
Commit bc3fc8d

author
github-actions[bot]
committed
[ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.
1 parent eaf87ff commit bc3fc8d


7 files changed

+156
-2
lines changed


Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@
2727
"displayName": "Authentication ASIM parser",
2828
"category": "ASIM",
2929
"FunctionAlias": "ASimAuthentication",
30-
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n 
ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack)\n",
30+
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoIOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoIOS' in (DisabledParsers) )),\n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n 
ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n ASimAuthenticationVMwareVCenter (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareVCenter' in (DisabledParsers) ), pack=pack),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoPanOS (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoPanOS' in (DisabledParsers) ), pack=pack)\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ))\n",
3131
"version": 1,
3232
"functionParameters": "pack:bool=False"
3333
}
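Review bot: The new union operand on the `30+` line is not separated from the one before it — the added `ASimAuthenticationPaloAltoGlobalProtect (...)` follows `ASimAuthenticationPaloAltoPanOS (... ), pack=pack)` with only `\n ` between them and no comma, so the operand list of `union isfuzzy=true` does not parse and the whole ASimAuthentication function will fail rather than just skip the new source. The tail of the string should read `..., pack=pack),\n ASimAuthenticationPaloAltoGlobalProtect (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoGlobalProtect' in (DisabledParsers) ))\n`. Since the commit message says these ARM templates are generated from the KQL function YAML files, the missing comma is presumably in the generating YAML's union list and should be fixed there so the next generation run does not reintroduce it. The new source parser also declares a `pack` parameter, but unlike the VMwareVCenter and PaloAltoPanOS operands it is not invoked with `pack=pack`, so the parent's `pack` flag will presumably not reach it — confirm whether that is intended.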
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
3+
"contentVersion": "1.0.0.0",
4+
"parameters": {
5+
"Workspace": {
6+
"type": "string",
7+
"metadata": {
8+
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
9+
}
10+
},
11+
"WorkspaceRegion": {
12+
"type": "string",
13+
"defaultValue": "[resourceGroup().location]",
14+
"metadata": {
15+
"description": "The region of the selected workspace. The default value will use the Region selection above."
16+
}
17+
}
18+
},
19+
"resources": [
20+
{
21+
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
22+
"apiVersion": "2020-08-01",
23+
"name": "[concat(parameters('Workspace'), '/ASimAuthenticationPaloAltoGlobalProtect')]",
24+
"location": "[parameters('WorkspaceRegion')]",
25+
"properties": {
26+
"etag": "*",
27+
"displayName": "Authentication ASIM parser for Palo Alto PAN-OS GlobalProtect",
28+
"category": "ASIM",
29+
"FunctionAlias": "ASimAuthenticationPaloAltoGlobalProtect",
30+
"query": "let EventSeverityLookup = datatable (LogSeverity: string, EventSeverity: string)\n[\n \"0\", \"Low\",\n \"1\", \"Low\",\n \"2\", \"Low\",\n \"3\", \"Low\",\n \"4\", \"Low\",\n \"5\", \"Low\",\n \"6\", \"Medium\",\n \"7\", \"Medium\",\n \"8\", \"Medium\",\n \"9\", \"High\",\n \"10\", \"High\",\n \"Informational\", \"Informational\"\n];\nlet parser = (disabled: bool=false, pack: bool=false) {\n CommonSecurityLog\n | where not(disabled)\n and DeviceVendor == \"Palo Alto Networks\"\n and DeviceProduct == \"PAN-OS\"\n and DeviceEventClassID == \"GLOBALPROTECT\"\n | where AdditionalExtensions has_any (\"gateway-login\", \"gateway-logout\", \"gateway-auth\", \"portal-auth\", \"portal-prelogin\", \"gateway-connected\")\n | parse-kv AdditionalExtensions as (\n PanOSEventID: string,\n PanOSStage: string,\n PanOSLogTimeStamp: string,\n PanOSAuthMethod: string,\n PanOSTunnelType: string,\n PanOSSourceUserName: string,\n PanOSSourceRegion: string,\n PanOSEndpointDeviceName: string,\n PanOSPublicIPv4: string,\n PanOSPublicIPv6: string,\n PanOSPrivateIPv4: string,\n PanOSPrivateIPv6: string,\n PanOSHostID: string,\n PanOSGlobalProtectClientVersion: string,\n PanOSEndpointOSType: string,\n PanOSEndpointOSVersion: string,\n PanOSEventStatus: string,\n PanOSGPGatewayLocation: string,\n PanOSPortal: string,\n PanOSLoginDuration: string,\n PanOSConnectionError: string,\n PanOSDescription: string,\n PanOSDeviceSN: string,\n PanOSVirtualSystem: string\n ) with (pair_delimiter=\";\", kv_delimiter=\"=\")\n | extend EventType = case(\n PanOSEventID =~ \"gateway-login\", \"Logon\",\n PanOSEventID =~ \"gateway-logout\", \"Logoff\",\n PanOSEventID =~ \"gateway-auth\", \"Logon\",\n PanOSEventID =~ \"portal-auth\", \"Logon\",\n PanOSEventID =~ \"portal-prelogin\", \"Logon\",\n PanOSEventID =~ \"gateway-connected\", \"Logon\",\n \"\"\n )\n | where isnotempty(EventType)\n | extend LogonMethod = case(\n PanOSAuthMethod =~ \"LDAP\", \"Username & Password\",\n PanOSAuthMethod =~ 
\"RADIUS\", \"Username & Password\",\n PanOSAuthMethod =~ \"SAML\", \"Other\",\n PanOSAuthMethod =~ \"certificate\", \"PKI\",\n PanOSAuthMethod =~ \"local-database\", \"Username & Password\",\n PanOSAuthMethod =~ \"Kerberos\", \"Username & Password\",\n PanOSAuthMethod =~ \"TACACS+\", \"Username & Password\",\n PanOSAuthMethod =~ \"Cookie\", \"Other\",\n \"\"\n )\n | invoke _ASIM_ResolveDvcFQDN('DeviceName')\n | invoke _ASIM_ResolveSrcFQDN('PanOSEndpointDeviceName')\n | lookup EventSeverityLookup on LogSeverity\n | extend EventSeverity = iif(isempty(EventSeverity), \"Informational\", EventSeverity)\n | extend\n EventResult = case(\n PanOSEventStatus =~ \"success\", \"Success\",\n PanOSEventStatus =~ \"failure\", \"Failure\",\n isnotempty(PanOSConnectionError), \"Failure\",\n \"Success\"\n ),\n EventResultDetails = case(\n PanOSConnectionError has \"auth\", \"No such user or password\",\n PanOSConnectionError has \"expired\", \"Session expired\",\n PanOSConnectionError has \"timeout\", \"Session expired\",\n PanOSConnectionError has \"cert\", \"Incorrect key\",\n PanOSConnectionError has \"policy\", \"Logon violates policy\",\n PanOSConnectionError has \"locked\", \"User locked\",\n PanOSConnectionError has \"disabled\", \"User disabled\",\n isnotempty(PanOSConnectionError), \"Other\",\n \"\"\n ),\n TargetUsername = coalesce(SourceUserName, PanOSSourceUserName),\n SrcIpAddr = coalesce(SourceIP, PanOSPublicIPv4, PanOSPublicIPv6),\n EventStartTime = coalesce(todatetime(PanOSLogTimeStamp), TimeGenerated),\n EventMessage = Message,\n SrcDvcOs = coalesce(PanOSEndpointOSVersion, PanOSEndpointOSType),\n TargetAppName = coalesce(PanOSPortal, \"GlobalProtect\"),\n TargetAppType = \"Service\",\n AdditionalFields = iff(\n pack,\n bag_pack(\n \"PanOSPortal\", PanOSPortal,\n \"PanOSGPGatewayLocation\", PanOSGPGatewayLocation,\n \"PanOSTunnelType\", PanOSTunnelType,\n \"PanOSGlobalProtectClientVersion\", PanOSGlobalProtectClientVersion,\n \"PanOSLoginDuration\", 
PanOSLoginDuration,\n \"PanOSHostID\", PanOSHostID,\n \"PanOSSourceRegion\", PanOSSourceRegion,\n \"PanOSVirtualSystem\", PanOSVirtualSystem,\n \"PanOSDescription\", PanOSDescription,\n \"PanOSPrivateIPv4\", PanOSPrivateIPv4,\n \"PanOSPrivateIPv6\", PanOSPrivateIPv6,\n \"PanOSDeviceSN\", PanOSDeviceSN,\n \"PanOSStage\", PanOSStage\n ),\n dynamic([])\n )\n | project-rename\n DvcIpAddr = Computer,\n DvcId = DeviceExternalID,\n EventOriginalSeverity = LogSeverity,\n EventOriginalType = DeviceEventClassID,\n EventOriginalUid = ExtID,\n EventProductVersion = DeviceVersion,\n EventOriginalSubType = PanOSEventID,\n EventOriginalResultDetails = PanOSConnectionError,\n LogonProtocol = PanOSTunnelType,\n TargetIpAddr = DestinationIP,\n EventUid = _ResourceId\n | extend\n Dvc = coalesce(DvcFQDN, DvcId, DvcHostname, DvcIpAddr),\n EventEndTime = EventStartTime,\n Dst = TargetIpAddr,\n Src = coalesce(SrcFQDN, SrcHostname, SrcIpAddr),\n TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n User = TargetUsername,\n IpAddr = SrcIpAddr,\n DvcIdType = iff(isnotempty(DvcId), \"Other\", \"\"),\n TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n Application = TargetAppName,\n DvcAction = iff(EventResult == \"Success\", \"Allowed\", \"Blocked\"),\n TargetHostname = DvcHostname,\n TargetDomain = DvcDomain,\n TargetDomainType = DvcDomainType,\n EventSubType = \"Remote\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.4\",\n EventProduct = \"PAN-OS\",\n EventVendor = \"Palo Alto Networks\",\n Type = \"CommonSecurityLog\",\n EventCount = int(1)\n | project\n TimeGenerated,\n EventType,\n EventResult,\n EventResultDetails,\n EventOriginalResultDetails,\n EventMessage,\n EventStartTime,\n EventEndTime,\n EventCount,\n EventSeverity,\n EventOriginalSeverity,\n EventOriginalType,\n EventOriginalSubType,\n EventOriginalUid,\n EventSubType,\n EventProduct,\n EventProductVersion,\n EventVendor,\n EventSchema,\n EventSchemaVersion,\n EventUid,\n Dvc,\n 
DvcIpAddr,\n DvcId,\n DvcIdType,\n DvcHostname,\n DvcDomain,\n DvcFQDN,\n DvcDomainType,\n TargetUsername,\n TargetUsernameType,\n TargetUserType,\n User,\n TargetAppName,\n TargetAppType,\n TargetIpAddr,\n Dst,\n SrcIpAddr,\n SrcHostname,\n SrcDomain,\n SrcFQDN,\n SrcDomainType,\n SrcDvcOs,\n Src,\n IpAddr,\n LogonMethod,\n LogonProtocol,\n Application,\n DvcAction,\n TargetHostname,\n TargetDomain,\n TargetDomainType,\n AdditionalFields,\n Type\n};\nparser(disabled=disabled, pack=pack)\n",
31+
"version": 1,
32+
"functionParameters": "disabled:bool=False,pack:bool=False"
33+
}
34+
}
35+
]
36+
}
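Review bot: In the new template's query, the `EventResult` case falls through to `"Success"` for any `PanOSEventStatus` that is neither `success` nor `failure` when `PanOSConnectionError` is empty, so an unrecognised or renamed status value is normalised as a successful logon and becomes invisible to analytics keyed on `EventResult == "Failure"`. Consider adding, in KQL form, `isnotempty(PanOSEventStatus), "NA",` before the final default so that only an absent status (presumably logout and prelogin records) is treated as success; note that `DvcAction` is derived from `EventResult == "Success"` and would then need an `NA` branch too rather than reporting `Blocked`. The `DvcIpAddr = Computer` entry in the `project-rename` also looks doubtful, since `Computer` in CommonSecurityLog is usually the collector host name rather than the device's IP address — confirm against sample records before keeping it under an IP-typed field. The section's file path is not visible on this page, so the remarks are anchored on its last line.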
