Skip to content

Commit ab82652

Browse files
v-atulyadavv-atulyadav
authored
Merge pull request Azure#12393 from Azure/v-tsawant/ASIM-vimAuthenticationM365DefenderV2
Resolved Semantic error for M365Defender ASIM _ItemId field V2
2 parents 08a3a14 + 8bc4140 commit ab82652

File tree

8 files changed

+54
-21
lines changed

8 files changed

+54
-21
lines changed

.script/tests/asimParsersTest/ExclusionListForASimTests.csv

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,6 @@ ParserName
22
_ASim_NetworkSession_NTANetAnalytics
33
_Im_NetworkSession_NTANetAnalytics
44
_Im_NetworkSession_AzureFirewall
5-
_ASim_NetworkSession_AzureFirewall
5+
_ASim_NetworkSession_AzureFirewall
6+
_ASim_Authentication_M365Defender
7+
_Im_Authentication_M365Defender

Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@
2727
"displayName": "Authentication ASIM parser for M365 Defender Device Logon Events",
2828
"category": "ASIM",
2929
"FunctionAlias": "ASimAuthenticationM365Defender",
30-
"query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = _ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)",
30+
"query": "let EventResultDetailsLookup=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n 'InvalidUserNameOrPassword','No such user or password'\n];\nlet EventSubTypeLookup = datatable (EventOriginalType:string, EventSubType:string) [ \n 'Batch', 'Service',\n 'CachedInteractive', 'Interactive',\n 'Interactive', 'Interactive',\n 'Network', 'Remote',\n 'Remote interactive (RDP) logons', 'RemoteInteractive',\n 'RemoteInteractive', 'RemoteInteractive',\n 'Service', 'Service',\n 'Unknown', ''\n];\nlet EventResultLookup = datatable (ActionType:string, EventResult:string) [ \n 'LogonAttempted', 'NA',\n 'LogonFailed', 'Failure',\n 'LogonSuccess', 'Success'\n];\nlet parser = (\n disabled:bool=false\n){\n let UnixDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath startswith \"/\"\n | extend \n ActorUsernameType = \"Simple\",\n TargetDvcOs = \"Linux\",\n TargetUsernameType = \"Simple\"\n | project-rename \n ActingProcessName = InitiatingProcessFolderPath,\n ActorUsername = InitiatingProcessAccountName,\n TargetUsername = AccountName\n | project-away \n InitiatingProcessAccountSid, AccountDomain, InitiatingProcessAccountDomain, InitiatingProcessFileName, AccountSid\n };\n let WindowsDeviceLogonEvents = (disabled:bool=false) {\n DeviceLogonEvents \n | where not(disabled)\n | where InitiatingProcessFolderPath !startswith \"/\"\n | extend \n ActingProcessName = strcat (InitiatingProcessFolderPath,'\\\\',InitiatingProcessFileName),\n ActorUserIdType = 'SID',\n ActorUsername = case (\n isempty(InitiatingProcessAccountName), \"\",\n isempty(InitiatingProcessAccountDomain), InitiatingProcessAccountName,\n strcat(InitiatingProcessAccountDomain, '\\\\', InitiatingProcessAccountName)\n ),\n ActorUsernameType = iff (\n InitiatingProcessAccountDomain == '','Simple',\n 'Windows'\n ),\n TargetDvcOs = \"Windows\",\n TargetUserIdType = 'SID',\n TargetUsername = iff (\n isempty(AccountDomain), AccountName,\n strcat(AccountDomain, '\\\\', AccountName)\n ),\n TargetUsernameType = iff (AccountDomain == '','Simple', 'Windows')\n | project-rename \n ActorUserId = InitiatingProcessAccountSid,\n TargetUserId = AccountSid\n // -- Specific identifiers aliases\n | extend \n TargetUserSid = TargetUserId,\n ActorUserSid = ActorUserId,\n TargetWindowsUsername = TargetUsername,\n ActorWindowsUsername = ActorUsername,\n ActorUserType = _ASIM_GetWindowsUserType (ActorUsername, ActorUserId)\n | extend \n TargetUserType = iff(IsLocalAdmin, \n 'Admin',\n _ASIM_GetWindowsUserType (TargetWindowsUsername, TargetUserSid)\n )\n | project-away InitiatingProcessAccountName, InitiatingProcessAccountDomain, AccountDomain, AccountName, InitiatingProcessFolderPath, InitiatingProcessFileName\n };\n union \n WindowsDeviceLogonEvents (disabled=disabled),\n UnixDeviceLogonEvents (disabled=disabled)\n | project-away SourceSystem, TenantId, Timestamp, MachineGroup\n | extend ItemId = columnifexists('_ItemId', \"\")\n | project-rename \n ActingProcessCommandLine = InitiatingProcessCommandLine,\n ActingProcessCreationTime = InitiatingProcessCreationTime,\n ActingProcessIntegrityLevel = InitiatingProcessIntegrityLevel,\n ActingProcessMD5 = InitiatingProcessMD5,\n ActingProcessSHA1 = InitiatingProcessSHA1 ,\n ActingProcessSHA256 = InitiatingProcessSHA256,\n ActingProcessTokenElevation = InitiatingProcessTokenElevation,\n ActorUserAadId = InitiatingProcessAccountObjectId,\n ActorUserUpn = InitiatingProcessAccountUpn,\n EventOriginalResultDetails = FailureReason,\n EventOriginalType = LogonType,\n EventUid = ItemId,\n LogonProtocol = Protocol,\n ParentProcessCreationTime = InitiatingProcessParentCreationTime,\n ParentProcessName = InitiatingProcessParentFileName,\n SrcHostname = RemoteDeviceName,\n SrcPortNumber = RemotePort,\n TargetDvcId = DeviceId\n | extend \n ActingProcessId = tostring (InitiatingProcessId),\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalUid = tostring (ReportId),\n EventProduct = 'M365 Defender for EndPoint',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.3',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'Microsoft',\n ParentProcessId = tostring (InitiatingProcessParentId),\n SrcIpAddr = iff (RemoteIP == '-', '', RemoteIP),\n TargetDvcIdType = 'MDEid',\n TargetSessionId = tostring (LogonId)\n | extend\n Hash = coalesce(\n ActingProcessMD5,\n ActingProcessSHA1,\n ActingProcessSHA256\n )\n | extend\n HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\"])[array_index_of(pack_array(ActingProcessSHA256, ActingProcessSHA1, ActingProcessMD5),Hash)]) \n | invoke _ASIM_ResolveFQDN('DeviceName')\n | project-rename \n TargetDomain = Domain, \n TargetDomainType = DomainType,\n TargetFQDN = FQDN,\n TargetHostname = ExtractedHostname\n | project-away DeviceName\n | lookup EventResultDetailsLookup on EventOriginalResultDetails \n | lookup EventSubTypeLookup on EventOriginalType\n | lookup EventResultLookup on ActionType\n | extend\n EventSeverity = iff (EventResult == \"Success\", \"Informational\", \"Low\")\n // -- Specific identifiers aliases\n | extend\n DvcMDEid = TargetDvcId,\n TargetDvcMDEid = TargetDvcId\n // -- Aliases\n | extend \n ActingAppName = ActingProcessName,\n ActingAppType = \"Process\",\n Dvc = coalesce (TargetFQDN, TargetHostname),\n IpAddr = SrcIpAddr,\n Prcess = ActingProcessName,\n Src = coalesce (SrcIpAddr, SrcHostname),\n User = TargetUsername,\n // -- Alias Dvc to Target,\n DvcDomain = TargetDomain,\n DvcDomainType = TargetDomainType,\n DvcFQDN = TargetFQDN,\n DvcHostname = TargetHostname,\n DvcId = TargetDvcId,\n DvcIdType = TargetDvcIdType,\n DvcOs = TargetDvcOs\n | extend \n Dst = Dvc,\n LogonTarget = Dvc\n | project-away ReportId, LogonId, InitiatingProcessId, InitiatingProcessParentId, ActionType, InitiatingProcessFileSize, InitiatingProcessVersionInfoCompanyName, InitiatingProcessVersionInfoFileDescription, InitiatingProcessVersionInfoInternalFileName, InitiatingProcessVersionInfoOriginalFileName, InitiatingProcessVersionInfoProductName, InitiatingProcessVersionInfoProductVersion, AppGuardContainerId, RemoteIPType, IsLocalAdmin, RemoteIP\n};\nparser (\n disabled = disabled\n)",
3131
"version": 1,
3232
"functionParameters": "disabled:bool=False"
3333
}

Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint.
44

5-
This ASIM parser supports normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
5+
This ASIM parser supports normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
66

77

88
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.

Parsers/ASimAuthentication/ARM/vimAuthenticationM365Defender/README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
ARM template for ASIM Authentication schema parser for M365 Defender for EndPoint.
44

5-
This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
5+
This ASIM parser supports filtering and normalizing endpoint authentication events, collected by Microsoft 365 Defender for Endpoint, stored in the DeviceLogonEvents table, to the ASIM Authentication schema.
66

77

88
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.

0 commit comments

Comments
 (0)