1+ Parser :
2+ Title : Alert Event ASIM parser for Cisco Secure Endpoint
3+ Version : ' 0.1.0'
4+ LastUpdated : Mar 04, 2026
5+ Product :
6+ Name : Cisco Secure Endpoint
7+ Normalization :
8+ Schema : AlertEvent
9+ Version : ' 0.1'
10+ References :
11+ - Title : ASIM Alert Schema
12+ Link : https://aka.ms/ASimAlertEventDoc
13+ - Title : ASIM
14+ Link : https://aka.ms/AboutASIM
15+ - Title : Developer
16+ Link : https://www.bluevoyant.com/
17+ Description : |
18+ This ASIM parser supports normalizing the Cisco Secure Endpoint logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
19+ ParserName : ASimAlertEventCiscoSecureEndpoint
20+ EquivalentBuiltInParser :
21+ ParserParams :
22+ - Name : disabled
23+ Type : bool
24+ Default : false
25+ ParserQuery : |
26+ let CiscoSEParser = (
27+ disabled: bool=false
28+ )
29+ {
30+ CiscoSecureEndpointEventsV2_CL
31+ | where not(disabled)
32+ | where isnotempty(Severity) //Filter in only security events and not operational logs
33+ | extend
34+ EventUid = tostring(Id),
35+ EventOriginalType = tostring(EventTypeId)
36+ | project-rename
37+ EventOriginalSeverity = Severity,
38+ EventEndTime = Date,
39+ EventReportUrl = ComputerLinksTrajectory,
40+ AlertName = EventType
41+ | extend
42+ EventMessage = coalesce(CloudIocDescription, CloudIocShortDescription, BpDataName, Detection),
43+ EventProductVersion = coalesce(BpDataDetailsEngVer, 'Cloud'),
44+ EventStartTime = unixtime_seconds_todatetime(Timestamp),
45+ EventOriginalUid = coalesce(BpDataId, DetectionId, dynamic(null)),
46+ EventSeverity = case(
47+ EventOriginalSeverity in ('Critical', 'High'), 'High',
48+ EventOriginalSeverity == 'Medium', 'Medium',
49+ EventOriginalSeverity == 'Low', 'Low',
50+ 'Informational'
51+ ),
52+ DvcOriginalAction = coalesce(FileParentDisposition, dynamic(null)),
53+ DvcId = coalesce(BpDataDeviceOsMachineUuid, ComputerConnectorGuid),
54+ DvcOs = coalesce(strcat(BpDataDeviceOsName, ' ', BpDataDeviceOsEdition), dynamic(null)),
55+ DvcOsVersion = coalesce(BpDataDeviceOsBuild, dynamic(null)),
56+ DvcDescription = coalesce(BpDataDeviceHwInfoVendorName, dynamic(null)),
57+ RuleName = coalesce(Detection, BpDataDetection, dynamic(null)),
58+ ThreatId = coalesce(BpDataDetection, dynamic(null)),
59+ Hostname = coalesce(ComputerHostname, Hostname),
60+ DvcIdType = 'Other',
61+ DvcIpAddr = extract_json('$[0].ip', ComputerNetworkAddresses),
62+ DvcMacAddr = extract_json('$[0].mac', ComputerNetworkAddresses)
63+ | invoke _ASIM_ResolveDvcFQDN("Hostname")
64+ | project-away Hostname
65+ | mv-apply _a = parse_json(BpDataDetailsMatchedActivityEvents) on (
66+ extend
67+ DvcDomain = coalesce(tostring(_a.['process:start'].user.domain), tostring(_a.['telemetry:api_invoke'].user.domain)),
68+ Username = coalesce(tostring(_a.['process:start'].user.name), tostring(_a.['telemetry:api_invoke'].user.name)),
69+ UserId = coalesce(tostring(_a.['process:start'].user.sid), tostring(_a.['telemetry:api_invoke'].user.sid)),
70+ FileName = coalesce(tostring(_a.['process:start'].app.original_file_name), tostring(_a.['telemetry:api_invoke'].app.original_file_name)),
71+ FilePath = coalesce(tostring(_a.['process:start'].app.path), tostring(_a.['telemetry:api_invoke'].app.path)),
72+ ParentFileName = coalesce(tostring(_a.['process:start'].parent_app.original_file_name), tostring(_a.['telemetry:api_invoke'].parent_app.original_file_name)),
73+ ParentFilePath = coalesce(tostring(_a.['process:start'].parent_app.path), tostring(_a.['telemetry:api_invoke'].parent_app.path)),
74+ ProcessCommandLine = coalesce(tostring(_a.['process:start'].cmd_line), tostring(_a.['telemetry:api_invoke'].cmd_line)),
75+ FileSHA256 = coalesce(tostring(_a.['process:start'].app.sha256), tostring(_a.['telemetry:api_invoke'].app.sha256)),
76+ FileSize = tolong(coalesce(tostring(_a.['process:start'].app.size), tostring(_a.['telemetry:api_invoke'].app.size))),
77+ ParentFileSHA256 = coalesce(tostring(_a.['process:start'].parent_app.sha256), tostring(_a.['telemetry:api_invoke'].parent_app.sha256)),
78+ ProcessId = coalesce(tostring(_a.['process:start'].pid), tostring(_a.['telemetry:api_invoke'].pid)),
79+ ParentProcessId = coalesce(tostring(_a.['process:start'].parent_pid), tostring(_a.['telemetry:api_invoke'].parent_pid))
80+ | project-away _a
81+ | project DvcDomain, Username, UserId, FileName, FilePath, ParentFileName, ParentFilePath, ProcessCommandLine, FileSHA256, FileSize, ParentFileSHA256, ProcessId, ParentProcessId
82+ )
83+ | extend
84+ BpDataObservablesFile = parse_json(BpDataObservablesFile),
85+ FileName = coalesce(FileFileName, FileName, dynamic(null)),
86+ FilePath = coalesce(FileFilePath, FilePath, dynamic(null)),
87+ ProcessCommandLine = coalesce(ProcessCommandLine, CommandLineArguments, dynamic(null)),
88+ UserIdType = iff(isnotempty(UserId), 'Other', dynamic(null)),
89+ DvcAction = case(
90+ DvcOriginalAction == 'Clean', 'Allow',
91+ DvcOriginalAction == 'Unknown', 'Unknown',
92+ 'Unknown'
93+ ),
94+ Username = coalesce(IsolationUser, ComputerUser, Username)
95+ | extend
96+ FileSHA1 = coalesce(FileIdentitySha1, BpDataObservablesFile.[0].sha1, dynamic(null)),//orginal file always first item in array
97+ FileSHA256 = coalesce(FileIdentitySha256, BpDataObservablesFile.[0].sha256, dynamic(null)),
98+ FileMD5 = coalesce(FileIdentityMd5, BpDataObservablesFile.[0].md5, dynamic(null)),
99+ ParentFileSHA1 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].sha1, dynamic(null)),//parent file always first item in array
100+ ParentFileSHA256 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].sha256, dynamic(null)),
101+ ParentFileMD5 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].md5, dynamic(null)),
102+ UsernameType = iff(isnotempty(Username), 'Simple', dynamic(null))
103+ | mv-apply _t = parse_json(Techniques) on (
104+ extend Technique = iff(isnotempty(_t), strcat('(',tostring(_t),')'), dynamic(null))
105+ | summarize AttackTechniques = strcat_array(make_set(Technique), ', ')
106+ )
107+ | mv-apply _t = parse_json(Tactics) to typeof(string) on (
108+ extend Tactic = iff(
109+ isnotempty(_t),
110+ replace_strings(
111+ _t,
112+ dynamic(['TA0043', 'TA0042', 'TA0001', 'TA0002', 'TA0003', 'TA0004', 'TA0005', 'TA0006', 'TA0007', 'TA0008', 'TA0009', 'TA0011', 'TA0010', 'TA0040']),
113+ dynamic(['Reconnaissance (TA0043)', 'Resource Development (TA0042)', 'Initial Access (TA0001)', 'Execution (TA0002)', 'Persistence (TA0003)', 'Privilege Escalation (TA0004)', 'Defense Evasion (TA0005)', 'Credential Access (TA0006)', 'Discovery (TA0007)', 'Lateral Movement (TA0008)','Collection (TA0009)', 'Command and Control (TA0011)', 'Exfiltration (TA0010)', 'Impact (TA0040)'])
114+ ),
115+ ''
116+ )
117+ | summarize AttackTactics = strcat_array(make_set(Tactic), ', ')
118+ )
119+ | extend
120+ EventProduct = 'Secure Endpoint',
121+ EventVendor = 'Cisco',
122+ EventSchema = 'AlertEvent',
123+ EventSchemaVersion = '0.1',
124+ EventType = 'Alert',
125+ EventSubType = 'Threat',
126+ EventCount = int(1),
127+ IndicatorType = 'File'
128+ | extend AdditionalFields = bag_pack(
129+ 'ComputerExternalIp', ComputerExternalIp,
130+ 'ComputerActive', ComputerActive,
131+ 'ComputerNetworkAddresses', ComputerNetworkAddresses,
132+ 'CloudIocShortDescription', CloudIocShortDescription,
133+ 'BpDataRemediated', BpDataRemediated,
134+ 'BpDataSilent', BpDataSilent,
135+ 'BpDataType', BpDataType,
136+ 'BpDataDetailsActions', BpDataDetailsActions,
137+ 'BpDataDetailsSigId', BpDataDetailsSigId,
138+ 'BpDataDetailsSigRev', BpDataDetailsSigRev,
139+ 'BpDataDetailsSigSetVersion', BpDataDetailsSigSetVersion,
140+ 'BpDataNormalizedObservablesAll', BpDataNormalizedObservablesAll,
141+ 'BpDataDetailsMatchedActivityEvents', BpDataDetailsMatchedActivityEvents //full raw
142+ )
143+ | extend
144+ AlertId = EventUid,
145+ AlertDescription = EventMessage,
146+ Rule = RuleName,
147+ Hostname = DvcHostname,
148+ IpAddr = DvcIpAddr,
149+ User = Username
150+ | project-away
151+ Techniques,
152+ Tactics,
153+ Timestamp,
154+ TimestampNanoseconds,
155+ BpDataDetailsEngVer,
156+ ComputerUser,
157+ Detection*,
158+ Start*,
159+ FileFile*,
160+ FileDisposition,
161+ BpData*,
162+ CommandLineArguments,
163+ FileIdentity*,
164+ FileParent*,
165+ ConnectorGuid,
166+ ComputerHostname,
167+ ComputerConnectorGuid,
168+ ComputerLinksComputer,
169+ EventReportUrl,
170+ ComputerLinksGroup,
171+ CloudIocDescription,
172+ GroupGuids,
173+ CloudIocShortDescription,
174+ ComputerNetworkAddresses,
175+ ComputerActive,
176+ ComputerExternalIp
177+ };
178+ CiscoSEParser(
179+ disabled = disabled
180+ )
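Review bot: Lines 99–101 populate ParentFileSHA1 and ParentFileSHA256 from FileParentIdentityMd5, so an MD5 digest lands in the SHA-1 and SHA-256 fields whenever that column is set and the array fallback never runs; only ParentFileMD5 should read the MD5 column, while the other two should read the parent SHA-1/SHA-256 source columns (the parent counterparts of FileIdentitySha1/FileIdentitySha256 — confirm the connector exposes them, since FileParent* is projected away wholesale on line 164). The comment on line 99 says the parent is the first item but the code indexes `[1]`, so it should read `//parent file is the second item in the array`. Separately, the mv-apply on lines 65–82 has no summarize inside it, so an alert whose BpDataDetailsMatchedActivityEvents holds several events is emitted once per event, and an event with an empty or null array may be dropped by mv-apply altogether — presumably the Cloud IOC detections without BpData fields that the Severity filter on line 32 is meant to keep; worth verifying against sample data. Line 54's `strcat(BpDataDeviceOsName, ' ', BpDataDeviceOsEdition)` yields a single space rather than null when both inputs are empty, so the coalesce fallback never applies; `DvcOs = iff(isempty(BpDataDeviceOsName) and isempty(BpDataDeviceOsEdition), '', strcat(BpDataDeviceOsName, ' ', BpDataDeviceOsEdition))` keeps the field empty in that case.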