttributesAccessed\", \"\",\n \"ListBucketMetricsConfigurations\", \"FolderAttributesAccessed\", \"\",\n \"ListBuckets\", \"FolderAttributesAccessed\", \"\",\n \"ListDirectoryBuckets\", \"FolderAttributesAccessed\", \"\",\n \"ListObjects\", \"FileAccessed\", \"\",\n \"ListObjectsV2\", \"FileAccessed\", \"\",\n \"ListObjectversions\", \"FileAccessed\", \"\",\n \"ListParts\", \"FileAccessed\", \"\",\n \"PutBucketAbac\", \"FolderModified\", \"\",\n \"PutBucketAccelerateConfiguration\", \"FolderModified\", \"\",\n \"PutBucketAcl\", \"FolderModified\", \"\",\n \"PutBucketAnalayticsConfiguration\", \"FolderModified\", \"\",\n \"PutBucketCors\", \"FolderModified\", \"\",\n \"PutBucketEncryption\", \"FolderModified\", \"\",\n \"PutBucketIntelligentTieringConfiguration\", \"FolderModified\", \"\",\n \"PutBucketInventoryConfiguration\", \"FolderModified\", \"\",\n 
\"PutBucketLifecycle\", \"FolderModified\", \"\",\n \"PutBucketLifecycleConfiguration\", \"FolderModified\", \"\",\n \"PutBucketLogging\", \"FolderModified\", \"\",\n \"PutBucketMetricsConfiguration\", \"FolderModified\", \"\",\n \"PutBucketNotification\", \"FolderModified\", \"\",\n \"PutBucketNotificationConfiguration\", \"FolderModified\", \"\",\n \"PutBucketOwnershipControls\", \"FolderModified\", \"\",\n \"PutBucketPolicy\", \"FolderModified\", \"\",\n \"PutBucketReplication\", \"FolderModified\", \"\",\n \"PutBucketRequestPayment\", \"FolderModified\", \"\",\n \"PutBucketTagging\", \"FolderModified\", \"\",\n \"PutBucketVersioning\", \"FolderModified\", \"\",\n \"PutBucketWebsite\", \"FolderModified\", \"\",\n \"PutObject\", \"FileCreated\", \"Upload\",\n \"PutObjectAcl\", \"FileAttributesUpdated\", \"\",\n \"PutObjectLegalHold\", \"FileAttributesUpdated\", \"\",\n \"PutObjectLockConfiguration\", \"FileAttributesUpdated\", \"\",\n \"PutObjectRetention\", \"FileAttributesUpdated\", \"\",\n \"PutObjectTagging\", \"FileAttributesUpdated\", \"\",\n \"PutPublicAccessBlock\", \"FolderModified\", \"\",\n \"RenameObject\", \"FileRenamed\", \"\",\n \"RestoreObject\", \"FileCreated\", \"\",\n \"SelectObjectContent\", \"FileAccessed\", \"\",\n \"UpdateBucketMetadataInventoryTableConfiguration\", \"FolderModified\", \"\",\n \"UpdateBucketMetadataJournalTableConfiguration\", \"FolderModified\", \"\",\n \"UpdateObjectEncryption\", \"FileAttributesUpdated\", \"\",\n \"UploadPart\", \"FileCreated\", \"Upload\",\n \"UploadPartCopy\", \"FileCreated\", \"Upload\"\n // Omitted Actions\n // AbortMultipartUpload\n // CreateSession\n // ListMultipartUploads\n // WriteGetObjectResponse\n ];\n T\n | where EventSource == \"s3.amazonaws.com\"\n | lookup S3EventNameLookup on EventName\n | where isnotempty(EventType)\n | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n | extend EventSubType = case(\n EventType == \"FileDeleted\" and 
ResponseElements[\"a-amz-delete-marker\"] == true, \"Versions\",\n EventSubType\n )\n | extend\n TargetFileDirectory = tostring(RequestParameters.bucketName),\n TargetFileName = coalesce(tostring(RequestParameters.key), tostring(RequestParameters.prefix))\n | extend\n TargetFilePathType = \"Unix\",\n TargetFilePath = strcat(TargetFileDirectory, \"/\", TargetFileName),\n TargetAppType = \"Service\"\n | where (array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any))\n | extend\n SrcFilePath = tostring(RequestParameters[\"x-amz-copy-source\"])\n // Post-filtering\n | where (array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any))\n // Avoids using mv-apply as it filters insteads of assigning null\n // At most, the Resources array contains two objects: Bucket and Object\n // Resources may contain no objects, or just one of Bucket or Object\n | extend AdditionalData = iff(pack, bag_pack(\n \"BucketARN\", coalesce(\n iff(Resources[0].type == \"AWS::S3::Bucket\", tostring(Resources[0].ARN), \"\"),\n iff(Resources[1].type == \"AWS::S3::Bucket\", tostring(Resources[1].ARN), \"\")),\n \"ObjectARN\", coalesce(\n iff(Resources[0].type == \"AWS::S3::Object\", tostring(Resources[0].ARN), \"\"),\n iff(Resources[1].type == \"AWS::S3::Object\", tostring(Resources[1].ARN), \"\"))\n ), dynamic([]))\n};\nlet parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n eventtype_in: dynamic=dynamic([]),\n srcipaddr_has_any_prefix: dynamic=dynamic([]),\n actorusername_has_any: dynamic=dynamic([]),\n targetfilepath_has_any: dynamic=dynamic([]),\n srcfilepath_has_any: dynamic=dynamic([]),\n hashes_has_any: dynamic=dynamic([]),\n dvchostname_has_any: dynamic=dynamic([]),\n disabled: bool=false,\n pack: bool=false) {\nlet SupportedEventSources = dynamic([\n \"s3.amazonaws.com\"\n]);\nlet EventSourceNameLookup = datatable(EventSource: string, TargetAppName: string)\n[\n \"s3.amazonaws.com\", 
\"Amazon S3\"\n];\nlet SupportedEvents = AWSCloudTrail\n | where not(disabled)\n | where EventSource in (SupportedEventSources)\n | where (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIpAddress, srcipaddr_has_any_prefix))\n and (array_length(actorusername_has_any) == 0 or UserIdentityUserName has_any (actorusername_has_any))\n | where (array_length(srcfilepath_has_any) == 0) or (RequestParameters has_any (srcfilepath_has_any))\n and (array_length(hashes_has_any) == 0) // Hash information is not stored\n and (array_length(dvchostname_has_any) == 0) // DvcHostname information is not stored\n // targetfilepath and eventtype filtering done later in parser\n | extend RequestParameters = todynamic(RequestParameters), ResponseElements = todynamic(ResponseElements), Resources = todynamic(Resources);\nunion isfuzzy=false\nParseS3Events(SupportedEvents)\n| extend\n Type = \"AWSCloudTrail\",\n EventCount = int(1),\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventSeverity = \"Informational\",\n EventSchema = \"FileEvent\",\n EventSchemaVersion = \"0.1.2\",\n EventVendor = \"AWS\",\n EventProduct = \"CloudTrail\",\n Dvc = \"CloudTrail\",\n EventResult = iff(isempty(ErrorCode) and isempty(ErrorMessage), \"Success\", \"Failure\"),\n EventMessage = ErrorMessage\n| lookup EventSourceNameLookup on EventSource\n| project-rename\n EventOriginalSubType = EventTypeName,\n EventOriginalType = EventName,\n EventUid = AwsEventId,\n EventOriginalResultDetails = ErrorMessage,\n EventProductVersion = EventVersion\n| project-rename\n ActorUserId = UserIdentityAccountId,\n ActorUsername = UserIdentityUserName,\n ActorOriginalUserType = UserIdentityType,\n HttpUserAgent = UserAgent\n| extend\n ActorUserIdType = iff(isempty(ActorUserId), \"\", \"AWSId\"),\n ActorUsernameType = iff(isempty(ActorUsername), \"\", \"Simple\"),\n SrcIpAddr 
= iff(ipv4_is_in_range(SourceIpAddress, \"0.0.0.0/0\"), SourceIpAddress, \"\")\n| extend AdditionalFields = iff(pack, bag_pack(\n \"ActorAccessKeyId\", UserIdentityAccessKeyId,\n \"AWSRegion\", AWSRegion,\n \"APIVersion\", APIVersion,\n \"ManagementEvent\", ManagementEvent,\n \"ReadOnly\", ReadOnly,\n \"RequestParameters\", RequestParameters,\n \"ResponseElements\", ResponseElements\n), dynamic([]))\n| extend AdditionalFields = iff(pack, bag_merge(AdditionalFields, AdditionalData), dynamic([]))\n// Alias\n| extend\n User = ActorUsername,\n IpAddr = SrcIpAddr,\n FileName = TargetFileName,\n FilePath = TargetFilePath,\n Application = TargetAppName\n| project\n TimeGenerated,\n Type,\n EventCount,\n EventStartTime,\n EventEndTime,\n EventSeverity,\n EventSchema,\n EventSchemaVersion,\n EventVendor,\n EventProduct,\n Dvc,\n EventResult,\n EventMessage,\n TargetAppName,\n EventOriginalSubType,\n EventOriginalType,\n EventUid,\n EventOriginalResultDetails,\n EventProductVersion,\n ActorUserId,\n ActorUsername,\n ActorOriginalUserType,\n HttpUserAgent,\n ActorUserIdType,\n ActorUsernameType,\n SrcIpAddr,\n AdditionalFields,\n User,\n IpAddr,\n FileName,\n FilePath,\n Application,\n TargetAppType,\n EventType,\n EventSubType,\n TargetFileDirectory,\n TargetFileName,\n TargetFilePathType,\n TargetFilePath,\n SrcFilePath\n};\nparser(\n starttime=starttime, \n endtime=endtime, \n eventtype_in=eventtype_in,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n actorusername_has_any=actorusername_has_any,\n targetfilepath_has_any=targetfilepath_has_any,\n srcfilepath_has_any=srcfilepath_has_any,\n hashes_has_any=hashes_has_any,\n dvchostname_has_any=dvchostname_has_any,\n disabled=disabled,\n pack=pack\n)", + "version": 1, + "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False" + } + } + ] +} \ No newline at end of file diff --git a/Parsers/ASimFileEvent/CHANGELOG/ASimFIleEventAWSCloudTrail.md b/Parsers/ASimFileEvent/CHANGELOG/ASimFIleEventAWSCloudTrail.md new file mode 100644 index 00000000000..7e0f690f069 --- /dev/null +++ b/Parsers/ASimFileEvent/CHANGELOG/ASimFIleEventAWSCloudTrail.md @@ -0,0 +1,6 @@ +# Changelog for ASimFileEventAWSCloudTrail.yaml + +## Version 0.1.0 +- (2026-02-04) [ASIM] FileEvent - AWSCloudTrail (New Parser) [PR #13569](https://github.com/Azure/Azure-Sentinel/pull/13569) +- Create parser for AWSCloudTrail +- Support the following EventSources: s3.amazonaws.com \ No newline at end of file diff --git a/Parsers/ASimFileEvent/CHANGELOG/ASimFileEvent.md b/Parsers/ASimFileEvent/CHANGELOG/ASimFileEvent.md index 421db927845..a83581201c0 100644 --- a/Parsers/ASimFileEvent/CHANGELOG/ASimFileEvent.md +++ b/Parsers/ASimFileEvent/CHANGELOG/ASimFileEvent.md @@ -1,5 +1,10 @@ # Changelog for ASimFileEvent.yaml +## Version 0.1.4 + +- (2026-02-04) [ASIM] FileEvent - AWSCloudTrail (New Parser) [PR #13569](https://github.com/Azure/Azure-Sentinel/pull/13569) +- Add ASimFileEventAWSCloudTrail parser + ## Version 0.1.3 - (2024-06-05) ASimFileEventMicrosoftWindowsEvents.yaml-28 - [PR #10594](https://github.com/Azure/Azure-Sentinel/pull/10594) diff --git a/Parsers/ASimFileEvent/CHANGELOG/imFileEvent.md b/Parsers/ASimFileEvent/CHANGELOG/imFileEvent.md index fa3c2cb7247..1128d43705d 100644 --- a/Parsers/ASimFileEvent/CHANGELOG/imFileEvent.md +++ b/Parsers/ASimFileEvent/CHANGELOG/imFileEvent.md 
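Review bot: The `S3EventNameLookup` datatable contains a malformed row — `"DeletePublicAccessBlock", "FileAttributesUpdated", "",""` followed on the next line by `"GetBucketAbac"` with no separating comma — an extra empty literal and a missing comma that will either fail to parse or shift every later row by one column so no subsequent S3 API name matches; it should read `"DeletePublicAccessBlock", "FolderModified", "",` since it is a bucket-level setting, consistent with `PutPublicAccessBlock` → FolderModified. Several keys are misspelled and `lookup` is an exact match, so `GetBuckeAccelerateConfiguration`, `GetBucketAnalyticsConfiguation`, `PutBucketAnalayticsConfiguration` and `ListObjectversions` never match a real CloudTrail eventName and those events (including object-version enumeration, a common recon step) are silently dropped by `where isnotempty(EventType)`. The delete-marker check reads `ResponseElements["a-amz-delete-marker"]`, which looks like a typo for `x-amz-delete-marker`, so `EventSubType = "Versions"` is never set; the `== true` comparison should also be checked against the actual type of that response element (a string "true" would not compare equal to the boolean). `SrcIpAddr` keeps only IPv4 values and the pre-filter uses `has_any_ipv4_prefix`, so IPv6 and AWS-service sources (e.g. an `s3.amazonaws.com` SourceIpAddress) yield an empty SrcIpAddr and are not matched by `srcipaddr_has_any_prefix` — worth a comment such as `// IPv6 and service-principal sources are not normalized into SrcIpAddr`. The `displayName` string also has a typo, "filtersiltering".
```kusto
// … unchanged: earlier lookup rows …
"DeletePublicAccessBlock", "FolderModified", "",
"GetBucketAbac", "FolderAttributesAccessed", "",
"GetBucketAccelerateConfiguration", "FolderAttributesAccessed", "",
"GetBucketAcl", "FolderAttributesAccessed", "",
"GetBucketAnalyticsConfiguration", "FolderAttributesAccessed", "",
// … unchanged: remaining Get*/Head*/List* rows …
"ListObjectVersions", "FileAccessed", "",
// … unchanged …
"PutBucketAnalyticsConfiguration", "FolderModified", "",
// … unchanged: remaining rows, EventSource filter, lookup …
EventType == "FileDeleted" and ResponseElements["x-amz-delete-marker"] == true, "Versions",
// … unchanged: rest of ParseS3Events and parser …
```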
@@ -1,8 +1,10 @@
 # Changelog for imFileEvent.yaml
-## Version 0.1.5
+## Version 0.2.2
-- (2024-06-06) ASimFileEventMicrosoftSysmon.yaml-27 - [PR #10605](https://github.com/Azure/Azure-Sentinel/pull/10605)
+- (2026-02-04) [ASIM] FileEvent - AWSCloudTrail (New Parser) [PR #13569](https://github.com/Azure/Azure-Sentinel/pull/13569)
+- Fix Exclude statement in some parsers in the disabled statement
+- Add vimFileEventAWSCloudTrail parser
 ## Version 0.2.1
diff --git a/Parsers/ASimFileEvent/CHANGELOG/vimFileEventAWSCloudTrail.md b/Parsers/ASimFileEvent/CHANGELOG/vimFileEventAWSCloudTrail.md
new file mode 100644
index 00000000000..8bb79cf684e
--- /dev/null
+++ b/Parsers/ASimFileEvent/CHANGELOG/vimFileEventAWSCloudTrail.md
@@ -0,0 +1,6 @@
+# Changelog for vimFileEventAWSCloudTrail.yaml
+
+## Version 0.1.0
+- (2026-02-04) [ASIM] FileEvent - AWSCloudTrail (New Parser) [PR #13569](https://github.com/Azure/Azure-Sentinel/pull/13569)
+- Create parser for AWSCloudTrail
+- Support the following EventSources: s3.amazonaws.com
\ No newline at end of file
diff --git a/Parsers/ASimFileEvent/Parsers/ASimFileEvent.yaml b/Parsers/ASimFileEvent/Parsers/ASimFileEvent.yaml
index 407282f50ba..39a1df7859a 100644
--- a/Parsers/ASimFileEvent/Parsers/ASimFileEvent.yaml
+++ b/Parsers/ASimFileEvent/Parsers/ASimFileEvent.yaml
@@ -1,6 +1,6 @@
 Parser:
 Title: File event ASIM parser
- Version: "0.1.3"
+ Version: "0.1.4"
 LastUpdated: Jun 6, 2024
 Product:
 Name: Source agnostic
@@ -38,6 +38,7 @@ Parsers:
 - _ASim_FileEvent_SentinelOne
 - _ASim_FileEvent_VMwareCarbonBlackCloud
 - _ASim_FileEvent_GoogleWorkspace
+ - _ASim_FileEvent_AWSCloudTrail
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimFile') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
 let ASimBuiltInDisabled=toscalar('ExcludeASimFileEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers));
@@ -59,7 +60,8 @@ ParserQuery: |
 ASimFileEventNative(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventNative' in (DisabledParsers) ))),
 ASimFileEventSentinelOne(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventSentinelOne' in (DisabledParsers) ))),
 ASimFileEventVMwareCarbonBlackCloud(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventVMwareCarbonBlackCloud' in (DisabledParsers) ))),
- ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) )))
+ ASimFileEventGoogleWorkspace(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventGoogleWorkspace' in (DisabledParsers) ))),
+ ASimFileEventAWSCloudTrail(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAWSCloudTrail' in (DisabledParsers) )), pack)
 };
 parser (pack=pack)
diff --git a/Parsers/ASimFileEvent/Parsers/ASimFileEventAWSCloudTrail.yaml b/Parsers/ASimFileEvent/Parsers/ASimFileEventAWSCloudTrail.yaml
new file mode 100644
index 00000000000..3942144b1b1
--- /dev/null
+++ b/Parsers/ASimFileEvent/Parsers/ASimFileEventAWSCloudTrail.yaml
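Review bot: `ASimFileEventAWSCloudTrail(disabled=(ASimBuiltInDisabled or ('ExcludeASimFileEventAWSCloudTrail' in (DisabledParsers) )), pack)` passes `pack` positionally after a named argument while every other member of the union uses named arguments only; if KQL rejects a positional argument following a named one, the whole `ASimFileEvent` union fails rather than only the AWS branch, so write `pack=pack` as the enclosing `parser (pack=pack)` call does. The other members are not handed `pack` at all, so the flag only takes effect for AWS rows — pre-existing, but a one-line comment above the union saying so would help. The `@@ -1,6 +1,6 @@` hunk bumps `Version` to `0.1.4` but leaves `LastUpdated: Jun 6, 2024` in place, whereas the `imFileEvent.yaml` bump in this same change updates both. The `union` and `let parser` that wrap these lines begin outside the hunk.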
@@ -0,0 +1,274 @@ +Parser: + Title: FileEvent ASIM parser for AWS Cloud Trail + Version: '0.1.0' + LastUpdated: Feb 04, 2026 +Product: + Name: AWS Cloud Trail +Normalization: + Schema: FileEvent + Version: "0.1.0" +References: +- Title: ASIM User Management Schema + Link: https://aka.ms/ASimFileEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: File Event (S3) Documentation in AWS CloudTrail logs + Link: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html +Description: | + This ASIM parser supports normalizing file activity in AWS Cloud Trail for the following event sources: (s3.amazonaws.com) +ParserName: ASimFileEventAWSCloudTrail +EquivalentBuiltInParser: _ASim_FileEvent_AWSCloudTrail +ParserParams: + - Name: disabled + Type: bool + Default: false + - Name: pack + Type: bool + Default: false +ParserQuery: | + let ParseS3Events = (T: (EventSource: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic, Resources: dynamic)) { + let S3EventNameLookup = datatable(EventName: string, EventType: string, EventSubType: string) + [ + "CompleteMultipartUpload", "FileCreated", "Checkin", + "CopyObject", "FileCopied", "", + "CreateBucket", "FolderCreated", "", + "CreateBucketMetadataConfiguration", "FolderModified", "", + "CreateBucketMetadataTableConfiguration", "FolderModified", "", + "CreateMultipartUpload", "FileCreated", "Checkin", + "DeleteBucket", "FolderDeleted", "", + "DeleteBucketAnalyticsConfiguration", "FolderModified", "", + "DeleteBucketCors", "FolderModified", "", + "DeleteBucketEncryption", "FolderModified", "", + "DeleteBucketIntelligentTieringConfiguration", "FolderModified", "", + "DeleteBucketInventoryConfiguration", "FolderModified", "", + "DeleteBucketLifecycle", "FolderModified", "", + "DeleteBucketMetadataConfiguration", "FolderModified", "", + "DeleteBucketMetadataTableConfiguration", "FolderModified", "", + "DeleteBucketMetricsConfiguration", "FolderModified", 
"", + "DeleteBucketOwnershipControls", "FolderModified", "", + "DeleteBucketPolicy", "FolderModified", "", + "DeleteBucketReplication", "FolderModified", "", + "DeleteBucketTagging", "FolderModified", "", + "DeleteBucketWebsite", "FolderModified", "", + "DeleteObject", "FileDeleted", "", + "DeleteObjects", "FileDeleted", "", + "DeleteObjectTagging", "FileAttributesUpdated", "", + "DeletePublicAccessBlock", "FileAttributesUpdated", "","" + "GetBucketAbac", "FolderAttributesAccessed", "", + "GetBuckeAccelerateConfiguration", "FolderAttributesAccessed", "", + "GetBucketAcl", "FolderAttributesAccessed", "", + "GetBucketAnalyticsConfiguation", "FolderAttributesAccessed", "", + "GetBucketCors", "FolderAttributesAccessed", "", + "GetBucketEncryption", "FolderAttributesAccessed", "", + "GetBucketIntelligentTieringConfiguration", "FolderAttributesAccessed", "", + "GetBucketInventoryConfiguration", "FolderAttributesAccessed", "", + "GetBucketLifecycle", "FolderAttributesAccessed", "", + "GetBucketLifecycleConfiguration", "FolderAttributesAccessed", "", + "GetBucketLocation", "FolderAttributesAccessed", "", + "GetBucketLogging", "FolderAttributesAccessed", "", + "GetBucketMetadataConfiguration", "FolderAttributesAccessed", "", + "GetBucketMetadataTableConfiguration", "FolderAttributesAccessed", "", + "GetBucketMetricsConfiguration", "FolderAttributesAccessed", "", + "GetBucketNotification", "FolderAttributesAccessed", "", + "GetBucketNotificationConfiguration", "FolderAttributesAccessed", "", + "GetBucketOwnershipControls", "FolderAttributesAccessed", "", + "GetBucketPolicy", "FolderAttributesAccessed", "", + "GetBucketPolicyStatus", "FolderAttributesAccessed", "", + "GetBucketReplication", "FolderAttributesAccessed", "", + "GetBucketRequestPayment", "FolderAttributesAccessed", "", + "GetBucketTagging", "FolderAttributesAccessed", "", + "GetBucketVersioning", "FolderAttributesAccessed", "", + "GetBucketWebsite", "FolderAttributesAccessed", "", + "GetObject", "FileAccessed", 
"Download", + "GetObjectAcl", "FileAccessed", "", + "GetObjectAttributes", "FileAccessed", "", + "GetObjectLegalHold", "FileAccessed", "", + "GetObjectLockConfiguration", "FileAccessed", "", + "GetObjectRetention", "FileAccessed", "", + "GetObjectTagging", "FileAccessed", "", + "GetObjectTorrent", "FileAccessed", "", + "GetPublicAccessBlock", "FolderAttributesAccessed", "", + "HeadBucket", "FolderAttributesAccessed", "", + "HeadObject", "FileAccessed", "", + "ListBucketAnalyticsConfigurations", "FolderAttributesAccessed", "", + "ListBucketIntelligentTieringConfigurations", "FolderAttributesAccessed", "", + "ListBucketMetricsConfigurations", "FolderAttributesAccessed", "", + "ListBuckets", "FolderAttributesAccessed", "", + "ListDirectoryBuckets", "FolderAttributesAccessed", "", + "ListObjects", "FileAccessed", "", + "ListObjectsV2", "FileAccessed", "", + "ListObjectversions", "FileAccessed", "", + "ListParts", "FileAccessed", "", + "PutBucketAbac", "FolderModified", "", + "PutBucketAccelerateConfiguration", "FolderModified", "", + "PutBucketAcl", "FolderModified", "", + "PutBucketAnalayticsConfiguration", "FolderModified", "", + "PutBucketCors", "FolderModified", "", + "PutBucketEncryption", "FolderModified", "", + "PutBucketIntelligentTieringConfiguration", "FolderModified", "", + "PutBucketInventoryConfiguration", "FolderModified", "", + "PutBucketLifecycle", "FolderModified", "", + "PutBucketLifecycleConfiguration", "FolderModified", "", + "PutBucketLogging", "FolderModified", "", + "PutBucketMetricsConfiguration", "FolderModified", "", + "PutBucketNotification", "FolderModified", "", + "PutBucketNotificationConfiguration", "FolderModified", "", + "PutBucketOwnershipControls", "FolderModified", "", + "PutBucketPolicy", "FolderModified", "", + "PutBucketReplication", "FolderModified", "", + "PutBucketRequestPayment", "FolderModified", "", + "PutBucketTagging", "FolderModified", "", + "PutBucketVersioning", "FolderModified", "", + "PutBucketWebsite", 
"FolderModified", "", + "PutObject", "FileCreated", "Upload", + "PutObjectAcl", "FileAttributesUpdated", "", + "PutObjectLegalHold", "FileAttributesUpdated", "", + "PutObjectLockConfiguration", "FileAttributesUpdated", "", + "PutObjectRetention", "FileAttributesUpdated", "", + "PutObjectTagging", "FileAttributesUpdated", "", + "PutPublicAccessBlock", "FolderModified", "", + "RenameObject", "FileRenamed", "", + "RestoreObject", "FileCreated", "", + "SelectObjectContent", "FileAccessed", "", + "UpdateBucketMetadataInventoryTableConfiguration", "FolderModified", "", + "UpdateBucketMetadataJournalTableConfiguration", "FolderModified", "", + "UpdateObjectEncryption", "FileAttributesUpdated", "", + "UploadPart", "FileCreated", "Upload", + "UploadPartCopy", "FileCreated", "Upload" + // Omitted Actions + // AbortMultipartUpload + // CreateSession + // ListMultipartUploads + // WriteGetObjectResponse + ]; + T + | where EventSource == "s3.amazonaws.com" + | lookup S3EventNameLookup on EventName + | where isnotempty(EventType) + | extend EventSubType = case( + EventType == "FileDeleted" and ResponseElements["a-amz-delete-marker"] == true, "Versions", + EventSubType + ) + | extend + TargetFileDirectory = tostring(RequestParameters.bucketName), + TargetFileName = coalesce(tostring(RequestParameters.key), tostring(RequestParameters.prefix)) + | extend + TargetFilePathType = "Unix", + TargetFilePath = strcat(TargetFileDirectory, "/", TargetFileName), + TargetAppType = "Service" + | extend + SrcFilePath = tostring(RequestParameters["x-amz-copy-source"]) + // Avoids using mv-apply as it filters insteads of assigning null + // At most, the Resources array contains two objects: Bucket and Object + // Resources may contain no objects, or just one of Bucket or Object + | extend AdditionalData = iff(pack, bag_pack( + "BucketARN", coalesce( + iff(Resources[0].type == "AWS::S3::Bucket", tostring(Resources[0].ARN), ""), + iff(Resources[1].type == "AWS::S3::Bucket", 
tostring(Resources[1].ARN), "")), + "ObjectARN", coalesce( + iff(Resources[0].type == "AWS::S3::Object", tostring(Resources[0].ARN), ""), + iff(Resources[1].type == "AWS::S3::Object", tostring(Resources[1].ARN), "")) + ), dynamic([])) + }; + let parser = (disabled: bool, pack: bool) { + let SupportedEventSources = dynamic([ + "s3.amazonaws.com" + ]); + let EventSourceNameLookup = datatable(EventSource: string, TargetAppName: string) + [ + "s3.amazonaws.com", "Amazon S3" + ]; + let SupportedEvents = AWSCloudTrail + | where EventSource in (SupportedEventSources) + | extend RequestParameters = todynamic(RequestParameters), ResponseElements = todynamic(ResponseElements), Resources = todynamic(Resources); + union isfuzzy=false + ParseS3Events(SupportedEvents) + | extend + Type = "AWSCloudTrail", + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventSeverity = "Informational", + EventSchema = "FileEvent", + EventSchemaVersion = "0.1.2", + EventVendor = "AWS", + EventProduct = "CloudTrail", + Dvc = "CloudTrail", + EventResult = iff(isempty(ErrorCode) and isempty(ErrorMessage), "Success", "Failure"), + EventMessage = ErrorMessage + | lookup EventSourceNameLookup on EventSource + | project-rename + EventOriginalSubType = EventTypeName, + EventOriginalType = EventName, + EventUid = AwsEventId, + EventOriginalResultDetails = ErrorMessage, + EventProductVersion = EventVersion + | project-rename + ActorUserId = UserIdentityAccountId, + ActorUsername = UserIdentityUserName, + ActorOriginalUserType = UserIdentityType, + HttpUserAgent = UserAgent + | extend + ActorUserIdType = iff(isempty(ActorUserId), "", "AWSId"), + ActorUsernameType = iff(isempty(ActorUsername), "", "Simple"), + SrcIpAddr = iff(ipv4_is_in_range(SourceIpAddress, "0.0.0.0/0"), SourceIpAddress, "") + | extend AdditionalFields = iff(pack, bag_pack( + "ActorAccessKeyId", UserIdentityAccessKeyId, + "AWSRegion", AWSRegion, + "APIVersion", APIVersion, + "ManagementEvent", 
ManagementEvent,
+ "ReadOnly", ReadOnly,
+ "RequestParameters", RequestParameters,
+ "ResponseElements", ResponseElements
+ ), dynamic([]))
+ | extend AdditionalFields = iff(pack, bag_merge(AdditionalFields, AdditionalData), dynamic([]))
+ // Alias
+ | extend
+ User = ActorUsername,
+ IpAddr = SrcIpAddr,
+ FileName = TargetFileName,
+ FilePath = TargetFilePath,
+ Application = TargetAppName
+ | project
+ TimeGenerated,
+ Type,
+ EventCount,
+ EventStartTime,
+ EventEndTime,
+ EventSeverity,
+ EventSchema,
+ EventSchemaVersion,
+ EventVendor,
+ EventProduct,
+ Dvc,
+ EventResult,
+ EventMessage,
+ TargetAppName,
+ EventOriginalSubType,
+ EventOriginalType,
+ EventUid,
+ EventOriginalResultDetails,
+ EventProductVersion,
+ ActorUserId,
+ ActorUsername,
+ ActorOriginalUserType,
+ HttpUserAgent,
+ ActorUserIdType,
+ ActorUsernameType,
+ SrcIpAddr,
+ AdditionalFields,
+ User,
+ IpAddr,
+ FileName,
+ FilePath,
+ Application,
+ TargetAppType,
+ EventType,
+ EventSubType,
+ TargetFileDirectory,
+ TargetFileName,
+ TargetFilePathType,
+ TargetFilePath,
+ SrcFilePath
+ };
+ parser(disabled=disabled, pack=pack)
\ No newline at end of file
diff --git a/Parsers/ASimFileEvent/Parsers/imFileEvent.yaml b/Parsers/ASimFileEvent/Parsers/imFileEvent.yaml
index 9d893bd40a5..25bde4fafeb 100644
--- a/Parsers/ASimFileEvent/Parsers/imFileEvent.yaml
+++ b/Parsers/ASimFileEvent/Parsers/imFileEvent.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: ASIM Source Agnostic File Events Parser
- Version: "0.2.1"
- LastUpdated: Jun 5, 2024
+ Version: "0.2.2"
+ LastUpdated: Feb 06, 2026
 Product:
 Name: Source Agnostic
 Normalization:
@@ -68,6 +68,7 @@ Parsers:
 - _Im_FileEvent_SentinelOne
 - _Im_FileEvent_VMwareCarbonBlackCloud
 - _Im_FileEvent_GoogleWorkspace
+ - _Im_FileEvent_AWSCloudTrail
 ParserQuery: |
 let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimFile')
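Review bot: In `S3EventNameLookup` the row `"DeletePublicAccessBlock", "FileAttributesUpdated", "",""` carries four values and has no comma before the next row's `"GetBucketAbac"`, so the datatable literal will not parse (and even with a comma the extra `""` would shift every later row by one column); since this is a bucket-level call, the row should read `"DeletePublicAccessBlock", "FolderModified", "",` like its Put/Get siblings. Separately, `disabled` is accepted but never applied — `SupportedEvents` lacks the `| where not(disabled)` the vim variant has — so `ExcludeASimFileEventAWSCloudTrail` in the watchlist has no effect. Several keys are misspelled (`GetBuckeAccelerateConfiguration`, `GetBucketAnalyticsConfiguation`, `PutBucketAnalayticsConfiguration`, `ListObjectversions`) and, because `| where isnotempty(EventType)` follows the lookup, those S3 calls are silently dropped rather than normalized. `ResponseElements["a-amz-delete-marker"]` also looks like a typo for S3's `x-amz-delete-marker`, in which case the `Versions` subtype is never set; confirm against a real DeleteObject record. The header declares `Normalization: Version: "0.1.0"` while the query emits `EventSchemaVersion = "0.1.2"`, and the reference title `ASIM User Management Schema` is left over from another parser.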
@@ -102,8 +103,9 @@ ParserQuery: |
 vimFileEventMicrosoftWindowsEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftWindowsEvents' in (DisabledParsers)))),
 vimFileEventMicrosoftSecurityEvents(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventMicrosoftSecurityEvents' in (DisabledParsers)))),
 vimFileEventNative(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventNative' in (DisabledParsers)))),
- vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventSentinelOne' in (DisabledParsers)))),
- vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, 
actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),
- vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('vimFileEventGoogleWorkspace' in (DisabledParsers))))
+ vimFileEventSentinelOne(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventSentinelOne' in (DisabledParsers)))),
+ vimFileEventVMwareCarbonBlackCloud(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventVMwareCarbonBlackCloud' in (DisabledParsers)))),
+ vimFileEventGoogleWorkspace(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, 
disabled=(vimBuiltInDisabled or ('ExcludevimFileEventGoogleWorkspace' in (DisabledParsers)))),
+ vimFileEventAWSCloudTrail(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAWSCloudTrail' in (DisabledParsers))), pack)
 };
 parser(starttime=starttime, endtime=endtime, eventtype_in=eventtype_in, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, actorusername_has_any=actorusername_has_any, targetfilepath_has_any=targetfilepath_has_any, srcfilepath_has_any=srcfilepath_has_any, hashes_has_any=hashes_has_any, dvchostname_has_any=dvchostname_has_any, pack=pack)
diff --git a/Parsers/ASimFileEvent/Parsers/vimFileEventAWSCloudTrail.yaml b/Parsers/ASimFileEvent/Parsers/vimFileEventAWSCloudTrail.yaml
new file mode 100644
index 00000000000..ba9b668b9a9
--- /dev/null
+++ b/Parsers/ASimFileEvent/Parsers/vimFileEventAWSCloudTrail.yaml
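Review bot: `vimFileEventAWSCloudTrail(..., disabled=(vimBuiltInDisabled or ('ExcludevimFileEventAWSCloudTrail' in (DisabledParsers))), pack)` passes `pack` positionally after a run of named arguments, unlike every other member of the union; if KQL rejects a positional argument following named ones, the whole `imFileEvent` union fails rather than just the AWS branch, so write `pack=pack` as the enclosing `parser(..., pack=pack)` call does. The other members still do not receive `pack` at all, so `imFileEvent(pack=true)` packs `AdditionalFields` only for AWS rows; that is pre-existing, but a one-line comment above the union saying so would save the next reader a search. The `Exclude` prefix fixes on the SentinelOne, Carbon Black and Workspace lines are correct and match the watchlist keys used elsewhere in this hunk. The `union` and `let parser` that wrap these lines begin outside the hunk.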
@@ -0,0 +1,337 @@ +Parser: + Title: FileEvent ASIM filtersiltering parser for AWS Cloud Trail + Version: '0.1.0' + LastUpdated: Feb 04, 2026 +Product: + Name: AWS Cloud Trail +Normalization: + Schema: FileEvent + Version: "0.1.0" +References: +- Title: ASIM User Management Schema + Link: https://aka.ms/ASimFileEventDoc +- Title: ASIM + Link: https://aka.ms/AboutASIM +- Title: File Event (S3) Documentation in AWS CloudTrail logs + Link: https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations_Amazon_Simple_Storage_Service.html +Description: | + This ASIM parser supports normalizing file activity in AWS Cloud Trail for the following event sources: (s3.amazonaws.com) +ParserName: vimFileEventAWSCloudTrail +EquivalentBuiltInParser: _vim_FileEvent_AWSCloudTrail +ParserParams: + - Name: starttime + Type: datetime + Default: datetime(null) + - Name: endtime + Type: datetime + Default: datetime(null) + - Name: eventtype_in + Type: dynamic + Default: dynamic([]) + - Name: srcipaddr_has_any_prefix + Type: dynamic + Default: dynamic([]) + - Name: actorusername_has_any + Type: dynamic + Default: dynamic([]) + - Name: targetfilepath_has_any + Type: dynamic + Default: dynamic([]) + - Name: srcfilepath_has_any + Type: dynamic + Default: dynamic([]) + - Name: hashes_has_any + Type: dynamic + Default: dynamic([]) + - Name: dvchostname_has_any + Type: dynamic + Default: dynamic([]) + - Name: disabled + Type: bool + Default: false + - Name: pack + Type: bool + Default: false +ParserQuery: | + let ParseS3Events = (T: (EventSource: string, EventName: string, RequestParameters: dynamic, ResponseElements: dynamic, Resources: dynamic)) { + let S3EventNameLookup = datatable(EventName: string, EventType: string, EventSubType: string) + [ + "CompleteMultipartUpload", "FileCreated", "Checkin", + "CopyObject", "FileCopied", "", + "CreateBucket", "FolderCreated", "", + "CreateBucketMetadataConfiguration", "FolderModified", "", + "CreateBucketMetadataTableConfiguration", "FolderModified", 
"", + "CreateMultipartUpload", "FileCreated", "Checkin", + "DeleteBucket", "FolderDeleted", "", + "DeleteBucketAnalyticsConfiguration", "FolderModified", "", + "DeleteBucketCors", "FolderModified", "", + "DeleteBucketEncryption", "FolderModified", "", + "DeleteBucketIntelligentTieringConfiguration", "FolderModified", "", + "DeleteBucketInventoryConfiguration", "FolderModified", "", + "DeleteBucketLifecycle", "FolderModified", "", + "DeleteBucketMetadataConfiguration", "FolderModified", "", + "DeleteBucketMetadataTableConfiguration", "FolderModified", "", + "DeleteBucketMetricsConfiguration", "FolderModified", "", + "DeleteBucketOwnershipControls", "FolderModified", "", + "DeleteBucketPolicy", "FolderModified", "", + "DeleteBucketReplication", "FolderModified", "", + "DeleteBucketTagging", "FolderModified", "", + "DeleteBucketWebsite", "FolderModified", "", + "DeleteObject", "FileDeleted", "", + "DeleteObjects", "FileDeleted", "", + "DeleteObjectTagging", "FileAttributesUpdated", "", + "DeletePublicAccessBlock", "FileAttributesUpdated", "","" + "GetBucketAbac", "FolderAttributesAccessed", "", + "GetBuckeAccelerateConfiguration", "FolderAttributesAccessed", "", + "GetBucketAcl", "FolderAttributesAccessed", "", + "GetBucketAnalyticsConfiguation", "FolderAttributesAccessed", "", + "GetBucketCors", "FolderAttributesAccessed", "", + "GetBucketEncryption", "FolderAttributesAccessed", "", + "GetBucketIntelligentTieringConfiguration", "FolderAttributesAccessed", "", + "GetBucketInventoryConfiguration", "FolderAttributesAccessed", "", + "GetBucketLifecycle", "FolderAttributesAccessed", "", + "GetBucketLifecycleConfiguration", "FolderAttributesAccessed", "", + "GetBucketLocation", "FolderAttributesAccessed", "", + "GetBucketLogging", "FolderAttributesAccessed", "", + "GetBucketMetadataConfiguration", "FolderAttributesAccessed", "", + "GetBucketMetadataTableConfiguration", "FolderAttributesAccessed", "", + "GetBucketMetricsConfiguration", "FolderAttributesAccessed", "", + 
"GetBucketNotification", "FolderAttributesAccessed", "", + "GetBucketNotificationConfiguration", "FolderAttributesAccessed", "", + "GetBucketOwnershipControls", "FolderAttributesAccessed", "", + "GetBucketPolicy", "FolderAttributesAccessed", "", + "GetBucketPolicyStatus", "FolderAttributesAccessed", "", + "GetBucketReplication", "FolderAttributesAccessed", "", + "GetBucketRequestPayment", "FolderAttributesAccessed", "", + "GetBucketTagging", "FolderAttributesAccessed", "", + "GetBucketVersioning", "FolderAttributesAccessed", "", + "GetBucketWebsite", "FolderAttributesAccessed", "", + "GetObject", "FileAccessed", "Download", + "GetObjectAcl", "FileAccessed", "", + "GetObjectAttributes", "FileAccessed", "", + "GetObjectLegalHold", "FileAccessed", "", + "GetObjectLockConfiguration", "FileAccessed", "", + "GetObjectRetention", "FileAccessed", "", + "GetObjectTagging", "FileAccessed", "", + "GetObjectTorrent", "FileAccessed", "", + "GetPublicAccessBlock", "FolderAttributesAccessed", "", + "HeadBucket", "FolderAttributesAccessed", "", + "HeadObject", "FileAccessed", "", + "ListBucketAnalyticsConfigurations", "FolderAttributesAccessed", "", + "ListBucketIntelligentTieringConfigurations", "FolderAttributesAccessed", "", + "ListBucketMetricsConfigurations", "FolderAttributesAccessed", "", + "ListBuckets", "FolderAttributesAccessed", "", + "ListDirectoryBuckets", "FolderAttributesAccessed", "", + "ListObjects", "FileAccessed", "", + "ListObjectsV2", "FileAccessed", "", + "ListObjectversions", "FileAccessed", "", + "ListParts", "FileAccessed", "", + "PutBucketAbac", "FolderModified", "", + "PutBucketAccelerateConfiguration", "FolderModified", "", + "PutBucketAcl", "FolderModified", "", + "PutBucketAnalayticsConfiguration", "FolderModified", "", + "PutBucketCors", "FolderModified", "", + "PutBucketEncryption", "FolderModified", "", + "PutBucketIntelligentTieringConfiguration", "FolderModified", "", + "PutBucketInventoryConfiguration", "FolderModified", "", + 
"PutBucketLifecycle", "FolderModified", "", + "PutBucketLifecycleConfiguration", "FolderModified", "", + "PutBucketLogging", "FolderModified", "", + "PutBucketMetricsConfiguration", "FolderModified", "", + "PutBucketNotification", "FolderModified", "", + "PutBucketNotificationConfiguration", "FolderModified", "", + "PutBucketOwnershipControls", "FolderModified", "", + "PutBucketPolicy", "FolderModified", "", + "PutBucketReplication", "FolderModified", "", + "PutBucketRequestPayment", "FolderModified", "", + "PutBucketTagging", "FolderModified", "", + "PutBucketVersioning", "FolderModified", "", + "PutBucketWebsite", "FolderModified", "", + "PutObject", "FileCreated", "Upload", + "PutObjectAcl", "FileAttributesUpdated", "", + "PutObjectLegalHold", "FileAttributesUpdated", "", + "PutObjectLockConfiguration", "FileAttributesUpdated", "", + "PutObjectRetention", "FileAttributesUpdated", "", + "PutObjectTagging", "FileAttributesUpdated", "", + "PutPublicAccessBlock", "FolderModified", "", + "RenameObject", "FileRenamed", "", + "RestoreObject", "FileCreated", "", + "SelectObjectContent", "FileAccessed", "", + "UpdateBucketMetadataInventoryTableConfiguration", "FolderModified", "", + "UpdateBucketMetadataJournalTableConfiguration", "FolderModified", "", + "UpdateObjectEncryption", "FileAttributesUpdated", "", + "UploadPart", "FileCreated", "Upload", + "UploadPartCopy", "FileCreated", "Upload" + // Omitted Actions + // AbortMultipartUpload + // CreateSession + // ListMultipartUploads + // WriteGetObjectResponse + ]; + T + | where EventSource == "s3.amazonaws.com" + | lookup S3EventNameLookup on EventName + | where isnotempty(EventType) + | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in))) + | extend EventSubType = case( + EventType == "FileDeleted" and ResponseElements["a-amz-delete-marker"] == true, "Versions", + EventSubType + ) + | extend + TargetFileDirectory = tostring(RequestParameters.bucketName), + TargetFileName = 
coalesce(tostring(RequestParameters.key), tostring(RequestParameters.prefix)) + | extend + TargetFilePathType = "Unix", + TargetFilePath = strcat(TargetFileDirectory, "/", TargetFileName), + TargetAppType = "Service" + | where (array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)) + | extend + SrcFilePath = tostring(RequestParameters["x-amz-copy-source"]) + // Post-filtering + | where (array_length(srcfilepath_has_any) == 0) or (SrcFilePath has_any (srcfilepath_has_any)) + // Avoids using mv-apply as it filters insteads of assigning null + // At most, the Resources array contains two objects: Bucket and Object + // Resources may contain no objects, or just one of Bucket or Object + | extend AdditionalData = iff(pack, bag_pack( + "BucketARN", coalesce( + iff(Resources[0].type == "AWS::S3::Bucket", tostring(Resources[0].ARN), ""), + iff(Resources[1].type == "AWS::S3::Bucket", tostring(Resources[1].ARN), "")), + "ObjectARN", coalesce( + iff(Resources[0].type == "AWS::S3::Object", tostring(Resources[0].ARN), ""), + iff(Resources[1].type == "AWS::S3::Object", tostring(Resources[1].ARN), "")) + ), dynamic([])) + }; + let parser = ( + starttime: datetime=datetime(null), + endtime: datetime=datetime(null), + eventtype_in: dynamic=dynamic([]), + srcipaddr_has_any_prefix: dynamic=dynamic([]), + actorusername_has_any: dynamic=dynamic([]), + targetfilepath_has_any: dynamic=dynamic([]), + srcfilepath_has_any: dynamic=dynamic([]), + hashes_has_any: dynamic=dynamic([]), + dvchostname_has_any: dynamic=dynamic([]), + disabled: bool=false, + pack: bool=false) { + let SupportedEventSources = dynamic([ + "s3.amazonaws.com" + ]); + let EventSourceNameLookup = datatable(EventSource: string, TargetAppName: string) + [ + "s3.amazonaws.com", "Amazon S3" + ]; + let SupportedEvents = AWSCloudTrail + | where not(disabled) + | where EventSource in (SupportedEventSources) + | where (isnull(starttime) or TimeGenerated >= starttime) + and (isnull(endtime) 
or TimeGenerated <= endtime) + | where (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(SourceIpAddress, srcipaddr_has_any_prefix)) + and (array_length(actorusername_has_any) == 0 or UserIdentityUserName has_any (actorusername_has_any)) + | where (array_length(srcfilepath_has_any) == 0) or (RequestParameters has_any (srcfilepath_has_any)) + and (array_length(hashes_has_any) == 0) // Hash information is not stored + and (array_length(dvchostname_has_any) == 0) // DvcHostname information is not stored + // targetfilepath and eventtype filtering done later in parser + | extend RequestParameters = todynamic(RequestParameters), ResponseElements = todynamic(ResponseElements), Resources = todynamic(Resources); + union isfuzzy=false + ParseS3Events(SupportedEvents) + | extend + Type = "AWSCloudTrail", + EventCount = int(1), + EventStartTime = TimeGenerated, + EventEndTime = TimeGenerated, + EventSeverity = "Informational", + EventSchema = "FileEvent", + EventSchemaVersion = "0.1.2", + EventVendor = "AWS", + EventProduct = "CloudTrail", + Dvc = "CloudTrail", + EventResult = iff(isempty(ErrorCode) and isempty(ErrorMessage), "Success", "Failure"), + EventMessage = ErrorMessage + | lookup EventSourceNameLookup on EventSource + | project-rename + EventOriginalSubType = EventTypeName, + EventOriginalType = EventName, + EventUid = AwsEventId, + EventOriginalResultDetails = ErrorMessage, + EventProductVersion = EventVersion + | project-rename + ActorUserId = UserIdentityAccountId, + ActorUsername = UserIdentityUserName, + ActorOriginalUserType = UserIdentityType, + HttpUserAgent = UserAgent + | extend + ActorUserIdType = iff(isempty(ActorUserId), "", "AWSId"), + ActorUsernameType = iff(isempty(ActorUsername), "", "Simple"), + SrcIpAddr = iff(ipv4_is_in_range(SourceIpAddress, "0.0.0.0/0"), SourceIpAddress, "") + | extend AdditionalFields = iff(pack, bag_pack( + "ActorAccessKeyId", UserIdentityAccessKeyId, + "AWSRegion", AWSRegion, + "APIVersion", APIVersion, + 
"ManagementEvent", ManagementEvent, + "ReadOnly", ReadOnly, + "RequestParameters", RequestParameters, + "ResponseElements", ResponseElements + ), dynamic([])) + | extend AdditionalFields = iff(pack, bag_merge(AdditionalFields, AdditionalData), dynamic([])) + // Alias + | extend + User = ActorUsername, + IpAddr = SrcIpAddr, + FileName = TargetFileName, + FilePath = TargetFilePath, + Application = TargetAppName + | project + TimeGenerated, + Type, + EventCount, + EventStartTime, + EventEndTime, + EventSeverity, + EventSchema, + EventSchemaVersion, + EventVendor, + EventProduct, + Dvc, + EventResult, + EventMessage, + TargetAppName, + EventOriginalSubType, + EventOriginalType, + EventUid, + EventOriginalResultDetails, + EventProductVersion, + ActorUserId, + ActorUsername, + ActorOriginalUserType, + HttpUserAgent, + ActorUserIdType, + ActorUsernameType, + SrcIpAddr, + AdditionalFields, + User, + IpAddr, + FileName, + FilePath, + Application, + TargetAppType, + EventType, + EventSubType, + TargetFileDirectory, + TargetFileName, + TargetFilePathType, + TargetFilePath, + SrcFilePath + }; + parser( + starttime=starttime, + endtime=endtime, + eventtype_in=eventtype_in, + srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, + actorusername_has_any=actorusername_has_any, + targetfilepath_has_any=targetfilepath_has_any, + srcfilepath_has_any=srcfilepath_has_any, + hashes_has_any=hashes_has_any, + dvchostname_has_any=dvchostname_has_any, + disabled=disabled, + pack=pack + ) \ No newline at end of file