diff --git a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
deleted file mode 100644
index 15a16325a56..00000000000
--- a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.txt
+++ /dev/null
@@ -1,98 +0,0 @@
-// Usage Instruction :
-// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as ZNSegmentAudit.
-// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. ZNSegmentAudit | take 10).
-// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
-let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
- 0, "Unspecified",
- 1, "Asset is being added to protection",
- 2, "Asset added to protection",
- 3, "Asset failed adding to protection",
- 4, "Asset is being removed from protection",
- 5, "Removed asset from protection",
- 6, "Failed removing asset from protection",
- 7, "Asset added to learning",
- 8, "Asset removed from learning",
- 9, "Access rule created",
- 10, "Access rule deleted",
- 11, "Access rule expired",
- 12, "Access rule edited",
- 17, "MFA access policy created",
- 18, "MFA access policy deleted",
- 19, "MFA access policy edited",
- 20, "JIT rule created",
- 21, "JIT rule deleted",
- 22, "JIT rule expired",
- 23, "JIT rule revived",
- 24, "JIT rule edited",
- 25, "API Token created",
- 26, "API Token deleted",
- 27, "API Token regenerated",
- 28, "Asset learning is extended",
- 29, "Outbound block rule created",
- 30, "Outbound block rule deleted",
- 31, "Outbound block rule expired",
- 32, "Outbound block rule edited",
- 33, "Inbound block rule created",
- 34, "Inbound block rule deleted",
- 35, "Inbound block rule expired",
- 36, "Inbound block rule edited",
- 37, "Inbound rule pseudo edited",
- 38, "Outbound rule pseudo edited"
-];
-let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
- 1, "Reactive Policy",
- 2, "Automated",
- 3, "Access Portal",
- 4, "Admin Portal",
- 5, "AI",
- 6, "API"
-];
-let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
- 1, "Admin",
- 2, "Viewer",
- 3, "Regular",
- 4, "API - Full Access",
- 5, "API - Read Only",
- 6, "Self Service"
-];
-union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
-| project-away TimeGenerated
-| lookup kind=leftouter AuditTypesTable on auditType_d
-| lookup kind=leftouter EnforcementSourceTypeTable on enforcementSource_d
-| lookup kind=leftouter UserRoleTypeTable on userRole_d
-| extend entity=parse_json(destinationEntitiesList_s)
-| extend EventVendor="Zero Networks",
- EventProduct="Segment Audit",
- AuditTypeId=column_ifexists('auditType_d', ''),
- TimeGenerated=unixtime_milliseconds_todatetime(timestamp_d),
- EnforcementSourceId=column_ifexists('enforcementSource_d', ''),
- UserRoleId=column_ifexists('userRole_d', ''),
- DestinationEntityName = ['entity'][0].name,
- DestinationEntityId = ['entity'][0].id,
- Details=column_ifexists('details_s', ''),
- PerformedById=column_ifexists('performedBy_id_s', ''),
- PerformedByName=column_ifexists('performedBy_name_s', ''),
- PerformedByGuid=column_ifexists('performedBy_id_g', ''),
- ReportedObjectGuid=column_ifexists('reportedObjectId_g', ''),
- ReportedObjectId=column_ifexists('reportedObjectId_s', '')
-| extend Rule=parse_json(Details).rule,
- ReactivePolicy=parse_json(Details).rp
-| project
- TimeGenerated,
- EventVendor,
- EventProduct,
- AuditTypeId,
- AuditType,
- DestinationEntityId,
- DestinationEntityName,
- EnforcementSourceId,
- EnforcementSource,
- PerformedByGuid,
- PerformedById,
- PerformedByName,
- ReportedObjectGuid,
- ReportedObjectId,
- UserRoleId,
- UserRole,
- Rule,
- ReactivePolicy
diff --git a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml
index be2f94cb775..0315e2fff68 100644
--- a/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml
+++ b/Solutions/ZeroNetworks/Parsers/ZNSegmentAudit.yaml
@@ -1,38 +1,38 @@
 id: 4677df99-9bff-4b87-a7b9-575091361d82
 Function:
 Title: Parser for ZNSegmentAudit
- Version: '1.0.0'
- LastUpdated: '2023-08-23'
+ Version: '1.0.1'
+ LastUpdated: '2024-10-08'
 Category: Microsoft Sentinel Parser
 FunctionName: ZNSegmentAudit
 FunctionAlias: ZNSegmentAudit
 FunctionQuery: |
 let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
 0, "Unspecified",
- 1, "Asset is being added to protection",
- 2, "Asset added to protection",
- 3, "Asset failed adding to protection",
- 4, "Asset is being removed from protection",
- 5, "Removed asset from protection",
- 6, "Failed removing asset from protection",
- 7, "Asset added to learning",
- 8, "Asset removed from learning",
- 9, "Access rule created",
- 10, "Access rule deleted",
- 11, "Access rule expired",
- 12, "Access rule edited",
- 17, "MFA access policy created",
- 18, "MFA access policy deleted",
- 19, "MFA access policy edited",
- 20, "JIT rule created",
- 21, "JIT rule deleted",
- 22, "JIT rule expired",
- 23, "JIT rule revived",
- 24, "JIT rule edited",
+ 1, "Asset is being segmented (network)",
+ 2, "Asset segmented (network)",
+ 3, "Asset failed being segmented (network)",
+ 4, "Asset is being unsegmented (network)",
+ 5, "Asset unsegmented (network)",
+ 6, "Asset failed being unsegmented (network)",
+ 7, "Asset added to learning (network)",
+ 8, "Asset removed from learning (network)",
+ 9, "Inbound allow rule created",
+ 10, "Inbound allow rule deleted",
+ 11, "Inbound allow rule expired",
+ 12, "Inbound allow rule edited",
+ 17, "Inbound MFA policy created",
+ 18, "Inbound MFA policy edited",
+ 19, "Inbound MFA policy deleted",
+ 20, "Inbound JIT rule created",
+ 21, "Inbound JIT rule deleted",
+ 22, "Inbound JIT rule expired",
+ 23, "Inbound JIT rule revived",
+ 24, "Inbound JIT rule edited",
 25, "API Token created",
 26, "API Token deleted",
 27, "API Token regenerated",
- 28, "Asset learning is extended",
+ 28, "Asset segmentation date postponed (network)",
 29, "Outbound block rule created",
 30, "Outbound block rule deleted",
 31, "Outbound block rule expired",
@@ -41,8 +41,107 @@ FunctionQuery: |
 34, "Inbound block rule deleted",
 35, "Inbound block rule expired",
 36, "Inbound block rule edited",
- 37, "Inbound rule pseudo edited",
- 38, "Outbound rule pseudo edited"
+ 39, "Asset unsegmented (network) (overriding policy)",
+ 40, "Asset is being unsegmented (network) (overriding policy)",
+ 41, "Asset removed from learning (network) (overriding policy)",
+ 42, "Asset is being segmented (network) (policy)",
+ 43, "Asset segmented (network) (policy)",
+ 44, "Asset added to learning (network) (policy)",
+ 45, "Segmentation policy created",
+ 46, "Segmentation policy deleted",
+ 47, "Segmentation policy edited",
+ 48, "Inbound JIT access rejected",
+ 49, "Inbound JIT fallback rule created",
+ 50, "Inbound JIT fallback rule deleted",
+ 51, "Inbound JIT fallback rule expired",
+ 53, "Outbound allow rule created",
+ 54, "Outbound allow rule deleted",
+ 55, "Outbound allow rule expired",
+ 56, "Outbound allow rule edited",
+ 58, "Admin portal role changed to admin",
+ 59, "Admin portal role changed to viewer",
+ 60, "Admin portal role revoked",
+ 61, "Outbound JIT rule created",
+ 62, "Outbound JIT rule deleted",
+ 63, "Outbound JIT rule expired",
+ 64, "Outbound MFA policy created",
+ 65, "Outbound MFA policy deleted",
+ 66, "Outbound MFA policy edited",
+ 67, "Outbound JIT access rejected",
+ 68, "Asset learning is done (network)",
+ 69, "Asset learning (policy) is done (network)",
+ 70, "Manual Linux asset created",
+ 71, "Manual OT/IoT asset created",
+ 72, "Asset learning extended (network)",
+ 73, "Admin portal logon",
+ 74, "Asset manager added",
+ 75, "Asset manager removed",
+ 76, "Asset is monitored by Cloud connector",
+ 77, "Asset is no longer monitored by Cloud connector",
+ 78, "Asset is monitored by Segment server",
+ 79, "Asset is back to learning (network)",
+ 80, "Manual OT/IoT asset edited",
+ 81, "Admin portal role changed to operator",
+ 82, "Segment server deployed",
+ 83, "AI inbound allow rule rejected",
+ 84, "AI inbound block rule rejected",
+ 85, "AI outbound allow rule rejected",
+ 86, "AI outbound block rule rejected",
+ 87, "AI inbound allow rule approved",
+ 88, "AI inbound block rule approved",
+ 89, "AI outbound allow rule approved",
+ 90, "AI outbound block rule approved",
+ 91, "AI inbound allow rule approved with changes",
+ 92, "AI inbound block rule approved with changes",
+ 93, "AI outbound allow rule approved with changes",
+ 94, "AI outbound block rule approved with changes",
+ 95, "Connect region created",
+ 96, "Connect session created",
+ 97, "Connect session expired",
+ 98, "Connect session revoked",
+ 99, "Connect session logged out",
+ 100, "User access configuration created",
+ 101, "User access configuration edited",
+ 102, "User access configuration deleted",
+ 103, "Connect server deployed",
+ 104, "Connect asset created",
+ 105, "Asset segmentation postponed (network) (pending review rules)",
+ 106, "Connect region edited",
+ 107, "Connect server edited",
+ 108, "Asset is being segmented (identity)",
+ 109, "Asset segmented (identity)",
+ 110, "Asset is being unsegmented (identity)",
+ 111, "Asset unsegmented (identity)",
+ 112, "Identity rule created",
+ 113, "Identity rule deleted",
+ 114, "Identity rule expired",
+ 115, "Identity rule edited",
+ 116, "User segmented (identity)",
+ 117, "User unsegmented (identity)",
+ 118, "User added to learning (identity)",
+ 119, "User removed from learning (identity)",
+ 120, "Asset added to RPC monitoring",
+ 121, "Asset removed from RPC monitoring",
+ 122, "User classification changed",
+ 123, "Connect session extended",
+ 124, "Asset marked as inactive by repository (deleted)",
+ 125, "Asset marked as active by repository",
+ 126, "Asset marked as inactive by user",
+ 127, "Asset marked as active by user",
+ 128, "Break glass configuration activated",
+ 129, "Break glass configuration deactivated",
+ 130, "Asset marked as inactive by repository (disable)",
+ 131, "Asset marked as active by repository (enable)",
+ 132, "Break glass configuration activated (asset)",
+ 133, "Break glass configuration deactivated (asset)",
+ 134, "Asset is being segmented (RPC)",
+ 135, "Asset segmented (RPC)",
+ 136, "Asset is being unsegmented (RPC)",
+ 137, "Asset unsegmented (RPC)",
+ 138, "Rules RPC rule created",
+ 139, "Rules RPC rule deleted",
+ 140, "Rules RPC rule expired",
+ 141, "Rules RPC rule edited"
 ];
 let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
 1, "Reactive Policy",
@@ -50,7 +149,8 @@ FunctionQuery: |
 3, "Access Portal",
 4, "Admin Portal",
 5, "AI",
- 6, "API"
+ 6, "API",
+ 7, "Setup"
 ];
 let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
 1, "Admin",
@@ -58,7 +158,12 @@ FunctionQuery: |
 3, "Regular",
 4, "API - Full Access",
 5, "API - Read Only",
- 6, "Self Service"
+ 6, "Self Service",
+ 7, "CloudConnectorProvisioning",
+ 8, "JAMF Asset",
+ 9, "Asset Manager",
+ 10, "Operator",
+ 11, "Service Now Token"
 ];
 union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
 | project-away TimeGenerated
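Review bot: Ids 37 and 38 are dropped without replacement in the hunk starting at `@@ -41,8 +41,107 @@`, so any already-ingested event with `auditType_d` of 37 or 38 will now come back from the `lookup kind=leftouter AuditTypesTable` step (which lies after the end of this diff) with an empty AuditType, and the same applies to ids the new table skips such as 52 and 57, which I assume are vendor-reserved but cannot confirm from the page. If the vendor retired those two types, keeping the rows as `37, "Inbound rule pseudo edited (deprecated)"` and `38, "Outbound rule pseudo edited (deprecated)"` preserves historical records; independently, adding `| extend AuditType = coalesce(AuditType, strcat("Unknown (", tostring(auditType_d), ")"))` after the lookup would make unmapped ids visible in queries instead of silently blank. The two following hunks that extend EnforcementSource and UserRole have the same silent-empty behaviour for ids outside the table.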
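Review bot: The new UserRole labels in the hunk starting at `@@ -58,7 +158,12 @@` mix naming styles — `7, "CloudConnectorProvisioning"` and `8, "JAMF Asset"` sit next to `11, "Service Now Token"`, while the existing values are spaced words such as `"API - Full Access"`. If these are the vendor's own role display names, a comment above the table saying so (e.g. "role names mirror the Zero Networks API enumeration verbatim") would stop a later maintainer from normalising them; if not, `"Cloud Connector Provisioning"` and `"ServiceNow Token"` would match the established style.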