diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
index 7b265e73b14..994f6f2ef85 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" 
,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates 
policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n 
Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - 
SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" 
,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (disabled:bool=false) {\n AADManagedIdentitySignInLogs \n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsoft',\n EventCount = int(1),\n EventProduct = 'AAD',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Managed Identity\",\n TargetAppType = \"Resource\",\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, 
Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser (disabled=disabled)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
index ef61277dcf6..0384b3f8993 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
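Review bot: In the trailing extend of the AADResultTypes helper, the fallback `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)` writes the event type ("Logon") into the field for every ResultType that is absent from AADResultTypesLookup, and the later `project-away ... Result*` then removes ResultType and ResultDescription as well, so the original AADSTS error code of any unmapped managed-identity failure does not survive normalization. An investigator looking at a row with EventResult "Failure" and an empty EventResultDetails is left with nothing to pivot on short of going back to the raw table. Falling back to the code keeps that evidence: `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), ResultType, EventOriginalResultDetails)`, or prefer ResultDescription first if this table populates it, as the non-interactive parser in this diff assumes with `coalesce(ResultDescription, ResultType)`. The KQL query in this hunk is complete, but the enclosing JSON resource object starts before the hunk.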
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for Microsoft Entra ID non-interactive sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n 
TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password' ,\n '700016', 'No such user or password'\n ];\nlet parser=(disabled:bool=false){\n 
AADNonInteractiveUserSignInLogs \n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'AAD',\n EventResult = iff (ResultType ==0, 'Success', 'Failure'),\n EventSchemaVersion = '0.1.0',\n EventStartTime = TimeGenerated,\n EventSubType = 'NonInteractive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Location = todynamic(LocationDetails),\n SrcDvcHostname = tostring(todynamic(DeviceDetail).displayName),\n SrcDvcId = tostring(todynamic(DeviceDetail).deviceId),\n SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem),\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN'\n | extend\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n EventUid = _ItemId,\n HttpUserAgent = UserAgent,\n LogonMethod = AuthenticationRequirement,\n SrcDvcIpAddr = IPAddress,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName\n | lookup FailedReason on ResultType\n // -- Aliases\n | extend \n Dvc = EventVendor,\n LogonTarget = ResourceIdentity,\n User = TargetUsername,\n // -- Entity identifier explicit aliases\n TargetUserAadId = TargetUserId,\n TargetUserUpn = TargetUsername\n};\nparser \n (\n disabled = disabled\n )",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
index 18df0f025f9..bd4ea1aae11 100644
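Review bot: The FailedReason table maps 50173 (FreshTokenNeeded) and 70008 (ExpiredOrRevokedGrant) to `'Password expired'`, while the managed-identity and service-principal parsers in this same diff normalize the same two codes to "Session expired", and 50034/50059/51004 to "No such user or password" here versus "No such user" there. The non-interactive table is where token-refresh noise concentrates, so any rule that pivots on `EventResultDetails == 'Password expired'` over the unified ASimAuthentication view will mix refresh-token expiry with genuine password-expiry events, and the same AADSTS code ends up with a different normalized meaning depending on which source table produced the row. Align the two rows, `'50173', 'Session expired',` and `'70008', 'Session expired',`, and treat the "No such user" rows the same way. This parser also sets no EventSchema or EventSeverity and declares EventSchemaVersion 0.1.0 while its siblings declare 0.1.3, which consumers selecting on those fields will notice. The KQL in this hunk is complete; the enclosing JSON resource object begins before the hunk.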
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for Microsoft Entra ID service principal sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs", - "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" 
,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" 
,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = 
AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsft/Entra ID',\n EventCount = int(1),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n TargetAppType = \"Resource\",\n TargetUserIdType = 'EntraID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)", + "query": "let AADResultTypes = (T:(ResultType:string)) {\n let AADResultTypesLookup = datatable (ResultType:string, EventResultDetails:string, EventType:string, EventResult:string, EventOriginalResultDetails:string, EventSeverity:string)\n [\n \"0\" ,\"\" ,\"Logon\" ,\"Success\" ,\"\", \"Informational\",\n \"50005\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50005 - DevicePolicyError\", \"Low\",\n \"50011\" 
,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50020\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50020 - UserUnauthorized\", \"Low\",\n \"50034\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50034 - UserAccountNotFound\", \"Low\",\n \"50053\" ,\"User locked\" ,\"Logon\" ,\"Failure\" ,\"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\" ,\"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"50056 - Invalid or null password\", \"Low\",\n \"50057\" ,\"User disabled\" ,\"Logon\" ,\"Failure\" ,\"50057 - UserDisabled\", \"Low\",\n \"50058\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50058 - UserInformationNotProvided\", \"Low\",\n \"50059\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50061\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50061 - SignoutInvalidRequest\", \"Low\",\n \"50064\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50064 - CredentialAuthenticationError\", \"Low\",\n \"50068\" ,\"\" ,\"Logoff\" ,\"Failure\" ,\"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50072\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50074\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"50076\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50078\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50078 - UserStrongAuthExpired\", \"Low\",\n \"50079\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"50105 - 
EntitlementGrantsNotFound\", \"Low\",\n \"50126\" ,\"No such user or password\" ,\"Logon\" ,\"Failure\" ,\"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\" ,\"Password expired\" ,\"Logon\" ,\"Failure\" ,\"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"50173 -FreshTokenNeeded\", \"Low\",\n \"51004\" ,\"No such user\" ,\"Logon\" ,\"Failure\" ,\"51004 - UserAccountNotInDirectory\", \"Low\",\n \"53003\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"53003 - BlockedByConditionalAccess\", \"Low\",\n \"70008\" ,\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"70021\", \"No such user\" ,\"Logon\" ,\"Failure\" ,\"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"80012\" ,\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"90024\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\",\n \"90033\", \"Transient error\" ,\"Logon\" ,\"Failure\" ,\"90033 - A transient error has occurred\", \"Informational\",\n \"100003\",\"Other\" ,\"Logon\" ,\"Failure\" ,\"100003\", \"Low\",\n \"500011\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"500341\", \"User disabled\" ,\"Logon\" ,\"Failure\" ,\"500341 - The user account has been deleted from the directory\", \"Low\",\n \"530032\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"530034\",\"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"530034 - 
DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"700016\",\"No such user\" ,\"Logon\" ,\"Failure\" ,\"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"700027\",\"Incorrect key\" ,\"Logon\" ,\"Failure\" ,\"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"700082\",\"Session expired\" ,\"Logon\" ,\"Failure\" ,\"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"1002016\", \"Logon violates policy\" ,\"Logon\" ,\"Failure\" ,\"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\" ,\"Logon\" ,\"Failure\" ,\"7000215 - Invalid client secret is provided\", \"Low\",\n \"7000222\", \"Session expired\" ,\"Logon\" ,\"Failure\" ,\"7000222 - The provided client secret keys are expired\", \"Low\"\n ];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails),\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult),\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity),\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n};\nlet parser = (\n disabled:bool=false\n ) {\n AADServicePrincipalSignInLogs\n | where not(disabled)\n | invoke AADResultTypes()\n | project-rename\n ActingAppId = AppId,\n EventOriginalUid = Id,\n EventProductVersion = OperationVersion,\n EventUid = _ItemId,\n SrcIpAddr = IPAddress,\n TargetAppId = ResourceIdentity ,\n TargetAppName = ResourceDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = ServicePrincipalId,\n TargetUsername = ServicePrincipalName\n | extend \n Dvc = 'Microsoft',\n EventCount = int(1),\n EventProduct = 'AAD',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventVendor = 'Microsoft',\n LogonMethod = \"Service Principal\",\n LocationDetails = todynamic(LocationDetails),\n TargetAppType = 
\"Resource\",\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'Simple',\n TargetUserType = 'Service'\n | extend\n SrcGeoCity = tostring(LocationDetails.city),\n SrcGeoCountry = Location,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude),\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId\n // \n // -- Aliases\n | extend \n Application = TargetAppName,\n Dst = TargetAppName,\n EventEndTime = TimeGenerated,\n EventStartTime = TimeGenerated,\n IpAddr = SrcIpAddr,\n LogonTarget = TargetAppName,\n Src = SrcIpAddr,\n TargetSimpleUsername = TargetUsername,\n TargetUserAadId = TargetUserId,\n User = TargetUsername\n};\nparser \n(\n disabled = disabled\n)",
 "version": 1,
 "functionParameters": "disabled:bool=False"
 }
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
index 367751571fb..e2177d32b64 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
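Review bot: In AADResultTypesLookup, `50053 - IdsLocked or IP address with malicious activity` and `530034 - DelegatedAdminBlockedDueToSuspiciousActivity` are assigned EventSeverity "Low", the same level as a routinely expired client secret (7000222), even though these are the two codes where Entra itself reports that it judged the source IP or the delegated admin as malicious or suspicious. A hunt or analytic that filters or sorts on EventSeverity therefore gets no lift from exactly the service-principal rows a SOC would want surfaced first. I would raise those two rows to the next ASIM level: `"50053" ,"User locked" ,"Logon" ,"Failure" ,"50053 - IdsLocked or IP address with malicious activity", "Medium",` and `"530034" ,"Logon violates policy" ,"Logon" ,"Failure" ,"530034 - DelegatedAdminBlockedDueToSuspiciousActivity", "Medium",`. Whether Medium is the right level is a tuning choice, but it should not equal the severity of an expired-credential failure. The KQL in this hunk is complete; the enclosing JSON resource object begins before the hunk.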
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet ActingAppType = datatable (ActingOriginalAppType: string, ActingAppType: string) [\n 'Mobile Apps and Desktop clients', 'Process',\n 'Browser', 'Service',\n 'Authenticated STMP', 'CSP',\n 'Exchange Active Sync', 'CSP',\n 'Other', 'Other',\n 'Unknown', 'Other'\n];\nlet LogonMethodLookup = datatable(OriginalLogonMethod: string, LogonMethod: string)\n[\n \"singleFactorAuthentication\", \"Username & Password\",\n \"multiFactorAuthentication\", \"Multi factor authentication\"\n];\nlet parser=(disabled:bool=false) {\n SigninLogs\n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n 
EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventResult = iff (ResultType == 0, 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Type = 'SigninLogs',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcDvcIdType = \"\",\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN',\n OriginalLogonMethod = coalesce(AuthenticationMethodsUsed, AuthenticationRequirement),\n TargetAppType = \"\"\n | extend\n SrcDvcIdType = iif(isempty(SrcDvcId), \"\", \"Other\"),\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | lookup LogonMethodLookup on OriginalLogonMethod\n | project-rename\n EventOriginalUid = Id,\n HttpUserAgent = UserAgent,\n TargetAppId = AppId,\n TargetAppName = AppDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName,\n ActingOriginalAppType = ClientAppUsed\n | lookup ActingAppType on ActingOriginalAppType\n | extend EventUid = column_ifexists(\"_ItemId\", \"\")\n | lookup UserTypeLookup on UserType\n // ** Aliases\n | extend \n Application = TargetAppName,\n IpAddr = SrcIpAddr,\n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername\n | project\n TimeGenerated,\n EventSchema,\n Type,\n EventVendor,\n EventProduct,\n EventCount,\n EventSchemaVersion,\n EventResult,\n EventOriginalResultDetails,\n EventStartTime,\n EventEndTime,\n EventType,\n Application,\n IpAddr,\n SrcDvcId,\n SrcDvcIdType,\n 
SrcHostname,\n SrcDvcOs,\n TargetUsernameType,\n TargetUserIdType,\n SrcIpAddr,\n LogonMethod,\n SrcGeoCity,\n SrcGeoCountry,\n SrcGeoLatitude,\n SrcGeoLongitude,\n EventOriginalUid,\n EventUid,\n HttpUserAgent,\n TargetSessionId,\n TargetUserId,\n TargetUsername,\n TargetAppId,\n TargetAppName,\n TargetAppType,\n ActingAppType,\n ActingOriginalAppType,\n TargetUserType,\n User,\n LogonTarget,\n Dvc\n};\nparser \n(\n disabled = disabled\n)", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet ActingAppType = datatable (ActingOriginalAppType: string, ActingAppType: string) [\n 'Mobile Apps and Desktop clients', 'Process',\n 'Browser', 'Service',\n 'Authenticated STMP', 'CSP',\n 'Exchange Active Sync', 'CSP',\n 'Other', 'Other',\n 'Unknown', 'Other'\n];\nlet LogonMethodLookup = datatable(OriginalLogonMethod: string, LogonMethod: string)\n[\n 
\"singleFactorAuthentication\", \"Username & Password\",\n \"multiFactorAuthentication\", \"Multi factor authentication\"\n];\nlet parser=(disabled:bool=false) {\n SigninLogs\n | where not(disabled)\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'AAD',\n EventResult = iff (ResultType == 0, 'Success', 'Failure'),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Type = 'SigninLogs',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcDvcIdType = \"\",\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN',\n OriginalLogonMethod = coalesce(AuthenticationMethodsUsed, AuthenticationRequirement),\n TargetAppType = \"\"\n | extend\n SrcDvcIdType = iif(isempty(SrcDvcId), \"\", \"Other\"),\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | lookup LogonMethodLookup on OriginalLogonMethod\n | project-rename\n EventOriginalUid = Id,\n HttpUserAgent = UserAgent,\n TargetAppId = AppId,\n TargetAppName = AppDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName,\n ActingOriginalAppType = ClientAppUsed\n | lookup ActingAppType on ActingOriginalAppType\n | extend EventUid = column_ifexists(\"_ItemId\", \"\")\n | lookup UserTypeLookup on UserType\n // ** Aliases\n | extend \n Application = TargetAppName,\n IpAddr = SrcIpAddr,\n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername\n | project\n 
TimeGenerated,\n EventSchema,\n Type,\n EventVendor,\n EventProduct,\n EventCount,\n EventSchemaVersion,\n EventResult,\n EventOriginalResultDetails,\n EventStartTime,\n EventEndTime,\n EventType,\n Application,\n IpAddr,\n SrcDvcId,\n SrcDvcIdType,\n SrcHostname,\n SrcDvcOs,\n TargetUsernameType,\n TargetUserIdType,\n SrcIpAddr,\n LogonMethod,\n SrcGeoCity,\n SrcGeoCountry,\n SrcGeoLatitude,\n SrcGeoLongitude,\n EventOriginalUid,\n EventUid,\n HttpUserAgent,\n TargetSessionId,\n TargetUserId,\n TargetUsername,\n TargetAppId,\n TargetAppName,\n TargetAppType,\n ActingAppType,\n ActingOriginalAppType,\n TargetUserType,\n User,\n LogonTarget,\n Dvc\n};\nparser \n(\n disabled = disabled\n)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json index 8ced9c304dc..59105bd3da3 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json 
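Review bot: The `ActingAppType` datatable on the new side keys one row on `'Authenticated STMP'`, which reads as a transposition of SMTP; if the source `ClientAppUsed` value is spelled "Authenticated SMTP", that row never matches and `ActingAppType` stays empty for legacy SMTP sign-ins, which are exactly the events a legacy-authentication detection would want classified as `CSP`. The row should read `'Authenticated SMTP', 'CSP',` (confirm against the live `ClientAppUsed` values first, since `lookup` is an exact match). Separately, `EventResult = iff (ResultType == 0, 'Success', 'Failure')` compares the string `ResultType` with an integer literal while `FailedReason` keys the same column as `'0'`; writing `ResultType == '0'` keeps the two consistent and avoids relying on implicit conversion. Both points are on lines carried over unchanged from the removed side; the commit itself only reverts `EventProduct`.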
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID managed identity sign-in logs", "category": "ASIM", "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs", - "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 
- EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n 
\"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADManagedIdentitySignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where 
((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Managed Identity\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Application'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n 
username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - 
UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n 
\"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADManagedIdentitySignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and 
(array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'AAD'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsoft'\n ,\n LogonMethod = \"Managed Identity\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Application'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'AADID'\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n 
,\n TargetUserAadId = TargetUserId\n};\nparser (\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json index 417776c5e91..63ab28f73c5 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json 
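Review bot: The `AADResultTypesLookup` row for 50173 carries `"50173 -FreshTokenNeeded"` without the space every other row puts after the dash, so `EventOriginalResultDetails` for that result type breaks the `"<code> - <name>"` form that content matching on this column would expect; it should read `\"50173 - FreshTokenNeeded\"`. The `"100003"` row likewise emits only the bare code with no name, which looks like an unfinished entry rather than a deliberate choice. The source-IP clause uses `has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)`, so when a caller passes a prefix list, records whose `IPAddress` is an IPv6 address are not matched and are dropped; a comment next to that clause such as `// IPv6 source addresses are not matched by has_any_ipv4_prefix` would make the filter's reach explicit, as the existing `// SrcHostname not available in source` comment already does for hostnames. These lines are unchanged from the removed side; the commit only touches `EventProduct`, `Dvc` and `TargetUserIdType`.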
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID non-interactive sign-in logs", "category": "ASIM", "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs", - "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet AADNIAuthentication=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n AADNonInteractiveUserSignInLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and 
(isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(todynamic(DeviceDetail).displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchemaVersion='0.1.0'\n ,\n EventCount=int(1)\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n ,\n SrcHostname =tostring(todynamic(DeviceDetail).displayName)\n ,\n SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetAppId = ResourceIdentity \n ,\n EventSubType = 'NonInteractive'\n ,\n TargetUsernameType='UPN'\n ,\n TargetUserIdType='EntraID'\n ,\n TargetAppName=ResourceDisplayName\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n ,\n 
LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n SrcIpAddr = IPAddress\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n User=TargetUsername\n ,\n LogonTarget=ResourceIdentity\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", + "query": "let FailedReason=datatable(ResultType: string, EventResultDetails: string)[\n '0', 'Success',\n '53003', 'Logon violates policy',\n '50034', 'No such user or password',\n '50059', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50064', 'No such user or password',\n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password 
expired',\n '80012', 'Logon violates policy',\n '51004', 'No such user or password',\n '50072', 'Logon violates policy',\n '50005', 'Logon violates policy',\n '50020', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '70008', 'Password expired',\n '700016', 'No such user or password', \n '500011', 'No such user or password' \n];\nlet AADNIAuthentication=(starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false) {\n AADNonInteractiveUserSignInLogs\n | where not(disabled)\n // ************************************************************************* \n // \n // *************************************************************************\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(todynamic(DeviceDetail).displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n // eventresultdetails_in filtering done later in the parser\n // eventresult filtering done later in the parser\n // ************************************************************************* \n // \n // ************************************************************************* \n | extend\n EventVendor = 'Microsoft'\n ,\n EventProduct = 'AAD'\n ,\n 
EventSchemaVersion='0.1.0'\n ,\n EventCount=int(1)\n ,\n EventResult = iff (ResultType == 0, 'Success', 'Failure')\n ,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime= TimeGenerated\n ,\n EventType= 'Logon'\n ,\n SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n ,\n SrcHostname =tostring(todynamic(DeviceDetail).displayName)\n ,\n SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n ,\n Location = todynamic(LocationDetails)\n ,\n TargetAppId = ResourceIdentity \n ,\n EventSubType = 'NonInteractive'\n ,\n TargetUsernameType='UPN'\n ,\n TargetUserIdType='AADID'\n ,\n TargetAppName=ResourceDisplayName\n // Filtering on 'eventresult'\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | extend\n SrcGeoCity=tostring(Location.city)\n ,\n SrcGeoCountry=tostring(Location.countryOrRegion)\n ,\n SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n ,\n SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid =Id\n ,\n LogonMethod = AuthenticationRequirement\n ,\n HttpUserAgent=UserAgent\n ,\n TargetSessionId=CorrelationId\n ,\n TargetUserId = UserId\n ,\n TargetUsername=UserPrincipalName\n ,\n SrcIpAddr = IPAddress\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | lookup FailedReason on ResultType\n // filtering on 'eventresultdetails_in'\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n User=TargetUsername\n ,\n LogonTarget=ResourceIdentity\n ,\n Dvc=EventVendor\n // -- Entity identifier explicit aliases\n ,\n TargetUserUpn = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nAADNIAuthentication(starttime=starttime, endtime=endtime, username_has_any=username_has_any, targetappname_has_any=targetappname_has_any, srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, srchostname_has_any=srchostname_has_any, eventtype_in=eventtype_in, eventresultdetails_in=eventresultdetails_in, eventresult=eventresult, disabled=disabled)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json index 15646573784..9fe5f136b3c 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json 
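Review bot: The new-side `extend` that sets `EventVendor`/`EventProduct = 'AAD'` in the non-interactive parser still emits no `EventSchema` and keeps `EventSchemaVersion='0.1.0'`, while the service-principal parser changed in this same commit sets `EventSchema = 'Authentication'` and `EventSchemaVersion = '0.1.3'`; any consumer that selects ASIM rows on EventSchema will silently drop these non-interactive sign-ins. Adding `EventSchema = 'Authentication'` next to `EventProduct = 'AAD'` would align it with the sibling parser; whether the version should also move to 0.1.3 depends on which schema fields this parser actually emits, which the hunk alone does not establish. The reverted vocabulary (`'AAD'`, `'AADID'`) presumably restores the values existing content and test data filter on; if this ARM template is generated from the parser's YAML source, the same values must be in that YAML or the next regeneration reintroduces 'Entra ID'.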
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID service principal sign-in logs", "category": "ASIM", "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs", - "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", 
\"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", \"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n 
\"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\", \"Logon\", \"Failure\", \"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\", \"Logon\", \"Failure\", \"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\", \"Logon\", \"Failure\", \"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\", \"Logon\", \"Failure\", \"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\", \"Logon\", \"Failure\", \"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\", \"Logon\", \"Failure\", \"90033 - A transient error has occurred\", \"Informational\",\n \"90024\", \"Transient error\", \"Logon\", \"Failure\", \"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: 
dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n AADServicePrincipalSignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'Entra ID'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsft/Entra ID'\n ,\n LogonMethod = \"Service Principal\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Service'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'EntraID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n ,\n SrcGeoCountry = Location\n ,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n ,\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n ,\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "query": "let AADResultTypes = (T: (ResultType: string))\n{\n let AADResultTypesLookup = datatable\n(\n 
ResultType: string,\n EventResultDetails: string,\n EventType: string,\n EventResult: string,\n EventOriginalResultDetails: string,\n EventSeverity: string\n)\n[\n \"0\", \"\", \"Logon\", \"Success\", \"\", \"Informational\",\n \"53003\", \"Logon violates policy\", \"Logon\", \"Failure\", \"53003 - BlockedByConditionalAccess\", \"Low\",\n \"50034\", \"No such user\", \"Logon\", \"Failure\", \"50034 - UserAccountNotFound\", \"Low\",\n \"50059\", \"No such user\", \"Logon\", \"Failure\", \"50059 - MissingTenantRealmAndNoUserInformationProvided\", \"Low\",\n \"50053\", \"User locked\", \"Logon\", \"Failure\", \"50053 - IdsLocked or IP address with malicious activity\", \"Low\",\n \"50055\", \"Password expired\", \"Logon\", \"Failure\", \"50055 - InvalidPasswordExpiredPassword\", \"Low\",\n \"50056\", \"Incorrect password\", \"Logon\", \"Failure\", \"50056 - Invalid or null password\", \"Low\",\n \"50057\", \"User disabled\", \"Logon\", \"Failure\", \"50057 - UserDisabled\", \"Low\",\n \"50058\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50058 - UserInformationNotProvided\", \"Low\",\n \"50011\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50011 - The redirect URI specified in the request does not match\", \"Low\",\n \"50064\", \"No such user or password\", \"Logon\", \"Failure\", \"50064 - CredentialAuthenticationError\", \"Low\",\n \"50076\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50076 - UserStrongAuthClientAuthNRequired\", \"Low\",\n \"50079\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50079 - UserStrongAuthEnrollmentRequired\", \"Low\",\n \"50105\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50105 - EntitlementGrantsNotFound\", \"Low\",\n \"50126\", \"No such user or password\", \"Logon\", \"Failure\", \"50126 - InvalidUserNameOrPassword\", \"Low\",\n \"50132\", \"Password expired\", \"Logon\", \"Failure\", \"50132 - SsoArtifactInvalidOrExpired\", \"Low\",\n \"50133\", \"Password expired\", \"Logon\", 
\"Failure\", \"50133 - SsoArtifactRevoked\", \"Low\",\n \"50144\", \"Password expired\", \"Logon\", \"Failure\", \"50144 - InvalidPasswordExpiredOnPremPassword\", \"Low\",\n \"50173\", \"Session expired\", \"Logon\", \"Failure\", \"50173 -FreshTokenNeeded\", \"Low\",\n \"80012\", \"Logon violates policy\", \"Logon\", \"Failure\", \"80012 - OnPremisePasswordValidationAccountLogonInvalidHours\", \"Low\",\n \"51004\", \"No such user\", \"Logon\", \"Failure\", \"51004 - UserAccountNotInDirectory\", \"Low\",\n \"50072\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50072 - UserStrongAuthEnrollmentRequiredInterrupt\", \"Low\",\n \"50005\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50005 - DevicePolicyError\", \"Low\",\n \"50020\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50020 - UserUnauthorized\", \"Low\",\n \"50074\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50074 - UserStrongAuthClientAuthNRequiredInterrupt\", \"Low\",\n \"70008\", \"Session expired\", \"Logon\", \"Failure\", \"70008 - ExpiredOrRevokedGrant\", \"Low\",\n \"700016\", \"No such user\", \"Logon\", \"Failure\", \"700016 - UnauthorizedClient_DoesNotMatchRequest\", \"Low\",\n \"500011\", \"No such user\", \"Logon\", \"Failure\", \"500011 - InvalidResourceServicePrincipalNotFound\", \"Low\",\n \"700027\", \"Incorrect key\", \"Logon\", \"Failure\", \"700027 - The certificate with identifier used to sign the client assertion is not registered on application\", \"Low\",\n \"100003\", \"Other\", \"Logon\", \"Failure\", \"100003\", \"Low\",\n \"700082\", \"Session expired\", \"Logon\", \"Failure\", \"700082 - ExpiredOrRevokedGrantInactiveToken\", \"Low\",\n \"530034\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530034 - DelegatedAdminBlockedDueToSuspiciousActivity\", \"Low\",\n \"530032\", \"Logon violates policy\", \"Logon\", \"Failure\", \"530032 - BlockedByConditionalAccessOnSecurityPolicy\", \"Low\",\n \"50061\", \"\", \"Logoff\", \"Failure\", \"50061 - 
SignoutInvalidRequest\", \"Low\",\n \"50068\", \"\", \"Logoff\", \"Failure\", \"50068 - SignoutInitiatorNotParticipant\", \"Low\",\n \"50078\", \"Logon violates policy\", \"Logon\", \"Failure\", \"50078 - UserStrongAuthExpired\", \"Low\",\n \"7000222\", \"Session expired\", \"Logon\", \"Failure\", \"7000222 - The provided client secret keys are expired\", \"Low\",\n \"70021\", \"No such user\", \"Logon\", \"Failure\", \"70021 - No matching federated identity record found for presented assertion\", \"Low\",\n \"500341\", \"User disabled\", \"Logon\", \"Failure\", \"500341 - The user account has been deleted from the directory\", \"Low\",\n \"1002016\", \"Logon violates policy\", \"Logon\", \"Failure\", \"1002016 - You are using TLS version 1.0, 1.1 and/or 3DES cipher\", \"Low\",\n \"7000215\", \"Incorrect password\", \"Logon\", \"Failure\", \"7000215 - Invalid client secret is provided\", \"Low\",\n \"90033\", \"Transient error\", \"Logon\", \"Failure\", \"90033 - A transient error has occurred\", \"Informational\",\n \"90024\", \"Transient error\", \"Logon\", \"Failure\", \"90024 - RequestBudgetExceededError - A transient error has occurred\", \"Informational\"\n];\n T \n | lookup AADResultTypesLookup on ResultType\n | extend\n EventType = iff(isempty(EventType), \"Logon\", EventType)\n ,\n EventResult = iff(isempty(EventResult), \"Failure\", EventResult)\n ,\n EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)\n ,\n EventSeverity = iff(isempty(EventSeverity), \"Low\", EventSeverity)\n};\nlet parser = (\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic = dynamic([]),\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n )\n{\n 
AADServicePrincipalSignInLogs\n | where not(disabled)\n and (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime)\n and ((array_length(username_has_any) == 0) or ServicePrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0) // SrcHostname not available in source\n | invoke AADResultTypes()\n | where ((array_length(eventtype_in) == 0) or EventType in~ (eventtype_in))\n and (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n and (eventresult == \"*\" or (EventResult == eventresult))\n | project-rename\n ActingAppId = AppId\n ,\n TargetAppId = ResourceIdentity \n ,\n TargetAppName = ResourceDisplayName\n ,\n TargetUsername = ServicePrincipalName\n ,\n TargetUserId = ServicePrincipalId\n ,\n EventOriginalUid = Id\n ,\n TargetSessionId = CorrelationId\n ,\n SrcIpAddr = IPAddress\n ,\n EventUid = _ItemId\n ,\n EventProductVersion = OperationVersion\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n // ActorUsername not coming from source. 
Hence, not mapped.\n | extend ASimMatchingUsername = case\n (\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n | extend \n EventVendor = 'Microsoft'\n ,\n EventProduct = 'AAD'\n ,\n EventSchema = 'Authentication'\n ,\n EventSchemaVersion = '0.1.3'\n ,\n Dvc = 'Microsoft'\n ,\n LogonMethod = \"Service Principal\"\n ,\n TargetAppType = \"Resource\"\n ,\n EventCount = int(1)\n ,\n TargetUserType = 'Service'\n ,\n TargetUsernameType = 'Simple'\n ,\n TargetUserIdType = 'AADID'\n | extend\n LocationDetails = todynamic(LocationDetails)\n | extend\n SrcGeoCity = tostring(LocationDetails.city)\n ,\n SrcGeoCountry = Location\n ,\n SrcGeoLatitude = toreal(LocationDetails.geoCoordinates.latitude)\n ,\n SrcGeoLongitude = toreal(LocationDetails.geoCoordinates.longitude)\n ,\n SrcGeoRegion = tostring(LocationDetails.state)\n | project-away\n OperationName,\n Category,\n Result*,\n ServicePrincipal*,\n SourceSystem,\n DurationMs,\n Resource*,\n Location*,\n UniqueTokenIdentifier,\n FederatedCredentialId,\n Conditional*,\n Authentication*,\n Identity,\n Level,\n TenantId,\n temp*\n // \n // -- Aliases\n | extend \n User = TargetUsername\n ,\n LogonTarget = TargetAppName\n ,\n EventStartTime = TimeGenerated\n ,\n EventEndTime = TimeGenerated\n ,\n Application = TargetAppName\n ,\n Dst = TargetAppName\n ,\n Src = SrcIpAddr\n ,\n IpAddr = SrcIpAddr\n ,\n TargetSimpleUsername = TargetUsername\n ,\n TargetUserAadId = TargetUserId\n};\nparser \n(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", "version": 1, "functionParameters": 
"starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json index 73e147f75c1..54573c60c63 100644 --- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json +++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json 
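Review bot: In `AADResultTypes` on the new side, the fallback `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), EventType, EventOriginalResultDetails)` fills an unmapped result code from `EventType` rather than from `ResultType`, so any code absent from `AADResultTypesLookup` reaches the output with its original value erased (and since the expression reads the pre-extend `EventType`, which is itself empty for an unmapped row, the field most likely ends up blank) — exactly the failures an analyst needs to triage. The non-interactive parser in this same commit preserves the raw code via `coalesce(ResultDescription, ResultType)`; the equivalent here is `EventOriginalResultDetails = iff(isempty(EventOriginalResultDetails), ResultType, EventOriginalResultDetails)`, applied before the later `project-away Result*`. Separately, `Dvc = 'Microsoft'` and `EventProduct = 'AAD'` presumably restore the values existing detections filter on; if so the same revert needs to land in the YAML source this ARM template is generated from, and a short comment above the `extend` stating that the AAD vocabulary is kept for compatibility would stop the next contributor from re-renaming it.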
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM filtering parser for Microsoft Entra ID interactive sign-in logs", "category": "ASIM", "FunctionAlias": "vimAuthenticationSigninLogs", - "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet ActingAppType = datatable (ActingOriginalAppType: string, ActingAppType: string) [\n 'Mobile Apps and Desktop clients', 'Process',\n 'Browser', 'Service',\n 'Authenticated STMP', 'CSP',\n 'Exchange Active Sync', 'CSP',\n 'Other', 'Other',\n 'Unknown', 'Other'\n];\nlet LogonMethodLookup = datatable(OriginalLogonMethod: string, LogonMethod: string)\n[\n \"singleFactorAuthentication\", \"Username & Password\",\n \"multiFactorAuthentication\", \"Multi factor authentication\"\n];\nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n 
targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic,\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n SigninLogs\n | where not(disabled)\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(DeviceDetail.displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n | extend EventResult = iff (ResultType == 0, 'Success', 'Failure')\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | lookup FailedReason on ResultType\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'Entra ID',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Type = 'SigninLogs',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcDvcIdType = \"\",\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN',\n OriginalLogonMethod = coalesce(AuthenticationMethodsUsed, AuthenticationRequirement),\n TargetAppType = \"\"\n | 
lookup LogonMethodLookup on OriginalLogonMethod\n | extend\n SrcDvcIdType = iif(isempty(SrcDvcId), \"\", \"Other\"),\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n HttpUserAgent = UserAgent,\n TargetAppId = AppId,\n TargetAppName = AppDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName,\n ActingOriginalAppType = ClientAppUsed\n | lookup ActingAppType on ActingOriginalAppType\n | extend EventUid = column_ifexists(\"_ItemId\", \"\")\n | lookup UserTypeLookup on UserType\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n Application = TargetAppName,\n IpAddr = SrcIpAddr,\n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername\n | project\n TimeGenerated,\n EventSchema,\n Type,\n EventVendor,\n EventProduct,\n EventCount,\n EventSchemaVersion,\n EventResult,\n EventOriginalResultDetails,\n EventStartTime,\n EventEndTime,\n EventType,\n Application,\n IpAddr,\n SrcDvcId,\n SrcDvcIdType,\n SrcHostname,\n SrcDvcOs,\n TargetUsernameType,\n TargetUserIdType,\n SrcIpAddr,\n LogonMethod,\n SrcGeoCity,\n SrcGeoCountry,\n SrcGeoLatitude,\n SrcGeoLongitude,\n EventOriginalUid,\n EventUid,\n HttpUserAgent,\n TargetSessionId,\n TargetUserId,\n TargetUsername,\n TargetAppId,\n TargetAppName,\n TargetAppType,\n ActingAppType,\n ActingOriginalAppType,\n TargetUserType,\n User,\n LogonTarget,\n Dvc,\n ASimMatchingUsername\n};\nparser(\n starttime=starttime,\n endtime=endtime,\n username_has_any=username_has_any,\n 
targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", + "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n '0', 'Success',\n '50005', 'Logon violates policy',\n '50011', 'Logon violates policy', \n '50020', 'Logon violates policy',\n '50034', 'No such user or password',\n '50053', 'User locked',\n '50055', 'Password expired',\n '50056', 'Incorrect password',\n '50057', 'User disabled',\n '50058', 'Logon violates policy',\n '50059', 'No such user or password',\n '50064', 'No such user or password',\n '50072', 'Logon violates policy',\n '50074', 'Logon violates policy', \n '50076', 'Logon violates policy',\n '50079', 'Logon violates policy',\n '50105', 'Logon violates policy',\n '50126', 'No such user or password',\n '50132', 'Password expired',\n '50133', 'Password expired',\n '50144', 'Password expired',\n '50173', 'Password expired',\n '51004', 'No such user or password',\n '53003', 'Logon violates policy',\n '70008', 'Password expired',\n '80012', 'Logon violates policy',\n '500011', 'No such user or password',\n '700016', 'No such user or password', \n ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n 'Guest','Guest', \n 'Member', 'Regular',\n '',''\n];\nlet ActingAppType = datatable (ActingOriginalAppType: string, ActingAppType: string) [\n 'Mobile Apps and Desktop clients', 'Process',\n 'Browser', 'Service',\n 'Authenticated STMP', 'CSP',\n 'Exchange Active Sync', 'CSP',\n 'Other', 'Other',\n 'Unknown', 'Other'\n];\nlet LogonMethodLookup = datatable(OriginalLogonMethod: string, LogonMethod: string)\n[\n \"singleFactorAuthentication\", \"Username & Password\",\n \"multiFactorAuthentication\", \"Multi factor authentication\"\n];\nlet parser=(\n starttime: datetime=datetime(null), \n 
endtime: datetime=datetime(null), \n username_has_any: dynamic = dynamic([]),\n targetappname_has_any: dynamic = dynamic([]),\n srcipaddr_has_any_prefix: dynamic,\n srchostname_has_any: dynamic = dynamic([]),\n eventtype_in: dynamic = dynamic([]),\n eventresultdetails_in: dynamic = dynamic([]),\n eventresult: string = '*',\n disabled: bool=false\n) {\n SigninLogs\n | where not(disabled)\n | where \n (isnull(starttime) or TimeGenerated >= starttime) \n and (isnull(endtime) or TimeGenerated <= endtime) \n and ((array_length(username_has_any) == 0) or UserPrincipalName has_any (username_has_any))\n and ((array_length(targetappname_has_any) == 0) or ResourceDisplayName has_any (targetappname_has_any))\n and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(IPAddress, srcipaddr_has_any_prefix)))\n and (array_length(srchostname_has_any) == 0 or tostring(DeviceDetail.displayName) has_any (srchostname_has_any))\n and ((array_length(eventtype_in) == 0) or \"Logon\" in~ (eventtype_in))\n | extend EventResult = iff (ResultType == 0, 'Success', 'Failure')\n | where (eventresult == \"*\" or (EventResult == eventresult))\n | lookup FailedReason on ResultType\n | where (array_length(eventresultdetails_in) == 0 or EventResultDetails in~ (eventresultdetails_in))\n | extend\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n EventProduct = 'AAD',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventSubType = 'Interactive',\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n Type = 'SigninLogs',\n Location = todynamic(LocationDetails),\n SrcHostname = tostring(DeviceDetail.displayName),\n SrcDvcId = tostring(DeviceDetail.deviceId),\n SrcDvcIdType = \"\",\n SrcIpAddr = IPAddress,\n SrcDvcOs = tostring(DeviceDetail.operatingSystem),\n TargetUserIdType = 'AADID',\n TargetUsernameType = 'UPN',\n OriginalLogonMethod = 
coalesce(AuthenticationMethodsUsed, AuthenticationRequirement),\n TargetAppType = \"\"\n | lookup LogonMethodLookup on OriginalLogonMethod\n | extend\n SrcDvcIdType = iif(isempty(SrcDvcId), \"\", \"Other\"),\n SrcGeoCity = tostring(Location.city),\n SrcGeoCountry = tostring(Location.countryOrRegion),\n SrcGeoLatitude = toreal(Location.geoCoordinates.latitude),\n SrcGeoLongitude = toreal(Location.geoCoordinates.longitude)\n | project-rename\n EventOriginalUid = Id,\n HttpUserAgent = UserAgent,\n TargetAppId = AppId,\n TargetAppName = AppDisplayName,\n TargetSessionId = CorrelationId,\n TargetUserId = UserId,\n TargetUsername = UserPrincipalName,\n ActingOriginalAppType = ClientAppUsed\n | lookup ActingAppType on ActingOriginalAppType\n | extend EventUid = column_ifexists(\"_ItemId\", \"\")\n | lookup UserTypeLookup on UserType\n // mapping ASimMatchingUsername\n | extend temp_isMatchTargetUsername=TargetUsername has_any(username_has_any)\n | extend ASimMatchingUsername = case(\n array_length(username_has_any) == 0,\n \"-\",\n temp_isMatchTargetUsername,\n \"TargetUsername\",\n \"No match\"\n )\n // ** Aliases\n | extend \n Application = TargetAppName,\n IpAddr = SrcIpAddr,\n Dvc = EventVendor,\n LogonTarget = TargetAppName,\n User = TargetUsername\n | project\n TimeGenerated,\n EventSchema,\n Type,\n EventVendor,\n EventProduct,\n EventCount,\n EventSchemaVersion,\n EventResult,\n EventOriginalResultDetails,\n EventStartTime,\n EventEndTime,\n EventType,\n Application,\n IpAddr,\n SrcDvcId,\n SrcDvcIdType,\n SrcHostname,\n SrcDvcOs,\n TargetUsernameType,\n TargetUserIdType,\n SrcIpAddr,\n LogonMethod,\n SrcGeoCity,\n SrcGeoCountry,\n SrcGeoLatitude,\n SrcGeoLongitude,\n EventOriginalUid,\n EventUid,\n HttpUserAgent,\n TargetSessionId,\n TargetUserId,\n TargetUsername,\n TargetAppId,\n TargetAppName,\n TargetAppType,\n ActingAppType,\n ActingOriginalAppType,\n TargetUserType,\n User,\n LogonTarget,\n Dvc,\n ASimMatchingUsername\n};\nparser(\n starttime=starttime,\n 
endtime=endtime,\n username_has_any=username_has_any,\n targetappname_has_any=targetappname_has_any,\n srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n srchostname_has_any=srchostname_has_any,\n eventtype_in=eventtype_in,\n eventresultdetails_in=eventresultdetails_in,\n eventresult=eventresult,\n disabled=disabled\n)", "version": 1, "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),username_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADManagedIdentity.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADManagedIdentity.md index 71ef1e87303..d6af2677b8f 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADManagedIdentity.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADManagedIdentity.md @@ -1,5 +1,11 @@ # Changelog for ASimAuthenticationAADManagedIdentity.yaml +## Version 0.2.3 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType + ## Version 0.2.2 - (2024-03-26) Authentication parsers update - [PR #10129](https://github.com/Azure/Azure-Sentinel/pull/10129) diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADNonInteractive.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADNonInteractive.md index d8422d26194..e3094f08705 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADNonInteractive.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADNonInteractive.md 
@@ -1,5 +1,11 @@ # Changelog for ASimAuthenticationAADNonInteractive.yaml +## Version 0.2.3 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType +- ## Version 0.2.2 - (2024-03-26) Authentication parsers update - [PR #10129](https://github.com/Azure/Azure-Sentinel/pull/10129) diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADServicePrincipalSignInLogs.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADServicePrincipalSignInLogs.md index 77da4d756ec..af391c97cd6 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADServicePrincipalSignInLogs.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADServicePrincipalSignInLogs.md @@ -1,5 +1,11 @@ # Changelog for ASimAuthenticationAADServicePrincipalSignInLogs.yaml +## Version 0.2.3 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType +- ## Version 0.2.2 - (2024-03-26) Authentication parsers update - [PR #10129](https://github.com/Azure/Azure-Sentinel/pull/10129) diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADSigninLogs.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADSigninLogs.md index 186952231d7..790ed759115 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADSigninLogs.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationAADSigninLogs.md 
@@ -1,8 +1,16 @@ # Changelog for ASimAuthenticationAADSigninLogs.yaml +## Version 0.4.1 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType +- ## Version 0.4.0 - (2026-01-14) [ASIM] Authentication AADSigninLogs parser rewrite - [PR #13409](https://github.com/Azure/Azure-Sentinel/pull/13409) +- Add the normalized columns: `LogonMethod`, `ActingAppName`, `TargetAppId` +- Remove unnormalized columns ## Version 0.3.2 diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCrowdStrikeFalconHost.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCrowdStrikeFalconHost.md index f3d82d428b8..92e96af2164 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCrowdStrikeFalconHost.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationCrowdStrikeFalconHost.md @@ -3,6 +3,8 @@ ## Version 0.2.0 - (2026-01-19) [ASIM] Authentication - Crowdstrike FalconHost Parser changes - [PR #13462](https://github.com/Azure/Azure-Sentinel/pull/13462) +- Align `LogonMethod` enumerations with what is expected from schema +- Remove unnormalized columns ## Version 0.1.0 diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationM365Defender.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationM365Defender.md index ba6b971fd8e..35ad7ffc52d 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationM365Defender.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationM365Defender.md @@ -3,6 +3,8 @@ ## Version 0.2.0 - (2026-01-22) [ASIM] Authentication M365Defender - Parser Fixes - [PR #13441](https://github.com/Azure/Azure-Sentinel/pull/13441) +- Remove unnormalized columns +- Previously unnormalized columns were added to AdditionalFields in case there are needed ## Version 0.1.3 
diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoCortexDataLake.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoCortexDataLake.md index f49d865f6a8..994d53bb0db 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoCortexDataLake.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationPaloAltoCortexDataLake.md @@ -3,6 +3,8 @@ ## Version 0.2.0 - (2026-01-22) [ASIM] Authentication - Palo Alto Cortex data lake parser edits - [PR #13410](https://github.com/Azure/Azure-Sentinel/pull/13410) +- Use `TimeGenerated` as `EventStartTime` if `start` is not populated +- Remove unnormalized columns ## Version 0.1.0 diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSshd.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSshd.md index 24d37e76646..2fe4294542f 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSshd.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSshd.md @@ -8,6 +8,8 @@ ## Version 0.3.0 - (2026-01-20) [ASIM] Authentication - Sshd Parser fixes - [PR #13460](https://github.com/Azure/Azure-Sentinel/pull/13460) +- Populate `LogonMethod` column if the event is an accepted event +- Add `Dvc`, `Src` columns ## Version 0.2.4 diff --git a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSu.md b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSu.md index bd53ebf331a..3c14cd5c099 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSu.md +++ b/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSu.md @@ -3,6 +3,9 @@ ## Version 0.3.0 - (2026-01-22) [ASIM] Authentication su parser fixes - [PR #13453](https://github.com/Azure/Azure-Sentinel/pull/13453) +- Re-evaluate successful su events as `Logon` instead of `Elevate` +- Normalized failed su events as Logon failures +- Remove unnormalized columns ## Version 0.2.1 
diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADManagedIdentity.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADManagedIdentity.md index 9f460bbc778..4f31dbdd38c 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADManagedIdentity.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADManagedIdentity.md @@ -1,5 +1,11 @@ # Changelog for vimAuthenticationAADManagedIdentity.yaml +## Version 0.2.3 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType +- ## Version 0.2.2 - (2024-03-26) Authentication parsers update - [PR #10129](https://github.com/Azure/Azure-Sentinel/pull/10129) diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADNonInteractive.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADNonInteractive.md index 4f6f4e139c8..0db63153809 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADNonInteractive.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADNonInteractive.md @@ -1,5 +1,11 @@ # Changelog for vimAuthenticationAADNonInteractive.yaml +## Version 0.2.3 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType +- ## Version 0.2.2 - (2024-03-26) Authentication parsers update - [PR #10129](https://github.com/Azure/Azure-Sentinel/pull/10129) diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADServicePrincipalSignInLogs.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADServicePrincipalSignInLogs.md index 0aabd0de7a2..8ed1de10c9a 100644 
--- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADServicePrincipalSignInLogs.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADServicePrincipalSignInLogs.md @@ -1,5 +1,11 @@ # Changelog for vimAuthenticationAADServicePrincipalSignInLogs.yaml +## Version 0.2.3 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType +- ## Version 0.2.2 - (2024-03-26) Authentication parsers update - [PR #10129](https://github.com/Azure/Azure-Sentinel/pull/10129) diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADSigninLogs.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADSigninLogs.md index 1d7346fd198..521786ab9fa 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADSigninLogs.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationAADSigninLogs.md @@ -1,8 +1,16 @@ # Changelog for vimAuthenticationAADSigninLogs.yaml +## Version 0.4.1 + +- (2026-02-24) [ASIM] Authentication - EntraID enumeration changes - [PR #13571](https://github.com/Azure/Azure-Sentinel/pull/13571) +- Enumeration change from `Entra ID` to `AAD` for EventProduct +- Enumeration change from `EntraID` to `AADID` for TargetUserIdType +- ## Version 0.4.0 - (2026-01-14) [ASIM] Authentication AADSigninLogs parser rewrite - [PR #13409](https://github.com/Azure/Azure-Sentinel/pull/13409) +- Add the normalized columns: `LogonMethod`, `ActingAppName`, `TargetAppId` +- Remove unnormalized columns ## Version 0.3.2 diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCrowdStrikeFalconHost.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCrowdStrikeFalconHost.md index 15a1b70639c..83b4337f91b 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCrowdStrikeFalconHost.md 
+++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationCrowdStrikeFalconHost.md @@ -3,6 +3,8 @@ ## Version 0.1.1 - (2024-04-11) Authentication parser filter update - [PR #10243](https://github.com/Azure/Azure-Sentinel/pull/10243) +- Align `LogonMethod` enumerations with what is expected from schema +- Remove unnormalized columns ## Version 0.1.0 diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationM365Defender.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationM365Defender.md index d0f85dfacc9..f01767c72a5 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationM365Defender.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationM365Defender.md @@ -3,6 +3,8 @@ ## Version 0.2.0 - (2026-01-22) [ASIM] Authentication M365Defender - Parser Fixes - [PR #13441](https://github.com/Azure/Azure-Sentinel/pull/13441) +- Remove unnormalized columns +- Previously unnormalized columns were added to AdditionalFields in case there are needed ## Version 0.1.3 diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoCortexDataLake.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoCortexDataLake.md index a8375be1297..85837842a34 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoCortexDataLake.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationPaloAltoCortexDataLake.md @@ -3,6 +3,8 @@ ## Version 0.2.0 - (2026-01-22) [ASIM] Authentication - Palo Alto Cortex data lake parser edits - [PR #13410](https://github.com/Azure/Azure-Sentinel/pull/13410) +- Use `TimeGenerated` as `EventStartTime` if `start` is not populated +- Remove unnormalized columns ## Version 0.1.1 diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSshd.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSshd.md index 2f362a9adae..46f1f08d785 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSshd.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSshd.md 
@@ -8,6 +8,8 @@ ## Version 0.3.0 - (2026-01-20) [ASIM] Authentication - Sshd Parser fixes - [PR #13460](https://github.com/Azure/Azure-Sentinel/pull/13460) +- Populate `LogonMethod` column if the event is an accepted event +- Add `Dvc`, `Src` columns ## Version 0.2.4 diff --git a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSu.md b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSu.md index 95a626e156a..83f8f191d5f 100644 --- a/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSu.md +++ b/Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSu.md @@ -3,6 +3,9 @@ ## Version 0.3.0 - (2026-01-22) [ASIM] Authentication su parser fixes - [PR #13453](https://github.com/Azure/Azure-Sentinel/pull/13453) +- Re-evaluate successful su events as `Logon` instead of `Elevate` +- Normalized failed su events as Logon failures +- Remove unnormalized columns ## Version 0.2.2 diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADManagedIdentity.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADManagedIdentity.yaml index 455587be5e9..cabd8196151 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADManagedIdentity.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADManagedIdentity.yaml @@ -1,12 +1,12 @@ Parser: Title: Authentication ASIM parser for Microsoft Entra ID managed identity sign-in logs - Version: '0.2.2' - LastUpdated: Mar 20 2024 + Version: '0.2.3' + LastUpdated: Feb 04, 2026 Product: Name: Microsoft Entra ID Normalization: Schema: Authentication - Version: 0.1.0' + Version: '0.1.0' References: - Title: ASIM Authentication Schema Link: https://aka.ms/ASimAuthenticationDoc 
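Review bot: `LastUpdated: Feb 04, 2026` in the `@@ -1,12 +1,12 @@` hunk of ASimAuthenticationAADManagedIdentity.yaml does not agree with the changelog entry this same commit adds for that parser, which is dated `(2026-02-24)`, and the identical Feb 04 / 2026-02-24 mismatch recurs in every other parser header hunk in this diff (ASimAuthenticationAADNonInteractive, ASimAuthenticationAADServicePrincipalSignInLogs, ASimAuthenticationAADSigninLogs and their four vim counterparts). One of the two dates should be corrected so the record of when these enumeration values changed is unambiguous for anyone auditing detection behaviour over time. While the quoting of `Version: '0.1.0'` under Normalization is being fixed here, note that it still disagrees with `EventSchemaVersion = '0.1.3'` emitted by the query in the `@@ -85,15 +85,15 @@` hunk; vimAuthenticationAADManagedIdentity.yaml carries the same `'0.1.0'` / `'0.1.3'` pair. If the query really implements schema 0.1.3, the header should read `Version: '0.1.3'`; if not, the emitted `EventSchemaVersion` is what should change.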
@@ -85,15 +85,15 @@ ParserQuery: | TargetUserId = ServicePrincipalId, TargetUsername = ServicePrincipalName | extend - Dvc = 'Microsft/Entra ID', + Dvc = 'Microsoft', EventCount = int(1), - EventProduct = 'Entra ID', + EventProduct = 'AAD', EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', EventVendor = 'Microsoft', LogonMethod = "Managed Identity", TargetAppType = "Resource", - TargetUserIdType = 'EntraID', + TargetUserIdType = 'AADID', TargetUsernameType = 'Simple', TargetUserType = 'Service' | project-away OperationName, Category, Result*, ServicePrincipal*,SourceSystem, DurationMs, Resource*, Location*, UniqueTokenIdentifier, FederatedCredentialId, Conditional*, Authentication*, Identity, Level, TenantId diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADNonInteractive.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADNonInteractive.yaml index c7fa7f58916..7e3bdb50873 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADNonInteractive.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADNonInteractive.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM parser for Microsoft Entra ID non-interactive sign-in logs - Version: '0.2.2' - LastUpdated: Mar 19 2024 + Version: '0.2.3' + LastUpdated: Feb 04, 2026 Product: Name: Microsoft Entra ID Normalization: @@ -58,7 +58,7 @@ ParserQuery: | EventCount = int(1), EventEndTime = TimeGenerated, EventOriginalResultDetails = coalesce(ResultDescription, ResultType), - EventProduct = 'Entra ID', + EventProduct = 'AAD', EventResult = iff (ResultType ==0, 'Success', 'Failure'), EventSchemaVersion = '0.1.0', EventStartTime = TimeGenerated, @@ -71,7 +71,7 @@ ParserQuery: | SrcDvcOs = tostring(todynamic(DeviceDetail).operatingSystem), TargetAppId = ResourceIdentity , TargetAppName = ResourceDisplayName, - TargetUserIdType = 'EntraID', + TargetUserIdType = 'AADID', TargetUsernameType = 'UPN' | extend SrcGeoCity = tostring(Location.city), 
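Review bot: Changing `EventProduct` from `'Entra ID'` to `'AAD'` and `TargetUserIdType` from `'EntraID'` to `'AADID'` alters values that downstream analytics rules, hunting queries and workbooks filter on, so any consumer written against the previous strings (for example `where EventProduct == 'Entra ID'`) silently returns nothing once this parser is deployed; the same edit is made in the NonInteractive hunks on this line and in the ServicePrincipalSignInLogs, SigninLogs and all vim* parser hunks that follow. A detection that silently stops matching is a worse failure mode than one that errors, yet the version moves only at patch level (`0.2.2` → `0.2.3`). Consider a minor bump and a one-line KQL comment above this extend, such as `// EventProduct/TargetUserIdType use the ASIM enumerations 'AAD'/'AADID' (changed from 'Entra ID'/'EntraID' in 0.2.3); update consumers that filter on the old values`, so the break is discoverable from the parser itself and not only from the changelog. The replacement of `Dvc = 'Microsft/Entra ID'` with `'Microsoft'` also fixes the typo and matches what the vim parsers emit.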
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADServicePrincipalSignInLogs.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADServicePrincipalSignInLogs.yaml index fe9dfd33a40..2b921dac516 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADServicePrincipalSignInLogs.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADServicePrincipalSignInLogs.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM parser for Microsoft Entra ID service principal sign-in logs - Version: '0.2.2' - LastUpdated: Mar 20 2024 + Version: '0.2.3' + LastUpdated: Feb 04, 2026 Product: Name: Microsoft Entra ID Normalization: @@ -94,16 +94,16 @@ ParserQuery: | TargetUserId = ServicePrincipalId, TargetUsername = ServicePrincipalName | extend - Dvc = 'Microsft/Entra ID', + Dvc = 'Microsoft', EventCount = int(1), - EventProduct = 'Entra ID', + EventProduct = 'AAD', EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', EventVendor = 'Microsoft', LogonMethod = "Service Principal", LocationDetails = todynamic(LocationDetails), TargetAppType = "Resource", - TargetUserIdType = 'EntraID', + TargetUserIdType = 'AADID', TargetUsernameType = 'Simple', TargetUserType = 'Service' | extend diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADSigninLogs.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADSigninLogs.yaml index 906a2b65b83..d4b1f4ed970 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADSigninLogs.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationAADSigninLogs.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs - Version: '0.4.0' - LastUpdated: Jan 08, 2026 + Version: '0.4.1' + LastUpdated: Feb 04, 2026 Product: Name: Microsoft Entra ID Normalization: 
@@ -76,7 +76,7 @@ ParserQuery: | EventCount = int(1), EventEndTime = TimeGenerated, EventOriginalResultDetails = coalesce(ResultDescription, ResultType), - EventProduct = 'Entra ID', + EventProduct = 'AAD', EventResult = iff (ResultType == 0, 'Success', 'Failure'), EventSchema = 'Authentication', EventSchemaVersion = '0.1.3', diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADManagedIdentity.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADManagedIdentity.yaml index 31a7aed46cd..3d057f6cb96 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADManagedIdentity.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADManagedIdentity.yaml @@ -1,12 +1,12 @@ Parser: Title: Authentication ASIM filtering parser for Microsoft Entra ID managed identity sign-in logs - Version: '0.2.2' - LastUpdated: Mar 20, 2024 + Version: '0.2.3' + LastUpdated: Feb 04, 2026 Product: Name: Microsoft Entra ID Normalization: Schema: Authentication - Version: 0.1.0' + Version: '0.1.0' References: - Title: ASIM Authentication Schema Link: https://aka.ms/ASimAuthenticationDoc @@ -167,13 +167,13 @@ ParserQuery: | | extend EventVendor = 'Microsoft' , - EventProduct = 'Entra ID' + EventProduct = 'AAD' , EventSchema = 'Authentication' , EventSchemaVersion = '0.1.3' , - Dvc = 'Microsft/Entra ID' + Dvc = 'Microsoft' , LogonMethod = "Managed Identity" , @@ -185,7 +185,7 @@ ParserQuery: | , TargetUsernameType = 'Simple' , - TargetUserIdType = 'EntraID' + TargetUserIdType = 'AADID' | project-away OperationName, Category, diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADNonInteractive.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADNonInteractive.yaml index 2643cb74eb0..6a94ca33147 100644 --- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADNonInteractive.yaml +++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADNonInteractive.yaml 
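Review bot: The changelog entries this commit adds for ASimAuthenticationAADSigninLogs and vimAuthenticationAADSigninLogs both claim "Enumeration change from `EntraID` to `AADID` for TargetUserIdType", but the only query change in the `@@ -76,7 +76,7 @@` hunk here (and in the `@@ -126,7 +126,7 @@` hunk of vimAuthenticationAADSigninLogs.yaml) is `EventProduct`; the old side of the vim ARM template already carries `TargetUserIdType = 'AADID'`, so that value appears not to have moved for these two parsers. Those two changelog bullets should be dropped or reworded to cover the `EventProduct` change only, so readers auditing which enumeration values changed are not misled. Several of the added changelog blocks also appear to end in a stray empty `-` bullet before the next `## Version` heading, unlike ASimAuthenticationAADManagedIdentity.md, which ends the block with a blank line.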
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM filtering parser for Microsoft Entra ID non-interactive sign-in logs
- Version: '0.2.2'
- LastUpdated: Mar 19, 2024
+ Version: '0.2.3'
+ LastUpdated: Feb 04, 2026
 Product:
 Name: Microsoft Entra ID
 Normalization:
@@ -109,7 +109,7 @@ ParserQuery: |
 | extend
 EventVendor = 'Microsoft'
 ,
- EventProduct = 'Entra ID'
+ EventProduct = 'AAD'
 ,
 EventSchemaVersion='0.1.0'
 ,
@@ -139,7 +139,7 @@ ParserQuery: |
 ,
 TargetUsernameType='UPN'
 ,
- TargetUserIdType='EntraID'
+ TargetUserIdType='AADID'
 ,
 TargetAppName=ResourceDisplayName
 // Filtering on 'eventresult'
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADServicePrincipalSignInLogs.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADServicePrincipalSignInLogs.yaml
index 90733601f4a..064e119f859 100644
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADServicePrincipalSignInLogs.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADServicePrincipalSignInLogs.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM filtering parser for Microsoft Entra ID service principal sign-in logs
- Version: '0.2.2'
- LastUpdated: Mar 20, 2024
+ Version: '0.2.3'
+ LastUpdated: Feb 04, 2026
 Product:
 Name: Microsoft Entra ID
 Normalization:
@@ -174,13 +174,13 @@ ParserQuery: |
 | extend
 EventVendor = 'Microsoft'
 ,
- EventProduct = 'Entra ID'
+ EventProduct = 'AAD'
 ,
 EventSchema = 'Authentication'
 ,
 EventSchemaVersion = '0.1.3'
 ,
- Dvc = 'Microsft/Entra ID'
+ Dvc = 'Microsoft'
 ,
 LogonMethod = "Service Principal"
 ,
@@ -192,7 +192,7 @@ ParserQuery: |
 ,
 TargetUsernameType = 'Simple'
 ,
- TargetUserIdType = 'EntraID'
+ TargetUserIdType = 'AADID'
 | extend LocationDetails = todynamic(LocationDetails) | extend
diff --git a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADSigninLogs.yaml b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADSigninLogs.yaml
index ba74dfa3a9d..3ab9eb50052 100644
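Review bot: In the @@ -109 hunk of vimAuthenticationAADNonInteractive the new `EventProduct = 'AAD'` line sits next to the unchanged `EventSchemaVersion='0.1.0'`, while every sibling parser touched by this commit emits `EventSchemaVersion = '0.1.3'`; the non-interactive sign-in parser is the one most detection content joins against, so the mismatch is worth resolving in the same alignment pass. No `Dvc` hunk is shown for this file either, so if it still sets `Dvc` to the old `'Microsft/Entra ID'` value the device field will differ from the `'Microsoft'` used in the other vim parsers and break per-device correlation; I cannot see that line from here, so please confirm. The ParserQuery block continues outside the hunk.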
--- a/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADSigninLogs.yaml
+++ b/Parsers/ASimAuthentication/Parsers/vimAuthenticationAADSigninLogs.yaml
@@ -1,7 +1,7 @@
 Parser:
 Title: Authentication ASIM filtering parser for Microsoft Entra ID interactive sign-in logs
- Version: '0.4.0'
- LastUpdated: Jan 08, 2026
+ Version: '0.4.1'
+ LastUpdated: Feb 04, 2026
 Product:
 Name: Microsoft Entra ID
 Normalization:
@@ -126,7 +126,7 @@ ParserQuery: |
 EventCount = int(1),
 EventEndTime = TimeGenerated,
 EventOriginalResultDetails = coalesce(ResultDescription, ResultType),
- EventProduct = 'Entra ID',
+ EventProduct = 'AAD',
 EventSchema = 'Authentication',
 EventSchemaVersion = '0.1.3',
 EventStartTime = TimeGenerated,
