Cisco Secure Endpoint - AlertEvent ASIM Parser

Co-authored-by: Remco Hofman <5119620+SpeedyFireCyclone@users.noreply.github.com>

Author: Steve1145

Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml

@@ -1,7 +1,7 @@
 Parser:
   Title: Alert Event ASIM parser
-  Version: "0.1.0"
-  LastUpdated: Oct 18, 2024
+  Version: "0.1.1"
+  LastUpdated: Mar 04, 2026
 Product:
   Name: Source agnostic
 Normalization:
@@ -31,6 +31,7 @@ ParserQuery: |
   union isfuzzy=true
     vimAlertEventEmpty,
     ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),
-    ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))
+    ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),
+    ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))
   }; 
   parser (pack=pack)

Parsers/ASimAlertEvent/Parsers/ASimAlertEventCiscoSecureEndpoint.yaml

@@ -0,0 +1,180 @@
+Parser:
+  Title: Alert Event ASIM parser for Cisco Secure Endpoint
+  Version: '0.1.0'
+  LastUpdated: Mar 04, 2026
+Product:
+  Name: Cisco Secure Endpoint
+Normalization:
+  Schema: AlertEvent
+  Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+  Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Developer
+  Link: https://www.bluevoyant.com/
+Description: |
+  This ASIM parser supports normalizing the Cisco Secure Endpoint logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+ParserName: ASimAlertEventCiscoSecureEndpoint
+EquivalentBuiltInParser:
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+    let CiscoSEParser = (
+        disabled: bool=false
+    )
+    {
+        CiscoSecureEndpointEventsV2_CL
+        | where not(disabled)
+        | where isnotempty(Severity) //Filter in only security events and not operational logs
+        | extend
+            EventUid = tostring(Id),
+            EventOriginalType = tostring(EventTypeId)
+        | project-rename
+            EventOriginalSeverity = Severity,
+            EventEndTime = Date,
+            EventReportUrl = ComputerLinksTrajectory,
+            AlertName = EventType
+        | extend
+            EventMessage = coalesce(CloudIocDescription, CloudIocShortDescription, BpDataName, Detection),
+            EventProductVersion = coalesce(BpDataDetailsEngVer, 'Cloud'),
+            EventStartTime = unixtime_seconds_todatetime(Timestamp),
+            EventOriginalUid = coalesce(BpDataId, DetectionId, dynamic(null)),
+            EventSeverity = case(
+                EventOriginalSeverity in ('Critical', 'High'), 'High',
+                EventOriginalSeverity == 'Medium', 'Medium',
+                EventOriginalSeverity == 'Low', 'Low',
+                'Informational'
+            ),
+            DvcOriginalAction = coalesce(FileParentDisposition, dynamic(null)),
+            DvcId = coalesce(BpDataDeviceOsMachineUuid, ComputerConnectorGuid),
+            DvcOs = coalesce(strcat(BpDataDeviceOsName, ' ', BpDataDeviceOsEdition), dynamic(null)),
+            DvcOsVersion = coalesce(BpDataDeviceOsBuild, dynamic(null)),
+            DvcDescription = coalesce(BpDataDeviceHwInfoVendorName, dynamic(null)),
+            RuleName = coalesce(Detection, BpDataDetection, dynamic(null)),
+            ThreatId = coalesce(BpDataDetection, dynamic(null)),
+            Hostname = coalesce(ComputerHostname, Hostname),
+            DvcIdType = 'Other',
+            DvcIpAddr = extract_json('$[0].ip', ComputerNetworkAddresses),
+            DvcMacAddr = extract_json('$[0].mac', ComputerNetworkAddresses)
+        | invoke _ASIM_ResolveDvcFQDN("Hostname")
+        | project-away Hostname
+        | mv-apply _a = parse_json(BpDataDetailsMatchedActivityEvents) on (
+            extend
+                DvcDomain = coalesce(tostring(_a.['process:start'].user.domain), tostring(_a.['telemetry:api_invoke'].user.domain)),
+                Username = coalesce(tostring(_a.['process:start'].user.name), tostring(_a.['telemetry:api_invoke'].user.name)),
+                UserId = coalesce(tostring(_a.['process:start'].user.sid), tostring(_a.['telemetry:api_invoke'].user.sid)),
+                FileName = coalesce(tostring(_a.['process:start'].app.original_file_name), tostring(_a.['telemetry:api_invoke'].app.original_file_name)),
+                FilePath = coalesce(tostring(_a.['process:start'].app.path), tostring(_a.['telemetry:api_invoke'].app.path)),
+                ParentFileName = coalesce(tostring(_a.['process:start'].parent_app.original_file_name), tostring(_a.['telemetry:api_invoke'].parent_app.original_file_name)),
+                ParentFilePath = coalesce(tostring(_a.['process:start'].parent_app.path), tostring(_a.['telemetry:api_invoke'].parent_app.path)),
+                ProcessCommandLine = coalesce(tostring(_a.['process:start'].cmd_line), tostring(_a.['telemetry:api_invoke'].cmd_line)),
+                FileSHA256 = coalesce(tostring(_a.['process:start'].app.sha256), tostring(_a.['telemetry:api_invoke'].app.sha256)),
+                FileSize = tolong(coalesce(tostring(_a.['process:start'].app.size), tostring(_a.['telemetry:api_invoke'].app.size))),
+                ParentFileSHA256 = coalesce(tostring(_a.['process:start'].parent_app.sha256), tostring(_a.['telemetry:api_invoke'].parent_app.sha256)),
+                ProcessId = coalesce(tostring(_a.['process:start'].pid), tostring(_a.['telemetry:api_invoke'].pid)),
+                ParentProcessId = coalesce(tostring(_a.['process:start'].parent_pid), tostring(_a.['telemetry:api_invoke'].parent_pid))
+          | project-away _a
+          | project DvcDomain, Username, UserId, FileName, FilePath, ParentFileName, ParentFilePath, ProcessCommandLine, FileSHA256, FileSize, ParentFileSHA256, ProcessId, ParentProcessId
+        )
+        | extend
+            BpDataObservablesFile = parse_json(BpDataObservablesFile),
+            FileName = coalesce(FileFileName, FileName, dynamic(null)),
+            FilePath = coalesce(FileFilePath, FilePath, dynamic(null)),
+            ProcessCommandLine = coalesce(ProcessCommandLine, CommandLineArguments, dynamic(null)),
+            UserIdType = iff(isnotempty(UserId), 'Other', dynamic(null)),
+            DvcAction = case(
+                DvcOriginalAction == 'Clean', 'Allow',
+                DvcOriginalAction == 'Unknown', 'Unknown',
+                'Unknown'
+            ),
+            Username = coalesce(IsolationUser, ComputerUser, Username)
+        | extend
+            FileSHA1 = coalesce(FileIdentitySha1, BpDataObservablesFile.[0].sha1, dynamic(null)),//orginal file always first item in array
+            FileSHA256 = coalesce(FileIdentitySha256, BpDataObservablesFile.[0].sha256, dynamic(null)),
+            FileMD5 = coalesce(FileIdentityMd5, BpDataObservablesFile.[0].md5, dynamic(null)),
+            ParentFileSHA1 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].sha1, dynamic(null)),//parent file always first item in array
+            ParentFileSHA256 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].sha256, dynamic(null)),
+            ParentFileMD5 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].md5, dynamic(null)),
+            UsernameType = iff(isnotempty(Username), 'Simple', dynamic(null))
+        | mv-apply _t = parse_json(Techniques) on (
+            extend Technique = iff(isnotempty(_t), strcat('(',tostring(_t),')'), dynamic(null))
+            | summarize AttackTechniques = strcat_array(make_set(Technique), ', ')
+        )
+        | mv-apply _t = parse_json(Tactics) to typeof(string) on (
+            extend Tactic = iff(
+                isnotempty(_t),
+                replace_strings(
+                    _t,
+                    dynamic(['TA0043', 'TA0042', 'TA0001', 'TA0002', 'TA0003', 'TA0004', 'TA0005', 'TA0006', 'TA0007', 'TA0008', 'TA0009', 'TA0011', 'TA0010', 'TA0040']),
+                    dynamic(['Reconnaissance (TA0043)', 'Resource Development (TA0042)', 'Initial Access (TA0001)', 'Execution (TA0002)', 'Persistence (TA0003)', 'Privilege Escalation (TA0004)', 'Defense Evasion (TA0005)', 'Credential Access (TA0006)', 'Discovery (TA0007)', 'Lateral Movement (TA0008)','Collection (TA0009)', 'Command and Control (TA0011)', 'Exfiltration (TA0010)', 'Impact (TA0040)'])
+                ),
+                ''
+            )
+            | summarize AttackTactics = strcat_array(make_set(Tactic), ', ')
+        )
+        | extend
+            EventProduct = 'Secure Endpoint',
+            EventVendor = 'Cisco',
+            EventSchema = 'AlertEvent',
+            EventSchemaVersion = '0.1',
+            EventType = 'Alert',
+            EventSubType = 'Threat',
+            EventCount = int(1),
+            IndicatorType = 'File'
+        | extend AdditionalFields = bag_pack(
+            'ComputerExternalIp', ComputerExternalIp,
+            'ComputerActive', ComputerActive,
+            'ComputerNetworkAddresses', ComputerNetworkAddresses,
+            'CloudIocShortDescription', CloudIocShortDescription,
+            'BpDataRemediated', BpDataRemediated,
+            'BpDataSilent', BpDataSilent,
+            'BpDataType', BpDataType,
+            'BpDataDetailsActions', BpDataDetailsActions,
+            'BpDataDetailsSigId', BpDataDetailsSigId,
+            'BpDataDetailsSigRev', BpDataDetailsSigRev,
+            'BpDataDetailsSigSetVersion', BpDataDetailsSigSetVersion,
+            'BpDataNormalizedObservablesAll', BpDataNormalizedObservablesAll,
+            'BpDataDetailsMatchedActivityEvents', BpDataDetailsMatchedActivityEvents //full raw
+        )
+        | extend
+            AlertId = EventUid,
+            AlertDescription = EventMessage,
+            Rule = RuleName,
+            Hostname = DvcHostname,
+            IpAddr = DvcIpAddr,
+            User = Username
+        | project-away
+            Techniques,
+            Tactics,
+            Timestamp,
+            TimestampNanoseconds,
+            BpDataDetailsEngVer,
+            ComputerUser,
+            Detection*,
+            Start*,
+            FileFile*,
+            FileDisposition,
+            BpData*,
+            CommandLineArguments,
+            FileIdentity*,
+            FileParent*,
+            ConnectorGuid,
+            ComputerHostname,
+            ComputerConnectorGuid,
+            ComputerLinksComputer,
+            EventReportUrl,
+            ComputerLinksGroup,
+            CloudIocDescription,
+            GroupGuids,
+            CloudIocShortDescription,
+            ComputerNetworkAddresses,
+            ComputerActive,
+            ComputerExternalIp
+    };
+    CiscoSEParser(
+        disabled = disabled
+    )

Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml

@@ -1,7 +1,7 @@
 Parser:
   Title: Alert Event ASIM filtering parser
-  Version: '0.1.0'
-  LastUpdated: Mar 11 2024
+  Version: '0.1.1'
+  LastUpdated: Mar 04 2026
 Product:
   Name: Source agnostic
 Normalization:
@@ -73,6 +73,7 @@ ParserQuery: |
   union isfuzzy=true
     vimAlertEventEmpty,
     vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),
-    vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers))))
+    vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))),
+    vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers))))
   };
   parser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)