AlertSchemaParsers

Author: vakohl

.github/workflows/convertKqlFunctionYamlToArmTemplate.yaml

@@ -15,6 +15,7 @@ on:
        - 'Parsers/ASimRegistryEvent/Parsers/**'
        - 'Parsers/ASimUserManagement/Parsers/**'
        - 'Parsers/ASimDhcpEvent/Parsers/**'
+       - 'Parsers/ASimAlertEvent/Parsers/**'
 
 env:
   GITHUB_APPS_ID: "${{ secrets.APPLICATION_ID }}"

.github/workflows/runAsimSchemaAndDataTesters.yaml

@@ -17,6 +17,7 @@ on:
     - 'Parsers/ASimRegistryEvent/Parsers/**'
     - 'Parsers/ASimUserManagement/Parsers/**'
     - 'Parsers/ASimDhcpEvent/Parsers/**'
+    - 'Parsers/ASimAlertEvent/Parsers/**'
 
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:

.script/getModifiedASimSchemas.ps1

@@ -1,5 +1,5 @@
 function getModifiedAsimSchemas() {
-    $schemas = ("ASimDns", "ASimWebSession", "ASimNetworkSession", "ASimProcessEvent", "ASimAuditEvent", "ASimAuthentication", "ASimFileEvent", "ASimRegistryEvent","ASimUserManagement","ASimDhcpEvent")
+    $schemas = ("ASimDns", "ASimWebSession", "ASimNetworkSession", "ASimProcessEvent", "ASimAuditEvent", "ASimAuthentication", "ASimFileEvent", "ASimRegistryEvent","ASimUserManagement","ASimDhcpEvent","ASimAlertEvent")
     $modifiedSchemas = @()
     foreach ($schema in $schemas) {
         $filesThatWereChanged= Invoke-Expression "git diff origin/master  --name-only -- $($PSScriptRoot)/../Parsers/$($schema)/Parsers"

.script/tests/asimParsersTest/ASimFilteringTest.py

@@ -843,6 +843,20 @@ def send_query(self, query_str):
         "targetappname_has_any" : "TargetAppName",
         "username_has_any" : "User"
     },
+    "AlertEvent" :
+    {
+        "disabled" : "",
+        "endtime" : "EventEndTime",
+        "starttime" : "EventStartTime",
+        "ipaddr_has_any_prefix" : "DvcIpAddr",
+        "hostname_has_any" : "DvcHostname",
+        "username_has_any" : "Username",
+        "attacktactics_has_any" : "AttackTactics",
+        "attacktechniques_has_any" : "AttackTechniques",
+        "threatcategory_has_any" : "ThreatCategory",
+        "alertverdict_has_any" : "AlertVerdict",
+        "eventseverity_has_any" : "EventSeverity",
+    },
     "DhcpEvent" :
     {
         "disabled" : "",

ASIM/dev/Parser YAML templates/ASimAlertTemplate.yaml

@@ -0,0 +1,30 @@
+Parser:
+  Title: Alert event ASIM parser for <product name>
+  Version: '0.1.0'
+  LastUpdated: <MMM DD, YYYY>
+Product:
+  Name: <product name>
+Normalization:
+  Schema: AlertEvent
+  Version: '<current schema version>'
+References:
+- Title: ASIM Alert Schema
+  Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+Description: |
+  This ASIM parser supports normalizing the <product name> logs to the ASIM 'Alert' normalized schema.
+ParserName: <ASimAlertEventVendor+Product>
+EquivalentBuiltInParser: <_ASim_AlertEvent_Vendor+Product>
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+    disabled:bool = false
+  )
+  {
+    <parser query body>
+  };
+  parser (disabled = disabled)

ASIM/dev/Parser YAML templates/ASimAuditEventTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: ASIM Audit Event parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing the <product name> logs to the ASIM Audit Event normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_AuditEvent_Product>
+ParserName: <ASimAuditEventVendor+Product>
+EquivalentBuiltInParser: <_ASim_AuditEvent_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimAuthenticationTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: ASIM Authentication parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing the <product name> logs to the ASIM Authentication normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_Authentication_Product>
+ParserName: <ASimAuthenticationVendor+Product>
+EquivalentBuiltInParser: <_ASim_Authentication_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimDhcpEventTemplate.yaml

@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing <product name> logs to the ASIM Dhcp normalized schema.
-ParserName: <ASimDhcpEventProduct>
-EquivalentBuiltInParser: <_ASim_DhcpEvent_Product>
+ParserName: <ASimDhcpEventVendor+Product>
+EquivalentBuiltInParser: <_ASim_DhcpEvent_Vendor+Product
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimDnsTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: DNS activity ASIM parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https://aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing the <product name> logs to the ASIM DNS activity normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_Dns_Product>
+ParserName: <ASimDnsVendor+Product>
+EquivalentBuiltInParser: <_ASim_Dns_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimFileEventTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: File events ASIM parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https://aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing the <product name> logs to the ASIM file activity normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_FileEvent_Product>
+ParserName: <ASimFileEventVendor+Product>
+EquivalentBuiltInParser: <_ASim_FileEvent_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimNetworkSessionTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Network Session ASIM parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing <product name> logs to the ASIM Network Session normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_NetworkSession_Product>
+ParserName: <ASimNetworkSessionVendor+Product>
+EquivalentBuiltInParser: <_ASim_NetworkSession_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimProcessEventTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Process event ASIM parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ references:
   Link: https:/aka.ms/AboutASIM
 Description:
   This ASIM parser supports normalizing the <product name> logs to the ASIM process event normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_ProcessEvent_Product>
+ParserName: <ASimProcessEventVendor+Product>
+EquivalentBuiltInParser: <_ASim_ProcessEvent_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimRegistryEventTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Registry Event ASIM parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing <product name> logs to the ASIM Registry event normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_RegistryEvent_Product>
+ParserName: <ASimRegistryEventVendor+Product>
+EquivalentBuiltInParser: <_ASim_RegistryEvent_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimUserManagementTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: User Management activity ASIM parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https://aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing the <product name> logs to the ASIM User Management activity normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_UserManagement_Product>
+ParserName: <ASimUserManagementVendor+Product>
+EquivalentBuiltInParser: <_ASim_UserManagement_Vendor+Product>
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/ASimWebSessionTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Web Session ASIM parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing <product name> logs to the ASIM Web Session normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_ASim_WebSession_Product>
+ParserName: <ASimWebSessionVendor+Product>
+EquivalentBuiltInParser: <_ASim_WebSession_Vendor+Product
 ParserParams:
   - Name: disabled
     Type: bool

ASIM/dev/Parser YAML templates/vimAlertTemplate.yaml

@@ -0,0 +1,82 @@
+Parser:
+  Title: Alert Event ASIM filtering parser for <product name>
+  Version: '0.1.0'
+  LastUpdated: <MMM DD, YYYY>
+Product:
+  Name: <product name>
+Normalization:
+  Schema: AlertEvent
+  Version: '<current schema version>'
+References:
+- Title: ASIM Alert Schema
+  Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+  Link: https:/aka.ms/AboutASIM
+Description: |
+  This ASIM filtering parser supports normalizing the <product name> logs to the ASIM Alert normalized schema.
+ParserName: <vimAlertEventVendor+Product>
+EquivalentBuiltInParser: <_Im_AlertEvent_Vendor+Product>
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: ipaddr_has_any_prefix
+    Type: dynamic
+    Default: dynamic([])
+  - Name: hostname_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: username_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: attacktactics_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: attacktechniques_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: threatcategory_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: alertverdict_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: eventseverity_has_any
+    Type: dynamic
+    Default: dynamic([])
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+    starttime: datetime=datetime(null), 
+        endtime: datetime=datetime(null), 
+        ipaddr_has_any_prefix: dynamic=dynamic([]),
+        hostname_has_any: dynamic=dynamic([]),
+        username_has_any: dynamic=dynamic([]),
+        attacktactics_has_any: dynamic=dynamic([]),
+        attacktechniques_has_any: dynamic=dynamic([]),
+        threatcategory_has_any: dynamic=dynamic([]),
+        alertverdict_has_any: dynamic=dynamic([]),
+        eventseverity_has_any: dynamic=dynamic([]),
+        disabled:bool=false
+  )
+  {
+    <parser query body>
+  };
+  parser (
+        starttime = starttime, 
+        endtime = endtime, 
+        ipaddr_has_any_prefix = ipaddr_has_any_prefix,
+        hostname_has_any = hostname_has_any,
+        username_has_any = username_has_any,
+        attacktactics_has_any = attacktactics_has_any,
+        attacktechniques_has_any = attacktechniques_has_any,
+        threatcategory_has_any = threatcategory_has_any,
+        alertverdict_has_any = alertverdict_has_any,
+        eventseverity_has_any = eventseverity_has_any,
+        disabled = disabled
+  )

ASIM/dev/Parser YAML templates/vimAuditEventTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Audit Event ASIM filtering parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM filtering parser supports normalizing the <product name> logs to the ASIM Audit Event normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_Im_AuditEvent_Product>
+ParserName: <ASimAuditEventVendor+Product>
+EquivalentBuiltInParser: <_Im_AuditEvent_Vendor+Product>
 ParserParams:
   - Name: starttime
     Type: datetime

ASIM/dev/Parser YAML templates/vimAuthenticationTemplate.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Authentication ASIM filtering parser for <product name>
-  Version: '<parser version>'
+  Version: '0.1.0'
   LastUpdated: <MMM DD, YYYY>
 Product:
   Name: <product name>
@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM filtering parser supports filtering and normalizing the <product name> logs to the ASIM authentication normalized schema.
-ParserName: <parser function name>
-EquivalentBuiltInParser: <_Im_Authentication_Product>
+ParserName: <ASimAuthenticationVendor+Product>
+EquivalentBuiltInParser: <_Im_Authentication_Vendor+Product>
 ParserParams:
   - Name: starttime
     Type: datetime

ASIM/dev/Parser YAML templates/vimDhcpEventTemplate.yaml

@@ -14,8 +14,8 @@ References:
   Link: https:/aka.ms/AboutASIM
 Description: |
   This ASIM filtering parser supports filtering and normalizing the <product name> logs to the ASIM authentication normalized schema.
-ParserName: <vimDhcpEventProduct>
-EquivalentBuiltInParser: <_Im_DhcpEvent_Product>
+ParserName: <ASimDhcpEventVendor+Product>
+EquivalentBuiltInParser: <_Im_DhcpEvent_Vendor+Product>
 ParserParams:
   - Name: starttime
     Type: datetime