ASIM Authentication Fixes (Azure#13232)

* ASIM Authentication Fixes

* Filtering on srchostname done later in parser

* Add back prefiltering

---------

Co-authored-by: Derrick Lee <[email protected]>

Author: yummyblabla

Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json

@@ -100,7 +100,7 @@ ParserQuery: |
           LogonGuid                 = tostring(EventData.LogonGuid),
           LogonProtocol             = tostring(EventData.AuthenticationPackageName),
           LogonType                 = toint(EventData.LogonType),
-          SrcHostname            = tostring(EventData.WorkstationName),
+          SrcHostname               = tostring(iff(EventData.WorkstationName in ('-', ''), Computer, EventData.WorkstationName)),
           SrcIpAddr              = tostring(EventData.IpAddress),
           Status                    = tostring(EventData.Status),
           SubStatus                 = tostring(EventData.SubStatus),
@@ -151,9 +151,10 @@ ParserQuery: |
       /// ** Aliases 
       | extend
           Dvc         = SrcHostname,
+          DvcHostName = SrcHostname,
           LogonTarget = TargetDvcHostname,
           User        = TargetUsername,
-          IpAddr   = SrcIpAddr
+          IpAddr      = SrcIpAddr
       | project-away
           EventData,
           LogonGuid,
@@ -200,7 +201,6 @@ ParserQuery: |
           EventOriginalType = EventID,
           EventOriginalUid  = EventOriginId,
           LogonProtocol     = AuthenticationPackageName,
-          SrcHostname    = WorkstationName,
           SrcIpAddr      = IpAddress,
           TargetDvcHostname = Computer,
           TargetSessionId   = TargetLogonId,
@@ -220,6 +220,7 @@ ParserQuery: |
           EventType          = iff(EventOriginalType in (LogoffEvents), 'Logoff', 'Logon'),
           EventVendor        = 'Microsoft',
           SrcDvcOs           = 'Windows',
+          SrcHostname        = iff (WorkstationName in ('-', ''), TargetDvcHostname, WorkstationName),
           TargetUserIdType   = 'SID',
           TargetUsername     = iff (TargetDomainName in ('-', ''), trim(@'\\', TargetUserName), trim(@'\\', TargetAccount)),
           TargetUsernameType = iff (TargetDomainName in ('-', ''), 'Simple', 'Windows')
@@ -233,6 +234,7 @@ ParserQuery: |
       /// ** Aliases 
       | extend
           Dvc         = SrcHostname,
+          DvcHostName = SrcHostname,
           LogonTarget = TargetDvcHostname,
           User        = TargetUsername,
           IpAddr   = SrcIpAddr

Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json

@@ -192,7 +192,7 @@ ParserQuery: |
     | extend
         Dst                   = coalesce (DvcFQDN, DvcHostname, DvcIpAddr),
         Dvc                   = DvcHostname,
-        IpAddr                = DvcIpAddr,
+        IpAddr                = SrcIpAddr,
         TargetDomain          = DvcDomain,
         TargetDomainType      = DvcDomainType,
         TargetDvcId           = DvcId,

Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json

@@ -135,7 +135,7 @@ ParserQuery: |
           and ((array_length(username_has_any) == 0) or (tostring(EventData.TargetUserName) has_any (username_has_any)) or (tostring(EventData.TargetDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.TargetDomainName), '\\', tostring(EventData.TargetUserName)) has_any (username_has_any)) or (tostring(EventData.SubjectUserName) has_any (username_has_any)) or (tostring(EventData.SubjectDomainName) has_any (username_has_any)) or (strcat(tostring(EventData.SubjectDomainName), '\\', tostring(EventData.SubjectUserName)) has_any (username_has_any)))
           and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source
           and ((array_length(srcipaddr_has_any_prefix) == 0) or (has_any_ipv4_prefix(tostring(EventData.IpAddress), srcipaddr_has_any_prefix)))
-          and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any))
+          and (array_length(srchostname_has_any) == 0 or tostring(EventData.WorkstationName) has_any (srchostname_has_any) or Computer has_any (srchostname_has_any))
       // eventtype_in filtering done later in the parser
       // eventresultdetails_in filtering done later in the parser
       // eventresult filtering done later in the parser
@@ -181,8 +181,10 @@ ParserQuery: |
                                       "No match"
                                   )
       | extend 
-          SrcHostname = tostring(EventData.WorkstationName),
+          SrcHostname = tostring(iff(EventData.WorkstationName in ('-', ''), Computer, EventData.WorkstationName)),
           EventProduct = "Security Events"
+      // Filtering on SrcHostname
+      | where (array_length(srchostname_has_any) == 0 or SrcHostname has_any (srchostname_has_any))
       | extend EventStatus= iff(SubStatus == '0x0', Status, SubStatus)
       // -- creating EventMessage matching EventMessage in SecurityEvent table
       | extend
@@ -246,12 +248,10 @@ ParserQuery: |
       | lookup LogonTypes on LogonType
       /// ** Aliases 
       | extend
-          User=TargetUsername
-          ,
-          LogonTarget=TargetDvcHostname
-          ,
-          Dvc=SrcHostname
-          ,
+          User=TargetUsername,
+          LogonTarget=TargetDvcHostname,
+          Dvc=SrcHostname,
+          DvcHostName=SrcHostname,
           IpAddr=SrcIpAddr
       | project-away
           EventData,
@@ -285,7 +285,7 @@ ParserQuery: |
           and ((array_length(username_has_any) == 0) or (TargetUserName has_any (username_has_any)) or (TargetDomainName has_any (username_has_any)) or (strcat(TargetDomainName, '\\', TargetUserName) has_any (username_has_any)) or (SubjectUserName has_any (username_has_any)) or (SubjectDomainName has_any (username_has_any)) or (strcat(SubjectDomainName, '\\', SubjectUserName) has_any (username_has_any)))
           and (array_length(targetappname_has_any) == 0) // TargetAppName not available in source
           and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(IpAddress, srcipaddr_has_any_prefix))
-          and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)))
+          and ((array_length(srchostname_has_any) == 0) or (WorkstationName has_any (srchostname_has_any)) or (Computer has_any (srchostname_has_any)))
       // eventtype_in filtering done later in the parser
       // eventresultdetails_in filtering done later in the parser
       // eventresult filtering done later in the parser
@@ -329,8 +329,6 @@ ParserQuery: |
           ,
           TargetUserId =TargetUserSid
           ,
-          SrcHostname = WorkstationName
-          ,
           TargetDvcHostname = Computer
           ,
           EventOriginalUid = EventOriginId
@@ -373,6 +371,8 @@ ParserQuery: |
           ,
           SrcDvcOs = 'Windows'
           ,
+          SrcHostname = iff (WorkstationName in ('-', ''), TargetDvcHostname, WorkstationName)
+          ,
           EventStatus= iff(SubStatus == '0x0', Status, SubStatus)
       // mapping ASimMatchingUsername
       | extend
@@ -408,12 +408,10 @@ ParserQuery: |
       | lookup LogonTypes on LogonType
       /// ** Aliases 
       | extend
-          User=TargetUsername
-          ,
-          LogonTarget=TargetDvcHostname
-          ,
-          Dvc=SrcHostname
-          ,
+          User=TargetUsername,
+          LogonTarget=TargetDvcHostname,
+          Dvc=SrcHostname,
+          DvcHostName = SrcHostname,
           IpAddr=SrcIpAddr
       | project-away
           EventStatus,

Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json

@@ -367,7 +367,7 @@ ParserQuery: |
           ,
           TargetDvcIdType       = DvcIdType
           ,
-          IpAddr                = DvcIpAddr
+          IpAddr                = SrcIpAddr
           ,
           TargetIpAddr          = DvcIpAddr
           ,