Microsoft comments - updates

Author: Steve1145

Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventCiscoSecureEndpoint.md

@@ -0,0 +1,5 @@
+# Changelog for ASimAlertEventCiscoSecureEndpoint.yaml
+
+## Version 0.1.0
+
+- (2026-03-04) Cisco Secure Endpoint - AlertEvent ASIM Parser - [PR #13741](https://github.com/Azure/Azure-Sentinel/pull/13741)

Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventCiscoSecureEndpoint.md

@@ -0,0 +1,5 @@
+# Changelog for vimAlertEventCiscoSecureEndpoint.yaml
+
+## Version 0.1.0
+
+- (2026-03-04) Cisco Secure Endpoint - AlertEvent ASIM Parser - [PR #13741](https://github.com/Azure/Azure-Sentinel/pull/13741)

Parsers/ASimAlertEvent/Parsers/ASimAlertEventCiscoSecureEndpoint.yaml

@@ -22,9 +22,13 @@ ParserParams:
   - Name: disabled
     Type: bool
     Default: false
+  - Name: pack
+    Type: bool
+    Default: false
 ParserQuery: |
     let CiscoSEParser = (
-        disabled: bool=false
+        disabled: bool=false,
+        pack: bool=false
     )
     {
         CiscoSecureEndpointEventsV2_CL
@@ -125,20 +129,24 @@ ParserQuery: |
             EventSubType = 'Threat',
             EventCount = int(1),
             IndicatorType = 'File'
-        | extend AdditionalFields = bag_pack(
-            'ComputerExternalIp', ComputerExternalIp,
-            'ComputerActive', ComputerActive,
-            'ComputerNetworkAddresses', ComputerNetworkAddresses,
-            'CloudIocShortDescription', CloudIocShortDescription,
-            'BpDataRemediated', BpDataRemediated,
-            'BpDataSilent', BpDataSilent,
-            'BpDataType', BpDataType,
-            'BpDataDetailsActions', BpDataDetailsActions,
-            'BpDataDetailsSigId', BpDataDetailsSigId,
-            'BpDataDetailsSigRev', BpDataDetailsSigRev,
-            'BpDataDetailsSigSetVersion', BpDataDetailsSigSetVersion,
-            'BpDataNormalizedObservablesAll', BpDataNormalizedObservablesAll,
-            'BpDataDetailsMatchedActivityEvents', BpDataDetailsMatchedActivityEvents //full raw
+        | extend AdditionalFields = iff (
+            pack,
+            bag_pack(
+                'ComputerExternalIp', ComputerExternalIp,
+                'ComputerActive', ComputerActive,
+                'ComputerNetworkAddresses', ComputerNetworkAddresses,
+                'CloudIocShortDescription', CloudIocShortDescription,
+                'BpDataRemediated', BpDataRemediated,
+                'BpDataSilent', BpDataSilent,
+                'BpDataType', BpDataType,
+                'BpDataDetailsActions', BpDataDetailsActions,
+                'BpDataDetailsSigId', BpDataDetailsSigId,
+                'BpDataDetailsSigRev', BpDataDetailsSigRev,
+                'BpDataDetailsSigSetVersion', BpDataDetailsSigSetVersion,
+                'BpDataNormalizedObservablesAll', BpDataNormalizedObservablesAll,
+                'BpDataDetailsMatchedActivityEvents', BpDataDetailsMatchedActivityEvents //full raw
+            ),
+            dynamic([])
         )
         | extend
             AlertId = EventUid,
@@ -147,34 +155,67 @@ ParserQuery: |
             Hostname = DvcHostname,
             IpAddr = DvcIpAddr,
             User = Username
-        | project-away
-            Techniques,
-            Tactics,
-            Timestamp,
-            TimestampNanoseconds,
-            BpDataDetailsEngVer,
-            ComputerUser,
-            Detection*,
-            Start*,
-            FileFile*,
-            FileDisposition,
-            BpData*,
-            CommandLineArguments,
-            FileIdentity*,
-            FileParent*,
-            ConnectorGuid,
-            ComputerHostname,
-            ComputerConnectorGuid,
-            ComputerLinksComputer,
+        | project
+            EventUid,
+            EventOriginalType,
+            EventOriginalSeverity,
+            EventEndTime,
             EventReportUrl,
-            ComputerLinksGroup,
-            CloudIocDescription,
-            GroupGuids,
-            CloudIocShortDescription,
-            ComputerNetworkAddresses,
-            ComputerActive,
-            ComputerExternalIp
+            AlertName,
+            EventMessage,
+            EventProductVersion,
+            EventStartTime,
+            EventOriginalUid,
+            EventSeverity,
+            DvcOriginalAction,
+            DvcId,
+            DvcOs,
+            DvcOsVersion,
+            DvcDescription,
+            RuleName,
+            ThreatId,
+            Hostname,
+            DvcIdType,
+            DvcIpAddr,
+            DvcMacAddr,
+            DvcDomain,
+            Username,
+            UserId,
+            FileName,
+            FilePath,
+            ParentFileName,
+            ParentFilePath,
+            ProcessCommandLine,
+            FileSHA256,
+            FileSize,
+            ParentFileSHA256,
+            ProcessId,
+            ParentProcessId,
+            UserIdType,
+            DvcAction,
+            FileSHA1,
+            FileMD5,
+            ParentFileSHA1,
+            ParentFileMD5,
+            UsernameType,
+            AttackTechniques,
+            AttackTactics,
+            EventProduct,
+            EventVendor,
+            EventSchema,
+            EventSchemaVersion,
+            EventType,
+            EventSubType,
+            EventCount,
+            IndicatorType,
+            AdditionalFields,
+            AlertId,
+            AlertDescription,
+            Rule,
+            IpAddr,
+            User
     };
     CiscoSEParser(
-        disabled = disabled
+        disabled = disabled,
+        pack = pack
     )

Parsers/ASimAlertEvent/Parsers/vimAlertEventCiscoSecureEndpoint.yaml

@@ -52,6 +52,9 @@ ParserParams:
   - Name: disabled
     Type: bool
     Default: false
+  - Name: pack
+    Type: bool
+    Default: false
 ParserQuery: |
     let CiscoSEParser = (
         starttime: datetime=datetime(null),
@@ -64,7 +67,8 @@ ParserQuery: |
         threatcategory_has_any: dynamic=dynamic([]),
         alertverdict_has_any: dynamic=dynamic([]),
         eventseverity_has_any: dynamic=dynamic([]),
-        disabled:bool=false
+        disabled: bool=false,
+        pack: bool=false
     )
     {
         CiscoSecureEndpointEventsV2_CL
@@ -182,20 +186,24 @@ ParserQuery: |
             EventSubType = 'Threat',
             EventCount = int(1),
             IndicatorType = 'File'
-        | extend AdditionalFields = bag_pack(
-            'ComputerExternalIp', ComputerExternalIp,
-            'ComputerActive', ComputerActive,
-            'ComputerNetworkAddresses', ComputerNetworkAddresses,
-            'CloudIocShortDescription', CloudIocShortDescription,
-            'BpDataRemediated', BpDataRemediated,
-            'BpDataSilent', BpDataSilent,
-            'BpDataType', BpDataType,
-            'BpDataDetailsActions', BpDataDetailsActions,
-            'BpDataDetailsSigId', BpDataDetailsSigId,
-            'BpDataDetailsSigRev', BpDataDetailsSigRev,
-            'BpDataDetailsSigSetVersion', BpDataDetailsSigSetVersion,
-            'BpDataNormalizedObservablesAll', BpDataNormalizedObservablesAll,
-            'BpDataDetailsMatchedActivityEvents', BpDataDetailsMatchedActivityEvents //full raw
+        | extend AdditionalFields = iff (
+            pack,
+            bag_pack(
+                'ComputerExternalIp', ComputerExternalIp,
+                'ComputerActive', ComputerActive,
+                'ComputerNetworkAddresses', ComputerNetworkAddresses,
+                'CloudIocShortDescription', CloudIocShortDescription,
+                'BpDataRemediated', BpDataRemediated,
+                'BpDataSilent', BpDataSilent,
+                'BpDataType', BpDataType,
+                'BpDataDetailsActions', BpDataDetailsActions,
+                'BpDataDetailsSigId', BpDataDetailsSigId,
+                'BpDataDetailsSigRev', BpDataDetailsSigRev,
+                'BpDataDetailsSigSetVersion', BpDataDetailsSigSetVersion,
+                'BpDataNormalizedObservablesAll', BpDataNormalizedObservablesAll,
+                'BpDataDetailsMatchedActivityEvents', BpDataDetailsMatchedActivityEvents //full raw
+            ),
+            dynamic([])
         )
         | extend
             AlertId = EventUid,
@@ -204,33 +212,65 @@ ParserQuery: |
             Hostname = DvcHostname,
             IpAddr = DvcIpAddr,
             User = Username
-        | project-away
-            Techniques,
-            Tactics,
-            Timestamp,
-            TimestampNanoseconds,
-            BpDataDetailsEngVer,
-            ComputerUser,
-            Detection*,
-            Start*,
-            FileFile*,
-            FileDisposition,
-            BpData*,
-            CommandLineArguments,
-            FileIdentity*,
-            FileParent*,
-            ConnectorGuid,
-            ComputerHostname,
-            ComputerConnectorGuid,
-            ComputerLinksComputer,
+        | project
+            EventUid,
+            EventOriginalType,
+            EventOriginalSeverity,
+            EventEndTime,
             EventReportUrl,
-            ComputerLinksGroup,
-            CloudIocDescription,
-            GroupGuids,
-            CloudIocShortDescription,
-            ComputerNetworkAddresses,
-            ComputerActive,
-            ComputerExternalIp
+            AlertName,
+            EventMessage,
+            EventProductVersion,
+            EventStartTime,
+            EventOriginalUid,
+            EventSeverity,
+            DvcOriginalAction,
+            DvcId,
+            DvcOs,
+            DvcOsVersion,
+            DvcDescription,
+            RuleName,
+            ThreatId,
+            Hostname,
+            DvcIdType,
+            DvcIpAddr,
+            DvcMacAddr,
+            DvcDomain,
+            Username,
+            UserId,
+            FileName,
+            FilePath,
+            ParentFileName,
+            ParentFilePath,
+            ProcessCommandLine,
+            FileSHA256,
+            FileSize,
+            ParentFileSHA256,
+            ProcessId,
+            ParentProcessId,
+            UserIdType,
+            DvcAction,
+            FileSHA1,
+            FileMD5,
+            ParentFileSHA1,
+            ParentFileMD5,
+            UsernameType,
+            AttackTechniques,
+            AttackTactics,
+            EventProduct,
+            EventVendor,
+            EventSchema,
+            EventSchemaVersion,
+            EventType,
+            EventSubType,
+            EventCount,
+            IndicatorType,
+            AdditionalFields,
+            AlertId,
+            AlertDescription,
+            Rule,
+            IpAddr,
+            User
     };
     CiscoSEParser(
         starttime = starttime,
@@ -243,5 +283,6 @@ ParserQuery: |
         threatcategory_has_any = threatcategory_has_any,
         alertverdict_has_any = alertverdict_has_any,
         eventseverity_has_any = eventseverity_has_any,
-        disabled = disabled
+        disabled = disabled,
+        pack = pack
     )