Azurekid - ConvertFrom-Asim #8884

Merged
v-atulyadav merged 28 commits into Azure:master from SecureHats:azurekid/asim/tools/ConvertFrom-ASim
Jul 18, 2025
@azurekid
Contributor

Required items, please complete

Change(s):

  • ConvertFrom-ASim.ps1

Reason for Change(s):

  • Added a script for users to easily create an ARM template from an ASIM parser using PowerShell

Version Updated:

  • N/A

Testing Completed:

  • Added example in examples folder

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

azurekid requested review from a team as code owners on August 25, 2023 09:06
azurekid changed the title from "Azurekid/asim/tools/convert from a sim" to "Azurekid/asim/tools/ConvertFrom-Asim" on Aug 25, 2023
azurekid changed the title from "Azurekid/asim/tools/ConvertFrom-Asim" to "ConvertFrom-Asim" on Aug 25, 2023

@azurekid
Contributor Author

azurekid commented Sep 5, 2023

Friendly reminder to pick this up.

azurekid changed the title from "ConvertFrom-Asim" to "Azurekid - ConvertFrom-Asim" on Sep 27, 2023

@vakohl
Contributor

vakohl commented Oct 11, 2023

@azurekid Can you please add a description of why we need this? For every schema we already have a Deploy to Azure feature:
https://github.com/Azure/Azure-Sentinel/tree/master/Parsers/ASimDns

@azurekid
Contributor Author

azurekid commented Oct 11, 2023

Hi Varun,

The reason I have created this is because I regularly got questions on how to deploy the MS Sentinel GitHub files.

On one of my projects (Achmea) we are building our own ASIM parsers and functions, and trying to stay as close as possible to the Microsoft standards.

Therefore all parsers and functions are created in the YAML format. This function can be used to create deployable artifacts from the YAML files so these can be deployed through a DevOps or GitHub pipeline.

This is also the reason for my other PR where I updated all the ASIM templates.

@azurekid
Contributor Author

Hey Guys,
Anything I can do to get this PR going?

@vakohl
Contributor

vakohl commented Oct 25, 2023

@azurekid Customers can deploy the existing ASIM parser for each schema, e.g. through the link I shared.

We make every parser ARM deployable as soon as we get them merged on GitHub. With this, every parser you see under their schemas is already deployable using the link I shared. I'm trying to understand when someone would need this script? Is this going to be used when someone would like to deploy a custom parser they built?

@azurekid
Contributor Author

> @azurekid Customers can deploy the existing ASIM parser for each schema, e.g. through the link I shared.
>
> We make every parser ARM deployable as soon as we get them merged on GitHub. With this, every parser you see under their schemas is already deployable using the link I shared. I'm trying to understand when someone would need this script? Is this going to be used when someone would like to deploy a custom parser they built?

Hi,

This is indeed the case.
For the projects I am working on, we are creating a lot of custom ASIM parsers like:

  • BeyondTrust
  • Blue Cedar Networks
  • CommVault
  • Infoblox NIOS
  • Layer 7 SecureSpan Gateway
  • NetApp
  • Radware
  • F5
  • Darktrace
  • Microsoft 365 Defender
  • etc.

We have built over 60 ASIM parsers and converted these to deployable ARM templates using this script.

The whole idea behind this script is that organizations that build parsers or custom functions can easily deploy them and develop according to the Microsoft standards in YAML format, so these can easily be shared with the community.

@vakohl
Contributor

vakohl commented Oct 26, 2023

@azurekid Sounds good. I'll take a look.

@azurekid
Contributor Author

azurekid commented Nov 30, 2023

Hi @vakohl
Is there anything you are still waiting for from my side?
Please let me know 🙏🏼

@v-atulyadav
Collaborator

Thanks @azurekid. Could you please update your branch by taking master's latest.

@v-atulyadav
Collaborator

Hi @azurekid,
Validations are stuck in queue; please take the latest from the master's branch and push it again. Thanks

@azurekid
Contributor Author

> Hi @azurekid, Validations are stuck in queue; please take the latest from the master's branch and push it again. Thanks

All tests are passed 👍

@vakohl
Contributor

vakohl commented Apr 16, 2024

@azurekid I still couldn't deploy. Used this command:
.\ConvertFrom-ASim.ps1 -FilesPath "C:\Users\vimAuditEventMicrosoftExchangeAdmin365.yaml"

@v-atulyadav
Collaborator

Hi @azurekid,
Please check above comments. Thanks

@azurekid
Contributor Author

azurekid commented Apr 22, 2024

> Hi @azurekid, Please check above comments. Thanks

Hi, I have been reverse engineering what is going wrong, as it did work properly before without any real changes in the code. Seems like there have been some updates on the API and it now doesn't recognize semantic versions as integers.

Updated the code for versioning and synced with the latest master.

Thanks for your patience ;-)

@v-atulyadav
Collaborator

Hi @azurekid,
Make sure to synchronize your branch with the latest version of the master branch. Thanks

@v-atulyadav
Collaborator

Hi @azurekid,
Please update your branch by pulling the latest changes from master branch. Thanks

@v-atulyadav
Collaborator

Hi @azurekid,
Please ensure your branch is up to date by pulling the latest modifications from the master branch. Thanks

@v-atulyadav
Collaborator

Hi @azurekid,
Make sure to update your branch by incorporating the latest changes from the master branch. Thanks

@v-atulyadav
Collaborator

Hi @azurekid,
We wanted to check on the status of PR #8884. PR is pending for more than 30 days. Please let us know if you need any assistance to review this PR. Per our standard operating procedures if no response is received in the next 7 business days, we will close this PR. Thank you for your cooperation

@azurekid
Contributor Author

> Hi @azurekid, We wanted to check on the status of PR #8884. PR is pending for more than 30 days. Please let us know if you need any assistance to review this PR. Per our standard operating procedures if no response is received in the next 7 business days, we will close this PR. Thank you for your cooperation

Hi and sorry for the delay.
I have just synced the master to incorporate the latest changes

@vakohl
Contributor

vakohl commented Jun 12, 2025

@azurekid Sorry, it seems I missed approving this. Can you please re-trigger this validation? Will get this closed soon.

@azurekid
Contributor Author

No problem, will check it myself right now

@vakohl
Contributor

vakohl commented Jun 17, 2025

@v-atulyadav validations not triggering here

Contributor Author

@azurekid azurekid left a comment

Retrigger validation

@v-atulyadav
Collaborator

Hi @azurekid,
Make sure to get the latest from the master branch and push it again. Thanks

@v-atulyadav v-atulyadav merged commit 7aab5d8 into Azure:master Jul 18, 2025
23 checks passed