Merge pull request Azure#11561 from Azure/native_Audit_Parser

Audit Native Parser

.script/tests/KqlvalidationsTests/CustomTables/ASimAuditEventLogs.json

@@ -5,6 +5,26 @@
       "Name": "TimeGenerated",
       "Type": "DateTime"
     },
+    {
+      "Name": "_ItemId",
+      "Type": "String"
+    },
+    {
+      "Name": "TenantId",
+      "Type": "String"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "String"
+    },
+    {
+      "Name": "_ResourceId",
+      "Type": "String"
+    },
+    {
+      "Name": "_SubscriptionId",
+      "Type": "String"
+    },
     {
       "Name": "AdditionalFields",
       "Type": "Dynamic"

ASIM/dev/ASimTester/ASimTester.csv

@@ -869,7 +869,6 @@ ParentProcessSHA256,string,Optional,ProcessEvent,SHA256,,
 ParentProcessSHA512,string,Optional,ProcessEvent,SHA512,,
 ParentProcessTokenElevation,string,Optional,ProcessEvent,,,
 PreviousPropertyValue,string,Optional,UserManagement,,,
-Process,string,Alias,AuditEvent,,,ActingProcessName
 Process,string,Alias,Dns,,,SrcProcessName
 Process,string,Alias,FileEvent,,,ActingProcessName
 Process,string,Alias,ProcessEvent,,,TargetProcessName

Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json

@@ -27,10 +27,10 @@
         "displayName": "Audit event ASIM parser",
         "category": "ASIM",
         "FunctionAlias": "ASimAuditEvent",
-        "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n  vimAuditEventEmpty, \n  ASimAuditEventMicrosoftExchangeAdmin365  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n  ASimAuditEventMicrosoftWindowsEvents  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n  ASimAuditEventMicrosoftSecurityEvents  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n  ASimAuditEventMicrosoftEvent  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n  ASimAuditEventAzureActivity  (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n  ASimAuditEventCiscoMeraki  (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n  ASimAuditEventCiscoMerakiSyslog  (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n  ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n  ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n  ASimAuditEventCiscoISE  (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n  ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n  ASimAuditEventSentinelOne  (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n  ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n  ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),\n  ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),\n  ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))\n",
+        "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludeASimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n  vimAuditEventEmpty, \n  ASimAuditEventMicrosoftExchangeAdmin365  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n  ASimAuditEventMicrosoftWindowsEvents  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n  ASimAuditEventMicrosoftSecurityEvents  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftSecurityEvents' in (DisabledParsers))),\n  ASimAuditEventMicrosoftEvent  (BuiltInDisabled or ('ExcludeASimAuditEventMicrosoftEvents' in (DisabledParsers))),\n  ASimAuditEventAzureActivity  (BuiltInDisabled or ('ExcludeASimAuditEventAzureActivity' in (DisabledParsers))),\n  ASimAuditEventCiscoMeraki  (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMeraki' in (DisabledParsers))),\n  ASimAuditEventCiscoMerakiSyslog  (BuiltInDisabled or ('ExcludeASimAuditEventCiscoMerakiSyslog' in (DisabledParsers))),\n  ASimAuditEventBarracudaWAF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaWAF' in (DisabledParsers))),\n  ASimAuditEventBarracudaCEF (BuiltInDisabled or ('ExcludeASimAuditEventBarracudaCEF' in (DisabledParsers))),\n  ASimAuditEventCiscoISE  (BuiltInDisabled or ('ExcludeASimAuditEventCiscoISE' in (DisabledParsers))),\n  ASimAuditEventVectraXDRAudit(BuiltInDisabled or ('ExcludeASimAuditEventVectraXDRAudit' in (DisabledParsers))),\n  ASimAuditEventSentinelOne  (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),\n  ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),\n  ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),\n  ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),\n  ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers))),\n  ASimAuditEventNative(BuiltInDisabled or ('ExcludeASimAuditEventNative' in (DisabledParsers)))",
         "version": 1,
         "functionParameters": "pack:bool=False"
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventAzureAdminActivity/ASimAuditEventAzureAdminActivity.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaCEF/ASimAuditEventBarracudaCEF.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventBarracudaWAF/ASimAuditEventBarracudaWAF.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoISE/ASimAuditEventCiscoISE.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMeraki/ASimAuditEventCiscoMeraki.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventCiscoMerakiSyslog/ASimAuditEventCiscoMerakiSyslog.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventCrowdStrikeFalconHost/ASimAuditEventCrowdStrikeFalconHost.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftEvent/ASimAuditEventMicrosoftEvent.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftExchangeAdmin365/ASimAuditEventMicrosoftExchangeAdmin365.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftSecurityEvents/ASimAuditEventMicrosoftSecurityEvents.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventMicrosoftWindowsEvents/ASimAuditEventMicrosoftWindowsEvents.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventNative/ASimAuditEventNative.json

@@ -0,0 +1,36 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+      "apiVersion": "2020-08-01",
+      "name": "[concat(parameters('Workspace'), '/ASimAuditEventNative')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "properties": {
+        "etag": "*",
+        "displayName": "Audit Event ASIM parser for Microsoft Sentinel native Audit Event table",
+        "category": "ASIM",
+        "FunctionAlias": "ASimAuditEventNative",
+        "query": "let parser=(disabled:bool=false) \n{\n  ASimAuditEventLogs  | where not(disabled)\n    | extend EventSchema = \"AuditEvent\"\n    | project-rename\n        EventUid = _ItemId\n    | extend\n        Value\t= NewValue,\n        User =  ActorUsername,\n        Application =  TargetAppName,\n        Dst = coalesce (TargetDvcId, TargetHostname, TargetIpAddr, TargetAppId, TargetAppName),\n        Dvc = coalesce (DvcFQDN, DvcHostname, DvcIpAddr, DvcId, _ResourceId, strcat (EventVendor,'/', EventProduct)), \n        Rule=RuleName,\n        IpAddr=SrcIpAddr,\n        EventStartTime = TimeGenerated,\n        EventEndTime = TimeGenerated,\n        Src = coalesce (SrcFQDN, SrcHostname, SrcIpAddr, SrcDvcId)\n    | project-away\n        _ResourceId, _SubscriptionId\n};\nparser  (disabled=disabled)",
+        "version": 1,
+        "functionParameters": "disabled:bool=False"
+      }
+    }
+  ]
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventNative/README.md

@@ -0,0 +1,18 @@
+# Native ASIM AuditEvent Normalization Parser
+
+ARM template for ASIM AuditEvent schema parser for Native.
+
+This ASIM parser supports normalizing the native Microsoft Sentinel Audit Event table (ASimAuditEventLogs) to the ASIM Audit Event normalized schema. While the native table is ASIM compliant, the parser is needed to add capabilities, such as aliases, available only at query time. 
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM AuditEvent normalization schema reference](https://aka.ms/ASimAuditEventDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventNative%2FASimAuditEventNative.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuditEvent%2FARM%2FASimAuditEventNative%2FASimAuditEventNative.json)

Parsers/ASimAuditEvent/ARM/ASimAuditEventSentinelOne/ASimAuditEventSentinelOne.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventVMwareCarbonBlackCloud/ASimAuditEventVMwareCarbonBlackCloud.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/ASimAuditEventVectraXDRAudit/ASimAuditEventVectraXDRAudit.json

@@ -33,4 +33,4 @@
       }
     }
   ]
-}
+}

Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json

@@ -298,6 +298,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimAuditEventNative",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/ASimAuditEventNative/ASimAuditEventNative.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -658,6 +678,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuditEventNative",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuditEvent/ARM/vimAuditEventNative/vimAuditEventNative.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",