
Commit 4120a35

authored
Merge branch 'master' into v-tsawant/ASIM-vimAuthenticationSshd
2 parents 175706f + ab82652 commit 4120a35


8 files changed

+54
-21
lines changed


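--- a/.script/tests/asimParsersTest/ExclusionListForASimTests.csv
+++ b/.script/tests/asimParsersTest/ExclusionListForASimTests.csv
@@ -3,4 +3,6 @@ _ASim_NetworkSession_NTANetAnalytics
 _Im_NetworkSession_NTANetAnalytics
 _Im_NetworkSession_AzureFirewall
 _ASim_NetworkSession_AzureFirewall
-_Im_Authentication_Sshd
+_Im_Authentication_Sshd
+_ASim_Authentication_M365Defender
+_Im_Authentication_M365Defender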
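Review bot: Adding `_ASim_Authentication_M365Defender` and `_Im_Authentication_M365Defender` to the exclusion list takes both M365 Defender authentication parsers out of the ASIM parser test run, and nothing on the page records why or until when. Because a CSV has no comment syntax, the rationale (presumably a known schema-check failure awaiting a fix) belongs in the PR description or a tracking issue it references, so the exclusions are revisited rather than forgotten. The `_Im_Authentication_Sshd` entry is removed and re-added with identical visible text, which suggests a trailing-newline or whitespace repair; it is worth confirming that the stored entry now matches the parser name exactly, since stray whitespace would keep it from matching if the test compares names literally.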

Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@
2727
"displayName": "Authentication ASIM parser for M365 Defender Device Logon Events",
2828
"category": "ASIM",
2929
"FunctionAlias": "ASimAuthenticationM365Defender",
30-
"query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), 
AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for 
EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, 
InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)",
30+
"query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), 
AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | extend ItemId = columnifexists('_ItemId', \"\")\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = 
tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, 
InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)",
3131
"version": 1,
3232
"functionParameters": "disabled:bool=False"
3333
}
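Review bot: The new `| extend ItemId = columnifexists('_ItemId', "")` followed by `EventUid = ItemId` in the project-rename makes EventUid an empty string for every row whenever the `_ItemId` column is absent, so on such workspaces EventUid no longer distinguishes one event from another; if downstream content treats EventUid as an event key, that should be stated next to the extend, e.g. `// EventUid is empty when DeviceLogonEvents has no _ItemId column`. The intermediate ItemId column is consumed by the rename, so no stray column is left in the output. The carried-over alias `Prcess = ActingProcessName` in the same query line looks like a misspelling and is now part of the new line; confirm against the ASIM schema before touching it, since renaming a published alias would break consumers that already reference it. The enclosing JSON object begins before the hunk.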

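--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/README.md
@@ -2,7 +2,7 @@
 
 ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint.
 
-This ASIM parser supports normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
+This ASIM parser supports normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
 
 
 The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.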

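--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md
@@ -2,7 +2,7 @@
 
 ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint.
 
-This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
+This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
 
 
 The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.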
