Azure · Steve1145 · Mar 4, 2026 · Mar 4, 2026 · Mar 24, 2026 · Apr 2, 2026
@@ -0,0 +1,5 @@
+# Changelog for ASimAlertEventCiscoSecureEndpoint.yaml
+
+## Version 0.1.0
+
+- (2026-03-04) Cisco Secure Endpoint - AlertEvent ASIM Parser - [PR #13741](https://github.com/Azure/Azure-Sentinel/pull/13741)
@@ -0,0 +1,5 @@
+# Changelog for vimAlertEventCiscoSecureEndpoint.yaml
+
+## Version 0.1.0
+
+- (2026-03-04) Cisco Secure Endpoint - AlertEvent ASIM Parser - [PR #13741](https://github.com/Azure/Azure-Sentinel/pull/13741)
@@ -1,7 +1,7 @@
 Parser:
   Title: Alert Event ASIM parser
-  Version: "0.1.0"
-  LastUpdated: Oct 18, 2024
+  Version: "0.1.1"
+  LastUpdated: Mar 04, 2026
 Product:
   Name: Source agnostic
 Normalization:
@@ -31,6 +31,7 @@ ParserQuery: |
   union isfuzzy=true
     vimAlertEventEmpty,
     ASimAlertEventMicrosoftDefenderXDR (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventMicrosoftDefenderXDR' in (DisabledParsers)))),
-    ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers))))
+    ASimAlertEventSentinelOneSingularity (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventSentinelOneSingularity' in (DisabledParsers)))),
+    ASimAlertEventCiscoSecureEndpoint (disabled=(ASimBuiltInDisabled or ('ExcludeASimAlertEventCiscoSecureEndpoint' in (DisabledParsers))))
   }; 
   parser (pack=pack)
@@ -0,0 +1,221 @@
+Parser:
+  Title: Alert Event ASIM parser for Cisco Secure Endpoint
+  Version: '0.1.0'
+  LastUpdated: Mar 04, 2026
+Product:
+  Name: Cisco Secure Endpoint
+Normalization:
+  Schema: AlertEvent
+  Version: '0.1'
+References:
+- Title: ASIM Alert Schema
+  Link: https://aka.ms/ASimAlertEventDoc
+- Title: ASIM
+  Link: https://aka.ms/AboutASIM
+- Title: Developer
+  Link: https://www.bluevoyant.com/
+Description: |
+  This ASIM parser supports normalizing the Cisco Secure Endpoint logs (via Codeless Connector Framework) to the ASIM Alert normalized schema.
+ParserName: ASimAlertEventCiscoSecureEndpoint
+EquivalentBuiltInParser:
+ParserParams:
+  - Name: disabled
+    Type: bool
+    Default: false
+  - Name: pack
+    Type: bool
+    Default: false
+ParserQuery: |
+    let CiscoSEParser = (
+        disabled: bool=false,
+        pack: bool=false
+    )
+    {
+        CiscoSecureEndpointEventsV2_CL
+        | where not(disabled)
+        | where isnotempty(Severity) //Filter in only security events and not operational logs
+        | extend
+            EventUid = tostring(Id),
+            EventOriginalType = tostring(EventTypeId)
+        | project-rename
+            EventOriginalSeverity = Severity,
+            EventEndTime = Date,
+            EventReportUrl = ComputerLinksTrajectory,
+            AlertName = EventType
+        | extend
+            EventMessage = coalesce(CloudIocDescription, CloudIocShortDescription, BpDataName, Detection),
+            EventProductVersion = coalesce(BpDataDetailsEngVer, 'Cloud'),
+            EventStartTime = unixtime_seconds_todatetime(Timestamp),
+            EventOriginalUid = coalesce(BpDataId, DetectionId, dynamic(null)),
+            EventSeverity = case(
+                EventOriginalSeverity in ('Critical', 'High'), 'High',
+                EventOriginalSeverity == 'Medium', 'Medium',
+                EventOriginalSeverity == 'Low', 'Low',
+                'Informational'
+            ),
+            DvcOriginalAction = coalesce(FileParentDisposition, dynamic(null)),
+            DvcId = coalesce(BpDataDeviceOsMachineUuid, ComputerConnectorGuid),
+            DvcOs = coalesce(strcat(BpDataDeviceOsName, ' ', BpDataDeviceOsEdition), dynamic(null)),
+            DvcOsVersion = coalesce(BpDataDeviceOsBuild, dynamic(null)),
+            DvcDescription = coalesce(BpDataDeviceHwInfoVendorName, dynamic(null)),
+            RuleName = coalesce(Detection, BpDataDetection, dynamic(null)),
+            ThreatId = coalesce(BpDataDetection, dynamic(null)),
+            Hostname = coalesce(ComputerHostname, Hostname),
+            DvcIdType = 'Other',
+            DvcIpAddr = extract_json('$[0].ip', ComputerNetworkAddresses),
+            DvcMacAddr = extract_json('$[0].mac', ComputerNetworkAddresses)
+        | invoke _ASIM_ResolveDvcFQDN("Hostname")
+        | project-away Hostname
+        | mv-apply _a = parse_json(BpDataDetailsMatchedActivityEvents) on (
+            extend
+                DvcDomain = coalesce(tostring(_a.['process:start'].user.domain), tostring(_a.['telemetry:api_invoke'].user.domain)),
+                Username = coalesce(tostring(_a.['process:start'].user.name), tostring(_a.['telemetry:api_invoke'].user.name)),
+                UserId = coalesce(tostring(_a.['process:start'].user.sid), tostring(_a.['telemetry:api_invoke'].user.sid)),
+                FileName = coalesce(tostring(_a.['process:start'].app.original_file_name), tostring(_a.['telemetry:api_invoke'].app.original_file_name)),
+                FilePath = coalesce(tostring(_a.['process:start'].app.path), tostring(_a.['telemetry:api_invoke'].app.path)),
+                ParentFileName = coalesce(tostring(_a.['process:start'].parent_app.original_file_name), tostring(_a.['telemetry:api_invoke'].parent_app.original_file_name)),
+                ParentFilePath = coalesce(tostring(_a.['process:start'].parent_app.path), tostring(_a.['telemetry:api_invoke'].parent_app.path)),
+                ProcessCommandLine = coalesce(tostring(_a.['process:start'].cmd_line), tostring(_a.['telemetry:api_invoke'].cmd_line)),
+                FileSHA256 = coalesce(tostring(_a.['process:start'].app.sha256), tostring(_a.['telemetry:api_invoke'].app.sha256)),
+                FileSize = tolong(coalesce(tostring(_a.['process:start'].app.size), tostring(_a.['telemetry:api_invoke'].app.size))),
+                ParentFileSHA256 = coalesce(tostring(_a.['process:start'].parent_app.sha256), tostring(_a.['telemetry:api_invoke'].parent_app.sha256)),
+                ProcessId = coalesce(tostring(_a.['process:start'].pid), tostring(_a.['telemetry:api_invoke'].pid)),
+                ParentProcessId = coalesce(tostring(_a.['process:start'].parent_pid), tostring(_a.['telemetry:api_invoke'].parent_pid))
+          | project-away _a
+          | project DvcDomain, Username, UserId, FileName, FilePath, ParentFileName, ParentFilePath, ProcessCommandLine, FileSHA256, FileSize, ParentFileSHA256, ProcessId, ParentProcessId
+        )
+        | extend
+            BpDataObservablesFile = parse_json(BpDataObservablesFile),
+            FileName = coalesce(FileFileName, FileName, dynamic(null)),
+            FilePath = coalesce(FileFilePath, FilePath, dynamic(null)),
+            ProcessCommandLine = coalesce(ProcessCommandLine, CommandLineArguments, dynamic(null)),
+            UserIdType = iff(isnotempty(UserId), 'Other', dynamic(null)),
+            DvcAction = case(
+                DvcOriginalAction == 'Clean', 'Allow',
+                DvcOriginalAction == 'Unknown', 'Unknown',
+                'Unknown'
+            ),
+            Username = coalesce(IsolationUser, ComputerUser, Username)
+        | extend
+            FileSHA1 = coalesce(FileIdentitySha1, BpDataObservablesFile.[0].sha1, dynamic(null)),//orginal file always first item in array
+            FileSHA256 = coalesce(FileIdentitySha256, BpDataObservablesFile.[0].sha256, dynamic(null)),
+            FileMD5 = coalesce(FileIdentityMd5, BpDataObservablesFile.[0].md5, dynamic(null)),
+            ParentFileSHA1 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].sha1, dynamic(null)),//parent file always first item in array
+            ParentFileSHA256 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].sha256, dynamic(null)),
+            ParentFileMD5 = coalesce(FileParentIdentityMd5, BpDataObservablesFile.[1].md5, dynamic(null)),
+            UsernameType = iff(isnotempty(Username), 'Simple', dynamic(null))
+        | mv-apply _t = parse_json(Techniques) on (
+            extend Technique = iff(isnotempty(_t), strcat('(',tostring(_t),')'), dynamic(null))
+            | summarize AttackTechniques = strcat_array(make_set(Technique), ', ')
+        )
+        | mv-apply _t = parse_json(Tactics) to typeof(string) on (
+            extend Tactic = iff(
+                isnotempty(_t),
+                replace_strings(
+                    _t,
+                    dynamic(['TA0043', 'TA0042', 'TA0001', 'TA0002', 'TA0003', 'TA0004', 'TA0005', 'TA0006', 'TA0007', 'TA0008', 'TA0009', 'TA0011', 'TA0010', 'TA0040']),
+                    dynamic(['Reconnaissance (TA0043)', 'Resource Development (TA0042)', 'Initial Access (TA0001)', 'Execution (TA0002)', 'Persistence (TA0003)', 'Privilege Escalation (TA0004)', 'Defense Evasion (TA0005)', 'Credential Access (TA0006)', 'Discovery (TA0007)', 'Lateral Movement (TA0008)','Collection (TA0009)', 'Command and Control (TA0011)', 'Exfiltration (TA0010)', 'Impact (TA0040)'])
+                ),
+                ''
+            )
+            | summarize AttackTactics = strcat_array(make_set(Tactic), ', ')
+        )
+        | extend
+            EventProduct = 'Secure Endpoint',
+            EventVendor = 'Cisco',
+            EventSchema = 'AlertEvent',
+            EventSchemaVersion = '0.1',
+            EventType = 'Alert',
+            EventSubType = 'Threat',
+            EventCount = int(1),
+            IndicatorType = 'File'
+        | extend AdditionalFields = iff (
+            pack,
+            bag_pack(
+                'ComputerExternalIp', ComputerExternalIp,
+                'ComputerActive', ComputerActive,
+                'ComputerNetworkAddresses', ComputerNetworkAddresses,
+                'CloudIocShortDescription', CloudIocShortDescription,
+                'BpDataRemediated', BpDataRemediated,
+                'BpDataSilent', BpDataSilent,
+                'BpDataType', BpDataType,
+                'BpDataDetailsActions', BpDataDetailsActions,
+                'BpDataDetailsSigId', BpDataDetailsSigId,
+                'BpDataDetailsSigRev', BpDataDetailsSigRev,
+                'BpDataDetailsSigSetVersion', BpDataDetailsSigSetVersion,
+                'BpDataNormalizedObservablesAll', BpDataNormalizedObservablesAll,
+                'BpDataDetailsMatchedActivityEvents', BpDataDetailsMatchedActivityEvents //full raw
+            ),
+            dynamic([])
+        )
+        | extend
+            AlertId = EventUid,
+            AlertDescription = EventMessage,
+            Rule = RuleName,
+            Hostname = DvcHostname,
+            IpAddr = DvcIpAddr,
+            User = Username
+        | project
+            EventUid,
+            EventOriginalType,
+            EventOriginalSeverity,
+            EventEndTime,
+            EventReportUrl,
+            AlertName,
+            EventMessage,
+            EventProductVersion,
+            EventStartTime,
+            EventOriginalUid,
+            EventSeverity,
+            DvcOriginalAction,
+            DvcId,
+            DvcOs,
+            DvcOsVersion,
+            DvcDescription,
+            RuleName,
+            ThreatId,
+            Hostname,
+            DvcIdType,
+            DvcIpAddr,
+            DvcMacAddr,
+            DvcDomain,
+            Username,
+            UserId,
+            FileName,
+            FilePath,
+            ParentFileName,
+            ParentFilePath,
+            ProcessCommandLine,
+            FileSHA256,
+            FileSize,
+            ParentFileSHA256,
+            ProcessId,
+            ParentProcessId,
+            UserIdType,
+            DvcAction,
+            FileSHA1,
+            FileMD5,
+            ParentFileSHA1,
+            ParentFileMD5,
+            UsernameType,
+            AttackTechniques,
+            AttackTactics,
+            EventProduct,
+            EventVendor,
+            EventSchema,
+            EventSchemaVersion,
+            EventType,
+            EventSubType,
+            EventCount,
+            IndicatorType,
+            AdditionalFields,
+            AlertId,
+            AlertDescription,
+            Rule,
+            IpAddr,
+            User
+    };
+    CiscoSEParser(
+        disabled = disabled,
+        pack = pack
+    )
@@ -1,7 +1,7 @@
 Parser:
   Title: Alert Event ASIM filtering parser
-  Version: '0.1.0'
-  LastUpdated: Mar 11 2024
+  Version: '0.1.1'
+  LastUpdated: Mar 04 2026
 Product:
   Name: Source agnostic
 Normalization:
@@ -73,6 +73,7 @@ ParserQuery: |
   union isfuzzy=true
     vimAlertEventEmpty,
     vimAlertEventMicrosoftDefenderXDR (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertMicrosoftDefenderXDR' in (DisabledParsers)))),
-    vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers))))
+    vimAlertEventSentinelOneSingularity (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertSentinelOneSingularity' in (DisabledParsers)))),
+    vimAlertEventCiscoSecureEndpoint (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAlertEventCiscoSecureEndpoint' in (DisabledParsers))))
   };
   parser (starttime=starttime, endtime=endtime, ipaddr_has_any_prefix=ipaddr_has_any_prefix, hostname_has_any=hostname_has_any, username_has_any=username_has_any, attacktactics_has_any=attacktactics_has_any, attacktechniques_has_any=attacktechniques_has_any, threatcategory_has_any=threatcategory_has_any, alertverdict_has_any=alertverdict_has_any, eventseverity_has_any=eventseverity_has_any, pack=pack)