ASIM updater: update empty tables tool

Author: oshezaf

.github/workflows/asim-schema-updater.yml

@@ -0,0 +1,95 @@
+name: ASIM Schema Updater
+
+on:
+  # Run weekly on Sundays at midnight UTC
+  schedule:
+    - cron: '0 0 * * 0'
+  
+  # Run on push when relevant files change
+  push:
+    branches:
+      - master
+      - main
+    paths:
+      - 'ASIM/dev/ASimTester/ASimTester.csv'
+      - 'Parsers/ASim*/Parsers/vim*Empty.yaml'
+      - 'ASIM/tools/ASIM Updater/**'
+  
+  # Run on pull requests for validation
+  pull_request:
+    branches:
+      - master
+      - main
+    paths:
+      - 'ASIM/dev/ASimTester/ASimTester.csv'
+      - 'Parsers/ASim*/Parsers/vim*Empty.yaml'
+      - 'ASIM/tools/ASIM Updater/**'
+  
+  # Allow manual trigger
+  workflow_dispatch:
+
+jobs:
+  update-empty-parsers:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+      
+      - name: Run empty parser updater (dry-run for PRs)
+        if: github.event_name == 'pull_request'
+        run: |
+          python "ASIM/tools/ASIM Updater/update_empty_parsers.py" --dry-run --verbose
+        continue-on-error: false
+      
+      - name: Run empty parser updater
+        if: github.event_name != 'pull_request'
+        run: |
+          python "ASIM/tools/ASIM Updater/update_empty_parsers.py" --verbose
+      
+      - name: Check for changes
+        if: github.event_name != 'pull_request'
+        id: check-changes
+        run: |
+          if git diff --quiet; then
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+            git diff --stat
+          fi
+      
+      - name: Create Pull Request
+        if: github.event_name != 'pull_request' && steps.check-changes.outputs.has_changes == 'true'
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: 'chore: Update ASIM empty parsers to match schema'
+          title: '[Automated] Update ASIM empty parsers'
+          body: |
+            This PR was automatically generated by the ASIM Schema Updater workflow.
+            
+            ## Changes
+            
+            Updated empty parser files to match the field definitions in `ASIM/dev/ASimTester/ASimTester.csv`.
+            
+            ## Review Checklist
+            
+            - [ ] Verify added fields are correct for each schema
+            - [ ] Verify removed fields should no longer be in the schema
+            - [ ] Verify type changes are correct
+            
+            ---
+            *This PR was automatically created by the [ASIM Schema Updater](.github/workflows/asim-schema-updater.yml) workflow.*
+          branch: automated/asim-empty-parser-update
+          delete-branch: true
+          labels: |
+            automated
+            asim
+            schema-update

ASIM/dev/Forked Repos PRs/README.MD

@@ -0,0 +1,69 @@
+# ASIM Schema Updater Tools
+
+This directory contains tools to maintain ASIM (Advanced Security Information Model) schema consistency across the Azure-Sentinel repository.
+
+## Tools
+
+### update_empty_parsers.py
+
+Updates empty parser YAML files (`vim*Empty.yaml`) to match the field definitions in `ASIM/dev/ASimTester/ASimTester.csv`.
+
+**Key Features:**
+- **Surgical edits**: Instead of regenerating entire datatables, makes minimal changes (add, remove, modify) for easier code review
+- **Preserves formatting**: Maintains the existing code style and comments
+- **Schema-aware**: Handles schema inheritance (Common fields apply to all schemas)
+- **Dry-run support**: Preview changes before applying them
+
+**Usage:**
+
+```bash
+# Preview changes (dry-run)
+python update_empty_parsers.py --dry-run
+
+# Apply changes to all empty parsers
+python update_empty_parsers.py
+
+# Update a specific parser
+python update_empty_parsers.py --parser "/path/to/vimAuditEventEmpty.yaml"
+
+# Verbose output
+python update_empty_parsers.py --verbose
+```
+
+**Options:**
+- `--repo-root`: Root directory of the Azure-Sentinel repository (auto-detected if not specified)
+- `--csv-path`: Path to ASimTester.csv (auto-detected if not specified)
+- `--dry-run`: Show what would be changed without making changes
+- `--parser`: Update only the specified parser file
+- `--verbose`, `-v`: Show detailed output including files with no changes
+
+## GitHub Workflow
+
+The tools are automatically run via GitHub Actions:
+- **Scheduled**: Weekly on Sundays at midnight UTC
+- **On push**: When relevant files are changed (CSV schema or empty parsers)
+
+See `.github/workflows/asim-schema-updater.yml` for the workflow configuration.
+
+## Schema Source
+
+The canonical schema definitions are in `ASIM/dev/ASimTester/ASimTester.csv`, which contains:
+- `ColumnName`: Field name
+- `ColumnType`: Data type (string, int, datetime, etc.)
+- `Class`: Field class (Mandatory, Recommended, Optional, Conditional, Alias)
+- `Schema`: Schema name (AuditEvent, NetworkSession, Dns, etc.)
+- `LogicalType`: Logical type hint
+- `ListOfValues`: Allowed values for enumerated fields
+- `Aliased`: Field this is an alias for (if Class is Alias)
+
+## Empty Parsers
+
+Empty parsers are located at:
+```
+Parsers/ASim*/Parsers/vim*Empty.yaml
+```
+
+They define the schema structure using an empty KQL datatable and are used for:
+- Schema validation
+- Union operations in parsers
+- Documentation generation