+ "query": "let parser = (disabled: bool=false, pack: bool=false)\n{\n let DCUIEvents = (\n Syslog\n | where not(disabled)\n | where ProcessName == \"DCUI\"\n | where SyslogMessage has_any (\"logged in\", \"logged out\") or SyslogMessage has_all (\"Authentication of user\", \"failed\")\n | extend\n TargetUsername = extract(@\"[Uu]ser (\\S+)\", 1, SyslogMessage),\n EventType = case(SyslogMessage has \"logged out\", \"Logoff\", \"Logon\"),\n EventResult = case(\n SyslogMessage has_any (\"logged in\", \"logged out\", \"succeeded\"), \"Success\",\n SyslogMessage has \"failed\", \"Failure\",\n \"\"\n ),\n EventResultDetails = iff(SyslogMessage has \"time out\", \"Session timeout\", \"\"),\n EventSubType = \"Interactive\",\n LogonMethod = \"Username & Password\"\n | where isnotempty(TargetUsername)\n );\n let HostdEvents = (\n Syslog\n | where not(disabled)\n | where ProcessName == \"Hostd\"\n | where SyslogMessage has_any (\"Accepted password\", \"Rejected password\", \"Cannot login\")\n | extend\n TargetUsername = coalesce(\n extract(@\"for user (\\S+) from\", 1, SyslogMessage),\n extract(@\"Cannot login user (\\S+)@\", 1, SyslogMessage),\n extract(@\"Cannot login (\\S+)@\", 1, SyslogMessage)\n ),\n SrcIpAddr = coalesce(\n extract(@\"for user \\S+ from ([\\d.]+)\", 1, SyslogMessage),\n extract(@\"Cannot login user \\S+@([\\d.]+)\", 1, SyslogMessage),\n extract(@\"Cannot login \\S+@([\\d.]+)\", 1, SyslogMessage)\n ),\n EventResult = case(\n SyslogMessage has \"Accepted password\", \"Success\",\n SyslogMessage has_any (\"Rejected password\", \"Cannot login\"), \"Failure\",\n \"\"\n ),\n EventType = \"Logon\",\n EventSubType = \"Remote\",\n EventResultDetails = extract(@\"@[\\d.]+: (.+)$\", 1, SyslogMessage),\n TargetSessionId = extract(@\"session=(\\S+)\", 1, SyslogMessage),\n OperationId = extract(@\"opID=([^\\s\\]]+)\", 1, SyslogMessage),\n SessionIdShort = extract(@\"sid=([a-f0-9]+)\", 1, SyslogMessage)\n | where isnotempty(TargetUsername)\n // Hostd double-logs each 
auth failure: once as \"Rejected password\" (PAM) and once as \"Cannot login\" (Event Manager), typically within 35-300ms of each other.\n // A 1-second deduplication window collapses these into a single event. The window is intentionally conservative relative to observed duplicate gaps (<100ms).\n | summarize arg_min(TimeGenerated, *) by TargetUsername, SrcIpAddr, EventResult, Computer, bin(TimeGenerated, 1s)\n | project-away TimeGenerated1\n );\n union DCUIEvents, HostdEvents\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | extend\n EventCount = int(1),\n EventStartTime = coalesce(EventTime, TimeGenerated),\n EventEndTime = coalesce(EventTime, TimeGenerated),\n EventVendor = \"VMware\",\n EventProduct = \"ESXi\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.4\",\n TargetUsernameType = \"Simple\",\n DvcIpAddr = iif(HostIP != \"Unknown IP\", tostring(HostIP), dynamic(null)),\n DvcOs = \"VMkernel\",\n TargetHostname = DvcHostname\n | extend\n AdditionalFields = iif(\n pack,\n bag_pack(\n 'OperationId', OperationId,\n 'SessionIdShort', SessionIdShort\n ),\n dynamic(null)\n )\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project\n TimeGenerated,\n _ResourceId,\n Type,\n EventCount,\n EventStartTime,\n EventEndTime,\n EventType,\n EventSubType,\n EventResult,\n EventResultDetails,\n //EventSeverity,\n EventVendor,\n EventProduct,\n //EventProductVersion,\n EventSchema,\n EventSchemaVersion,\n DvcHostname,\n DvcIpAddr,\n DvcOs,\n DvcDomain,\n DvcDomainType,\n DvcFQDN,\n //DvcId,\n //DvcIdType,\n SrcIpAddr,\n //SrcHostname,\n TargetUsername,\n TargetUsernameType,\n //TargetUserType,\n //TargetUserDomain,\n TargetHostname,\n TargetSessionId,\n LogonMethod,\n //LogonProtocol,\n AdditionalFields,\n User,\n Dvc,\n IpAddr,\n Src\n};\nparser(disabled = disabled, pack = pack)",
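Review bot: The HostdEvents deduplication keys on `bin(TimeGenerated, 1s)`, so a "Rejected password"/"Cannot login" pair that straddles a one-second boundary is still emitted twice, and the comment's own figures contradict each other (gaps "typically within 35-300ms" versus "observed duplicate gaps (<100ms)"); the second comment line should read something like `// Pairs that straddle a 1s bin boundary are not collapsed; observed gaps are 35-300ms, so the window is not a hard guarantee.` Because `arg_min(TimeGenerated, *)` is grouped by a key derived from the same column, one of the two resulting TimeGenerated columns is the bin start, and if that is the one kept by `project-away TimeGenerated1` the emitted TimeGenerated loses sub-second precision — naming the key, `by TargetUsername, SrcIpAddr, EventResult, Computer, TimeBin = bin(TimeGenerated, 1s)` followed by `| project-away TimeBin`, keeps the real event time unambiguously (please confirm which column the engine renames). Separately, the SrcIpAddr patterns accept only `[\d.]+`, so a login from an IPv6 source leaves SrcIpAddr empty and every such failure for the same user in the same second collapses into one event, undercounting failed logons from distinct sources; widening the capture group to also accept IPv6 literals would avoid that.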