Skip to content

Commit

Permalink
Merge pull request #11236 from dicolanl/ZeroNetworks-ParserUpdate
Browse files Browse the repository at this point in the history
ZeroNetworks: update parsers with new auditTypes
  • Loading branch information
v-visodadasi authored Oct 24, 2024
2 parents f73b652 + 781f6f4 commit e782f62
Show file tree
Hide file tree
Showing 2 changed files with 132 additions and 125 deletions.
98 changes: 0 additions & 98 deletions Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt

This file was deleted.

159 changes: 132 additions & 27 deletions Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml
Original file line number Diff line number Diff line change
@@ -1,38 +1,38 @@
id: 4677df99-9bff-4b87-a7b9-575091361d82
Function:
Title: Parser for ZNSegmentAudit
Version: '1.0.0'
LastUpdated: '2023-08-23'
Version: '1.0.1'
LastUpdated: '2024-10-08'
Category: Microsoft Sentinel Parser
FunctionName: ZNSegmentAudit
FunctionAlias: ZNSegmentAudit
FunctionQuery: |
let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
0, "Unspecified",
1, "Asset is being added to protection",
2, "Asset added to protection",
3, "Asset failed adding to protection",
4, "Asset is being removed from protection",
5, "Removed asset from protection",
6, "Failed removing asset from protection",
7, "Asset added to learning",
8, "Asset removed from learning",
9, "Access rule created",
10, "Access rule deleted",
11, "Access rule expired",
12, "Access rule edited",
17, "MFA access policy created",
18, "MFA access policy deleted",
19, "MFA access policy edited",
20, "JIT rule created",
21, "JIT rule deleted",
22, "JIT rule expired",
23, "JIT rule revived",
24, "JIT rule edited",
1, "Asset is being segmented (network)",
2, "Asset segmented (network)",
3, "Asset failed being segmented (network)",
4, "Asset is being unsegmented (network)",
5, "Asset unsegmented (network)",
6, "Asset failed being unsegmented (network)",
7, "Asset added to learning (network)",
8, "Asset removed from learning (network)",
9, "Inbound allow rule created",
10, "Inbound allow rule deleted",
11, "Inbound allow rule expired",
12, "Inbound allow rule edited",
17, "Inbound MFA policy created",
18, "Inbound MFA policy edited",
19, "Inbound MFA policy deleted",
20, "Inbound JIT rule created",
21, "Inbound JIT rule deleted",
22, "Inbound JIT rule expired",
23, "Inbound JIT rule revived",
24, "Inbound JIT rule edited",
25, "API Token created",
26, "API Token deleted",
27, "API Token regenerated",
28, "Asset learning is extended",
28, "Asset segmentation date postponed (network)",
29, "Outbound block rule created",
30, "Outbound block rule deleted",
31, "Outbound block rule expired",
Expand All @@ -41,24 +41,129 @@ FunctionQuery: |
34, "Inbound block rule deleted",
35, "Inbound block rule expired",
36, "Inbound block rule edited",
37, "Inbound rule pseudo edited",
38, "Outbound rule pseudo edited"
39, "Asset unsegmented (network) (overriding policy)",
40, "Asset is being unsegmented (network) (overriding policy)",
41, "Asset removed from learning (network) (overriding policy)",
42, "Asset is being segmented (network) (policy)",
43, "Asset segmented (network) (policy)",
44, "Asset added to learning (network) (policy)",
45, "Segmentation policy created",
46, "Segmentation policy deleted",
47, "Segmentation policy edited",
48, "Inbound JIT access rejected",
49, "Inbound JIT fallback rule created",
50, "Inbound JIT fallback rule deleted",
51, "Inbound JIT fallback rule expired",
53, "Outbound allow rule created",
54, "Outbound allow rule deleted",
55, "Outbound allow rule expired",
56, "Outbound allow rule edited",
58, "Admin portal role changed to admin",
59, "Admin portal role changed to viewer",
60, "Admin portal role revoked",
61, "Outbound JIT rule created",
62, "Outbound JIT rule deleted",
63, "Outbound JIT rule expired",
64, "Outbound MFA policy created",
65, "Outbound MFA policy deleted",
66, "Outbound MFA policy edited",
67, "Outbound JIT access rejected",
68, "Asset learning is done (network)",
69, "Asset learning (policy) is done (network)",
70, "Manual Linux asset created",
71, "Manual OT/IoT asset created",
72, "Asset learning extended (network)",
73, "Admin portal logon",
74, "Asset manager added",
75, "Asset manager removed",
76, "Asset is monitored by Cloud connector",
77, "Asset is no longer monitored by Cloud connector",
78, "Asset is monitored by Segment server",
79, "Asset is back to learning (network)",
80, "Manual OT/IoT asset edited",
81, "Admin portal role changed to operator",
82, "Segment server deployed",
83, "AI inbound allow rule rejected",
84, "AI inbound block rule rejected",
85, "AI outbound allow rule rejected",
86, "AI outbound block rule rejected",
87, "AI inbound allow rule approved",
88, "AI inbound block rule approved",
89, "AI outbound allow rule approved",
90, "AI outbound block rule approved",
91, "AI inbound allow rule approved with changes",
92, "AI inbound block rule approved with changes",
93, "AI outbound allow rule approved with changes",
94, "AI outbound block rule approved with changes",
95, "Connect region created",
96, "Connect session created",
97, "Connect session expired",
98, "Connect session revoked",
99, "Connect session logged out",
100, "User access configuration created",
101, "User access configuration edited",
102, "User access configuration deleted",
103, "Connect server deployed",
104, "Connect asset created",
105, "Asset segmentation postponed (network) (pending review rules)",
106, "Connect region edited",
107, "Connect server edited",
108, "Asset is being segmented (identity)",
109, "Asset segmented (identity)",
110, "Asset is being unsegmented (identity)",
111, "Asset unsegmented (identity)",
112, "Identity rule created",
113, "Identity rule deleted",
114, "Identity rule expired",
115, "Identity rule edited",
116, "User segmented (identity)",
117, "User unsegmented (identity)",
118, "User added to learning (identity)",
119, "User removed from learning (identity)",
120, "Asset added to RPC monitoring",
121, "Asset removed from RPC monitoring",
122, "User classification changed",
123, "Connect session extended",
124, "Asset marked as inactive by repository (deleted)",
125, "Asset marked as active by repository",
126, "Asset marked as inactive by user",
127, "Asset marked as active by user",
128, "Break glass configuration activated",
129, "Break glass configuration deactivated",
130, "Asset marked as inactive by repository (disable)",
131, "Asset marked as active by repository (enable)",
132, "Break glass configuration activated (asset)",
133, "Break glass configuration deactivated (asset)",
134, "Asset is being segmented (RPC)",
135, "Asset segmented (RPC)",
136, "Asset is being unsegmented (RPC)",
137, "Asset unsegmented (RPC)",
138, "Rules RPC rule created",
139, "Rules RPC rule deleted",
140, "Rules RPC rule expired",
141, "Rules RPC rule edited"
];
let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
1, "Reactive Policy",
2, "Automated",
3, "Access Portal",
4, "Admin Portal",
5, "AI",
6, "API"
6, "API",
7, "Setup"
];
let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
1, "Admin",
2, "Viewer",
3, "Regular",
4, "API - Full Access",
5, "API - Read Only",
6, "Self Service"
6, "Self Service",
7, "CloudConnectorProvisioning",
8, "JAMF Asset",
9, "Asset Manager",
10, "Operator",
11, "Service Now Token"
];
union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
| project-away TimeGenerated
Expand Down

0 comments on commit e782f62

Please sign in to comment.