Merge branch 'master' of https://github.com/Azure/Azure-Sentinel into feature/t-shfeli/AddKindToSolutionsAndDetections

2021-10-24 15:36:22 +03:00 · 2021-10-24 15:36:22 +03:00 · 1e43960ff2
--- a/.script/tests/KqlvalidationsTests/CustomTables/CoreAzureBackup.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/CoreAzureBackup.json
@ -0,0 +1,197 @@
+{
+    "Name": "CoreAzureBackup",
+    "Properties": [
+      {
+        "Name": "AgentVersion",
+        "Type": "String"
+      },
+      {
+        "Name": "AzureBackupAgentVersion",
+        "Type": "string"
+      },
+      {
+        "Name": "AzureDataCenter",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupItemAppVersion",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupItemFriendlyName",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupItemFrontEndSize",
+        "Type": "real"
+      },
+      {
+        "Name": "BackupItemName",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupItemProtectionState",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupItemType",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupItemUniqueId",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupManagementServerName",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupManagementServerOSVersion",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupManagementServerType",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupManagementServerUniqueId",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupManagementServerVersion",
+        "Type": "String"
+      },
+      {
+        "Name": "BackupManagementType",
+        "Type": "String"
+      },
+      {
+        "Name": "Category",
+        "Type": "String"
+      },
+      {
+        "Name": "LatestRecoveryPointLocation",
+        "Type": "String"
+      },
+      {
+        "Name": "LatestRecoveryPointTime",
+        "Type": "datetime"
+      },
+      {
+        "Name": "OldestRecoveryPointLocation",
+        "Type": "String"
+      },
+      {
+        "Name": "OldestRecoveryPointTime",
+        "Type": "datetime"
+      },
+      {
+        "Name": "OperationName",
+        "Type": "String"
+      },
+      {
+        "Name": "PolicyUniqueId",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerFriendlyName",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerLocation",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerName",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerOSType",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerOSVersion",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerProtectionState",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerType",
+        "Type": "string"
+      },
+      {
+        "Name": "ProtectedContainerUniqueId",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectedContainerWorkloadType",
+        "Type": "String"
+      },
+      {
+        "Name": "ProtectionGroupName",
+        "Type": "String"
+      },
+      {
+        "Name": "ResourceGroupName",
+        "Type": "String"
+      },
+      {
+        "Name": "ResourceId",
+        "Type": "String"
+      },
+      {
+        "Name": "_ResourceId",
+        "Type": "String"
+      },
+      {
+        "Name": "SchemaVersion",
+        "Type": "string"
+      },
+      {
+        "Name": "SecondaryBackupProtectionState",
+        "Type": "String"
+      },
+      {
+        "Name": "SourceSystem",
+        "Type": "String"
+      },
+      {
+        "Name": "State",
+        "Type": "String"
+      },
+      {
+        "Name": "StorageReplicationType",
+        "Type": "String"
+      },
+      {
+        "Name": "SubscriptionId",
+        "Type": "String"
+      },
+      {
+        "Name": "_SubscriptionId",
+        "Type": "String"
+      },
+      {
+        "Name": "TimeGenerated",
+        "Type": "datetime"
+      },
+      {
+        "Name": "Type",
+        "Type": "String"
+      },
+      {
+        "Name": "VaultName",
+        "Type": "String"
+      },
+      {
+        "Name": "VaultTags",
+        "Type": "String"
+      },
+      {
+        "Name": "VaultUniqueId",
+        "Type": "String"
+      }
+    ]
+  }
--- a/Detections/AzureDevOpsAuditing/ADOAgentPoolCreatedDeleted.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOAgentPoolCreatedDeleted.yaml
@ -1,7 +1,10 @@
 id: acfdee3f-b794-404a-aeba-ef6a1fa08ad1
 name: Azure DevOps Agent Pool Created Then Deleted
 description: |
-  'As well as adding build agents to an existing pool to execute malicious activity within a pipeline an attacker could create a complete new agent pool and use this for execution. Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.'
+  'As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution.
+  Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this 
+  detection focuses on the creation of new self-hosted pools. To further reduce false positive rates the detection looks for pools created and deleted relatively quickly (within 7 days by default), 
+  as an attacker is likely to remove a malicious pool once used in order to reduce/remove evidence of their activity.'
 severity: High
 requiredDataConnectors: []
 queryFrequency: 7d
@ -45,5 +48,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ADOAuditStreamDisabled.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOAuditStreamDisabled.yaml
@ -1,7 +1,9 @@
 id: 4e8238bd-ff4f-4126-a9f6-09b3b6801b3d
 name: Azure DevOps Audit Stream Disabled
 description: |
-  'Azure DevOps allow for audit logs to streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams before conducting activity and them re-enabling them after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action its unlikely to have a high false positive rate.'
+  'Azure DevOps allow for audit logs to be streamed to external storage solutions such as SIEM solutions. An attacker looking to hide malicious Azure DevOps activity from defenders may look to disable data streams 
+  before conducting activity and then re-enabling the stream after (so as not to raise data threshold-based alarms). Looking for disabled audit streams can identify this activity, and due to the nature of the action 
+  its unlikely to have a high false positive rate.'
 severity: High
 requiredDataConnectors: []
 queryFrequency: 1d
@ -27,5 +29,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ADONewExtensionAdded.yaml
+++ b/Detections/AzureDevOpsAuditing/ADONewExtensionAdded.yaml
@ -1,7 +1,8 @@
 id: bf07ca9c-e408-443a-8939-6860a45a929e
-name: Azure DevOps - New Extension Added
+name: Azure DevOps New Extension Added
 description: |
-  'Extensions added additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. This query looks for new extensions that are not from a configurable list of approved publishers.'
+  'Extensions add additional features to Azure DevOps. An attacker could use a malicious extension to conduct malicious activity. 
+  This query looks for new extensions that are not from a configurable list of approved publishers.'
 severity: Low
 requiredDataConnectors: []
 queryFrequency: 1d
@ -30,5 +31,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ADOPATUsedWithBrowser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOPATUsedWithBrowser.yaml
@ -1,7 +1,9 @@
 id: 5f0d80db-3415-4265-9d52-8466b7372e3a
-name: Azure DevOps - PAT used with Browser.
+name: Azure DevOps PAT used with Browser.
 description: |
-  'Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access for use in code or applications. Given this they can be prone to attacker theft if not adequately secured. This queries looks for the use of a PAT in authentication but from a User Agent indicating a browser. This should not be normal activity and could be an indicator of an attacker using a stolen PAT.'
+  'Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access use in code or applications. 
+  This can be prone to attacker theft if not adequately secured. This query looks for the use of a PAT in authentication but from a User Agent indicating a browser. 
+  This should not be normal activity and could be an indicator of an attacker using a stolen PAT.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@ -27,5 +29,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ADOPipelineModifiedbyNewUser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOPipelineModifiedbyNewUser.yaml
@ -1,7 +1,9 @@
 id: 155e9134-d5ad-4a6f-88f3-99c220040b66
-name: Azure DevOps Pipleine modified by a New User.
+name: Azure DevOps Pipeline modified by a new user.
 description: |
-  'There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) in order to show if the user conducting the action has any associated AAD IdP  alerts, you can also chose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.'
+  'There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. 
+  This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before. This query also joins events with data to Azure AD Identity Protection (AAD IdP) 
+  in order to show if the user conducting the action has any associated AAD IdP alerts. You can also choose to filter this detection to only alert when the user also has AAD IdP alerts associated with them.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@ -54,5 +56,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
+++ b/Detections/AzureDevOpsAuditing/ADORetentionReducedto0.yaml
@ -1,7 +1,7 @@
 id: 71d374e0-1cf8-4e50-aecd-ab6c519795c2
-name: Azure DevOps - Retention Reduced to Zero
+name: Azure DevOps Retention Reduced to Zero
 description: |
-  'AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may  look to reduce the retention time for artifacts and runs to 0.'
+  'AzureDevOps retains items such as run records and produced artifacts for a configurable amount of time. An attacker looking to reduce the footprint left by their malicious activity may look to reduce the retention time for artifacts and runs to 0.'
 severity: Low
 requiredDataConnectors: []
 queryFrequency: 1d
@ -28,5 +28,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOSecretNotSecured.yaml
@ -1,7 +1,8 @@
 id: 4ca74dc0-8352-4ac5-893c-73571cc78331
-name: Azure DevOps - Variable Secret Not Secured
+name: Azure DevOps Variable Secret Not Secured
 description: |
-  'Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as secrets. This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.'
+  'Credentials used in the build process may be stored as Azure DevOps variables. To secure these variables they should be stored in KeyVault or marked as Secrets. 
+  This detection looks for new variables added with names that suggest they are credentials but where they are not set as Secrets or stored in KeyVault.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@ -33,5 +34,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
+++ b/Detections/AzureDevOpsAuditing/ADOVariableModifiedByNewUser.yaml
@ -1,7 +1,10 @@
 id: 3b9a44d7-c651-45ed-816c-eae583a6f2f1
-name: ADO Build Variable Modified by New User.
+name: Azure DevOps Build Variable Modified by New User.
 description: |
-  'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed modifying them before.'
+  'Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify 
+  or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, 
+  just detecting these changes would have a high false positive rate. This detection looks for modifications to variable groups where that user has not been observed 
+  modifying them before.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@ -42,5 +45,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOAdminGroupAdditions.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOAdminGroupAdditions.yaml
@ -1,7 +1,7 @@
 id: 89e6adbd-612c-4fbe-bc3d-32f81baf3b6c
 name: Azure DevOps Administrator Group Monitoring
 description: |
-  'This detection monitors for additions to project or project collection administration groups in an Azure DevOps Organization.'
+  'This detection monitors for additions to projects or project collection administration groups in an Azure DevOps Organization.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 4h
@ -38,5 +38,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOHistoricPrPolicyBypassing.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOHistoricPrPolicyBypassing.yaml
@ -1,7 +1,7 @@
 id: 4d8de9e6-263e-4845-8618-cd23a4f58b70
-name: Azure DevOps Pull Request Policy Bypassing - Historic Allowlist
+name: Azure DevOps Pull Request Policy Bypassing - Historic allow list
 description: |
-  'This detection builds a Allowlist of historic PR policy bypasses and compares to recent history, flagging a non manually allowlisted, non historic pull request bypass.'
+  'This detection builds an allow list of historic PR policy bypasses and compares to recent history, flagging pull request bypasses that are not manually in the allow list and not historically included in the allow list.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 3h
@ -39,5 +39,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOHistoricServiceConnectionAdds.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOHistoricServiceConnectionAdds.yaml
@ -1,8 +1,8 @@
 id: 5efb0cfd-063d-417a-803b-562eae5b0301
-name: Azure DevOps Service Conection Addition/Abuse - Historic Allowlist
+name: Azure DevOps Service Connection Addition/Abuse - Historic allow list
 description: |
-  'This detection builds a allowlist of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use in non manually allowlisted, non historically allowlisted Build/Release runs.
-  This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
+  'This detection builds an allow list of historic service connection use by Builds and Releases and compares to recent history, flagging growth of service connection use which are not manually included in the allow list and 
+  not historically included in the allow list Build/Release runs.  This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 6h
@ -58,5 +58,5 @@ entityMappings:
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOPatSessionMisuse.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOPatSessionMisuse.yaml
@ -1,7 +1,7 @@
 id: ac891683-53c3-4f86-86b4-c361708e2b2b
 name: Azure DevOps Personal Access Token (PAT) misuse
 description: |
-  'This Alert detects whenever a PAT is used in ways that PATs are not normally used.  May require Allowlisting and baselining.
+  'This Alert detects whenever a PAT is used in ways that PATs are not normally used.  May require an allow list and baselining.
  Reference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page
  Use this query for baselining:
  AzureDevOpsAuditing
@ -41,5 +41,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/AzDOServiceConnectionUsage.yaml
+++ b/Detections/AzureDevOpsAuditing/AzDOServiceConnectionUsage.yaml
@ -1,7 +1,7 @@
 id: d564ff12-8f53-41b8-8649-44f76b37b99f
-name: Azure DevOps Service Conection Abuse
+name: Azure DevOps Service Connection Abuse
 description: |
-  'Flags builds/releases that use a large number of service connections if they aren't manually allowlisted.
+  'Flags builds/releases that use a large number of service connections if they aren't manually in the allow list.
  This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse 
  or dump credentials from service connections.'
 severity: Medium
@ -38,5 +38,5 @@ query: |
    Type == "Build", strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_build?definitionId=', DefId),
    strcat('https://dev.azure.com/', OrganizationName, '/', ProjectName, '/_release?_a=releases&view=mine&definitionId=', DefId))
  | extend timestamp = StartTime
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
+++ b/Detections/AzureDevOpsAuditing/ExternalUpstreamSourceAddedtoAzureDevOpsFeed.yaml
@ -1,7 +1,8 @@
 id: adc32a33-1cd6-46f5-8801-e3ed8337885f
 name: External Upstream Source Added to Azure DevOps Feed
 description: |
-  'The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. An attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.'
+  'The detection looks for new external sources added to an Azure DevOps feed. An allow list can be customized to explicitly allow known good sources. 
+  An attacker could look to add a malicious feed in order to inject malicious packages into a build pipeline.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@ -44,5 +45,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
+++ b/Detections/AzureDevOpsAuditing/NewAgentAddedToPoolbyNewUserorofNewOS.yaml
@ -1,7 +1,10 @@
 id: 4ce177b3-56b1-4f0e-b83e-27eed4cb0b16
-name: New Agent Added to Pool by New User or of a New OS Type.
+name: New Agent Added to Pool by New User or Added to a New OS Type.
 description: |
-  'As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a configurable allow list to allow for certain users to be excluded from the logic.'
+  'As seen in attacks such as SolarWinds attackers can look to subvert a build process by controlling build servers. Azure DevOps uses agent pools to execute pipeline tasks. 
+  An attacker could insert compromised agents that they control into the pools in order to execute malicious code. This query looks for users adding agents to pools they have 
+  not added agents to before, or adding agents to a pool of an OS that has not been added to that pool before. This detection has potential for false positives so has a 
+  configurable allow list to allow for certain users to be excluded from the logic.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@ -61,5 +64,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
+++ b/Detections/AzureDevOpsAuditing/NewPAPCAPCASaddedtoADO.yaml
@ -1,7 +1,10 @@
 id: 35ce9aff-1708-45b8-a295-5e9a307f5f17
 name: New PA, PCA, or PCAS added to Azure DevOps
 description: |
-  'In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied the number of users granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these should also be conducted.'
+  'In order for an attacker to be able to conduct many potential attacks against Azure DevOps they will need to gain elevated permissions. 
+  This detection looks for users being granted key administrative permissions. If the principal of least privilege is applied, the number of 
+  users granted these permissions should be small. Note that permissions can also be granted via Azure AD groups and monitoring of these 
+  should also be conducted.'
 severity: Medium
 requiredDataConnectors: []
 queryFrequency: 1d
@ -39,5 +42,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
--- a/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml
+++ b/Detections/SigninLogs/SigninAttemptsByIPviaDisabledAccounts.yaml
@ -1,7 +1,8 @@
 id: 500c103a-0319-4d56-8e99-3cec8d860757
 name: Sign-ins from IPs that attempt sign-ins to disabled accounts
 description: |
-  'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
+  'Identifies IPs with failed attempts to sign in to one or more disabled accounts and where that same IP has had successful signins from other accounts.
+  This could indicate an attacker who obtained credentials for a list of accounts and is attempting to login with those accounts, some of which may have already been disabled.
  References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
  50057 - User account is disabled. The account has been disabled by an administrator.'
 severity: Medium
@ -29,14 +30,14 @@ query: |
  | where ResultType == "50057" 
  | where ResultDescription == "User account is disabled. The account has been disabled by an administrator." 
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), disabledAccountLoginAttempts = count(), 
-  disabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = makeset(UserPrincipalName), 
-  applicationSet = makeset(AppDisplayName) by IPAddress, Type
+  disabledAccountsTargeted = dcount(UserPrincipalName), applicationsTargeted = dcount(AppDisplayName), disabledAccountSet = make_set(UserPrincipalName), 
+  applicationSet = make_set(AppDisplayName) by IPAddress, Type
  | order by disabledAccountLoginAttempts desc
  | join kind= leftouter (
      // Consider these IPs suspicious - and alert any related  successful sign-ins
-      SigninLogs
+      table(tableName)
      | where ResultType == 0
-      | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = makeset(UserPrincipalName, 15) by IPAddress, Type
+      | summarize successfulAccountSigninCount = dcount(UserPrincipalName), successfulAccountSigninSet = make_set(UserPrincipalName, 15) by IPAddress, Type
      // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
      | where successfulAccountSigninCount < 100
  ) on IPAddress  
@ -55,5 +56,5 @@ entityMappings:
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
-version: 1.0.0
-kind: Scheduled
+version: 1.1.0
+kind: Scheduled
--- a/Queries/InputEntity_Account/Acc2Host_HostWithMostFails.yaml
+++ b/Queries/InputEntity_Account/Acc2Host_HostWithMostFails.yaml
@ -17,44 +17,66 @@ Tactics:
  - LateralMovement
  - Collection
 query: |
-
-  let SuccessfulLoginEventId = 4624;
  let FailedLoginEventId = 4625;
-  let MostFailedLogins = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){
-  SecurityEvent
-  | extend p_Account_Name = case(
-      // Handles mixed use scenario of NTDomain\AccountName@UPNSuffix
-      v_Account_Name has '@' and v_Account_Name has '\\', tostring(split(tostring(split(v_Account_Name, '\\')[1]),'@')[0]),
-      v_Account_Name has '@', tostring(split(v_Account_Name, '@')[0]),
-      v_Account_Name has '\\', tostring(split(v_Account_Name, '\\')[1]),
-      v_Account_Name
-  )
-  | extend p_Account_UPNSuffix = case(
-      v_Account_UPNSuffix has '@', tostring(split(v_Account_UPNSuffix, '@')[1]),
-      v_Account_UPNSuffix has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
-      v_Account_UPNSuffix
-  )
-  | extend p_Account_NTDomain = case(
-      v_Account_NTDomain has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
-      v_Account_NTDomain
-  )  
-  // parse Account sections
-  | extend Account_UPNSuffix = iff(Account has '@', tostring(split(Account,'@')[1]),'')
-  | extend Account_NTDomain = iff(Account has '\\', tostring(split(Account,'\\')[0]),'')
-  | extend Account_Name = extract(@'^([^\\]*\\)?([^@]+)@?',2,Account)
-  // filter by account: Name has to match, NTDomain and UPNSuffix should not be different
-  | where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name) 
-                and 
-                iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )
-                and
-                iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )
-           )
-  | summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId), Host_Aux_FailedLoginsCount	= countif(EventID==FailedLoginEventId), Host_Aux_LogonTypes=make_set(LogonType)
-   by Computer, Account, SourceComputerId, _ResourceId
-  | top 10 by Host_Aux_FailedLoginsCount
-  | parse Computer with Host_NTDomain '\\' *
-  | extend Host_HostName = tostring(split(Computer,'.')[0]), 
-   Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.'), Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
-  | project-away Computer, Account, _ResourceId, SourceComputerId
-  };
-  MostFailedLogins('<Name>','<NTDomain>','<UPNSuffix>')
+  let isimAuthenticationInstalled=toscalar(union isfuzzy=true  (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count>1));
+  let Legacy = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){
+    (datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) | join
+    ( 
+          SecurityEvent
+          | extend p_Account_Name = case(
+              // Handles mixed use scenario of NTDomain\AccountName@UPNSuffix
+              v_Account_Name has '@' and v_Account_Name has '\\', tostring(split(tostring(split(v_Account_Name, '\\')[1]),'@')[0]),
+              v_Account_Name has '@', tostring(split(v_Account_Name, '@')[0]),
+              v_Account_Name has '\\', tostring(split(v_Account_Name, '\\')[1]),
+              v_Account_Name
+          )
+          | extend p_Account_UPNSuffix = case(
+              v_Account_UPNSuffix has '@', tostring(split(v_Account_UPNSuffix, '@')[1]),
+              v_Account_UPNSuffix has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
+              v_Account_UPNSuffix
+          )
+          | extend p_Account_NTDomain = case(
+              v_Account_NTDomain has '\\', tostring(split(v_Account_UPNSuffix, '\\')[0]),
+              v_Account_NTDomain
+          )  
+          // parse Account sections
+          | extend Account_UPNSuffix = iff(Account has '@', tostring(split(Account,'@')[1]),'')
+          | extend Account_NTDomain = iff(Account has '\\', tostring(split(Account,'\\')[0]),'')
+          | extend Account_Name = extract(@'^([^\\]*\\)?([^@]+)@?',2,Account)
+          // filter by account: Name has to match, NTDomain and UPNSuffix should not be different
+          | where ( (isnotempty(Account_Name) and Account_Name==p_Account_Name) 
+                          and 
+                          iff(isnotempty(p_Account_NTDomain) and isnotempty(Account_NTDomain) ,p_Account_NTDomain==Account_NTDomain,true )
+                          and
+                          iff(isnotempty(p_Account_UPNSuffix) and isnotempty(Account_UPNSuffix) ,p_Account_UPNSuffix==Account_UPNSuffix,true )
+                  )
+          | summarize Host_Aux_SuccessfulLoginCount = countif(EventID==SuccessfulLoginEventId)
+                  , Host_Aux_FailedLoginsCount	= countif(EventID==FailedLoginEventId)
+                  , Host_Aux_LogonTypes=make_set(LogonType)
+            by Computer, Account, SourceComputerId, _ResourceId
+          | top 10 by Host_Aux_FailedLoginsCount
+          | parse Computer with Host_NTDomain '\\' *
+          | extend Host_HostName = tostring(split(Computer,'.')[0]), 
+                  Host_DnsDomain = strcat_array(array_slice(split(Computer,'.'),1,256),'.')
+                , Host_OMSAgentID=SourceComputerId, Host_AzureID = _ResourceId
+          | project-away Computer, Account, _ResourceId, SourceComputerId
+      | extend exists=int(1) ) on exists | project-away exists, exists1 
+    };
+    let Normalized = (v_Account_Name:string, v_Account_NTDomain:string, v_Account_UPNSuffix:string){
+    (datatable(exists:int)[1] | where isimAuthenticationInstalled) | join 
+    (
+        imAuthentication(starttime=ago(24h),targetusername_has=v_Account_Name) 
+        | where isnotempty(TargetDvcHostname)
+        //* postfiltering *//  
+        | where TargetUsername has v_Account_Name
+        | summarize Host_Aux_SuccessfulLoginCount = countif(EventResult=='Success')
+                  , Host_Aux_FailedLoginsCount	= countif(EventResult=='Failure')
+                  , Host_Aux_LogonTypes=make_set(EventSubType)
+          by TargetDvcHostname, TargetDvcId
+        | top 10 by Host_Aux_FailedLoginsCount
+        | parse TargetDvcHostname with Host_NTDomain '\\' *
+        | extend Host_UnstructuredName = TargetDvcHostname
+        | project-keep Host_*
+      | extend exists=int(1) )   on exists | project-away exists, exists1 
+    };
+    union isfuzzy=true Legacy('<Name>','<NTDomain>','<UPNSuffix>'),Normalized('<Name>','<NTDomain>','<UPNSuffix>')
--- a/Queries/InputEntity_Account/UserAccount_LogonsFromIPAddress.yaml
+++ b/Queries/InputEntity_Account/UserAccount_LogonsFromIPAddress.yaml
@ -16,9 +16,11 @@ Tactics:
  - LateralMovement
  - Collection
 query: |
-
-  let GetAllIPbyAccount = (v_Account_Name:string){
-  OfficeActivity
+  let isimAuthenticationInstalled=toscalar(union isfuzzy=true  (datatable(Test:string)[]), (imAuthentication| take 0) | getschema | count | project Exists=(Count>1));
+  let Legacy = (v_Account_Name:string){
+  (datatable(exists:int)[1] | where not(isimAuthenticationInstalled)) // if table is not installed this table is [1]
+  | join
+  (OfficeActivity
  | extend v_Account_Name = case(
    v_Account_Name has '@', tostring(split(v_Account_Name, '@')[0]),
    v_Account_Name has '\\', tostring(split(v_Account_Name, '\\')[1]),
@ -29,7 +31,15 @@ query: |
  | summarize min(TimeGenerated), max(TimeGenerated), IP_Aux_info = makeset(info) by ClientIP
  | project IP_Aux_StartTime = min_TimeGenerated, IP_Aux_EndTime = max_TimeGenerated, ClientIP, IP_Aux_info
  | project-rename IP_Address=ClientIP
-  | top 10 by IP_Aux_StartTime desc nulls last 
+  | top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists
+  | project-away exists, exists1 
  };
-  // change <Name> value below
-  GetAllIPbyAccount ('<Name>')
+  let Normalized = (v_Account_Name:string){
+  (datatable(exists:int)[1] | where isimAuthenticationInstalled)
+  | join (
+    imAuthentication(targetusername_has=v_Account_Name)
+  | summarize IP_Aux_StartTime=min(TimeGenerated), IP_Aux_EndTime=max(TimeGenerated) by SrcDvcIpAddr
+  | project-rename IP_Address=SrcDvcIpAddr
+  | top 10 by IP_Aux_StartTime desc nulls last | extend exists=int(1)) on exists | project-away exists, exists1 
+  };
+  union isfuzzy=true Legacy('<Name>'), Normalized('<Name>')
--- a/Parsers/ASimAuthentication/ARM/AuthenticationGeneric/AuthenticationGeneric.json
+++ b/Parsers/ASimAuthentication/ARM/AuthenticationGeneric/AuthenticationGeneric.json
@ -19,7 +19,7 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "imAuthentication",
+          "name": "ASimAuthentication",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
@ -27,8 +27,8 @@
            "etag": "*",
            "displayName": "ASIM Source Agnostic Authentication Parser",
            "category": "Security",
-            "FunctionAlias": "imAuthentication",
-            "query": "union isfuzzy=true\nvimAuthenticationEmpty\n  , vimAuthenticationAADManagedIdentitySignInLogs\n  , vimAuthenticationAADNonInteractiveUserSignInLogs\n  , vimAuthenticationAADServicePrincipalSignInLogs\n  , vimAuthenticationSigninLogs\n  , vimAuthenticationAWSCloudTrail\n  , vimAuthenticationOktaSSO\n  , vimAuthenticationWindowsSecurityEvent\n  , vimAuthenticationM365Defender\n  , vimAuthenticationMicrosoftWindowsEvent\n",
+            "FunctionAlias": "ASimAuthentication",
+            "query": "union isfuzzy=true\nvimAuthenticationEmpty\n  , ASimAuthenticationAADManagedIdentitySignInLogs\n  , ASimAuthenticationAADNonInteractiveUserSignInLogs\n  , ASimAuthenticationAADServicePrincipalSignInLogs\n  , ASimAuthenticationSigninLogs\n  , ASimAuthenticationAWSCloudTrail\n  , ASimAuthenticationOktaSSO\n  , ASimAuthenticationWindowsSecurityEvent\n  , ASimAuthenticationM365Defender\n  , ASimAuthenticationMicrosoftWindowsEvent\n  , ASimAuthenticationMD4IoT",
            "version": 1
          }
        }
--- a/Parsers/ASimAuthentication/ARM/AuthenticationGeneric/README.md
+++ b/Parsers/ASimAuthentication/ARM/AuthenticationGeneric/README.md
@ -1,6 +1,6 @@
 # ASIM Authentication Normalization source agnostic parser

-This template deploys the ASIM Authentication source agnostic parser. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication source agnostic parser. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationGeneric%2FAuthenticationGeneric.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthentication%2FASimAuthentication.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json
@ -19,7 +19,7 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "vimAuthenticationAADManagedIdentitySignInLogs",
+          "name": "ASimAuthenticationAADManagedIdentitySignInLogs",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
@ -27,7 +27,7 @@
            "etag": "*",
            "displayName": "Azure active directory managed identity authentication",
            "category": "Security",
-            "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs",
+            "FunctionAlias": "ASimAuthenticationAADManagedIdentitySignInLogs",
            "query": "let AADMIAuthentication=(){\n  AADManagedIdentitySignInLogs\n  | extend\n      EventVendor = 'Microsoft'\n      , EventProduct = 'AAD Managed Identity'\n      , EventCount=int(1)\n      , EventSchemaVersion='0.1.0'\n      , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n      //, EventOriginalResultDetails = ResultType\n      , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n      , EventStartTime = TimeGenerated\n      , EventEndTime= TimeGenerated\n      , EventType= 'Logon'\n      , Location = todynamic(LocationDetails)\n      , TargetAppId = ResourceIdentity \n      , TargetAppName=ResourceDisplayName\n      , TargetUserType='ServicePrincipal'\n      , TargetUsername=ServicePrincipalName\n      , TargetUserId=ServicePrincipalId\n      , TargetUsernameType='Simple'\n      , TargetUserIdType='AADID'\n  | extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n  | project-rename\n      EventOriginalUid = Id\n      , TargetSessionId = CorrelationId\n      , SrcDvcIpAddr = IPAddress\n  | project-reorder\n      TimeGenerated\n      ,EventProduct\n      , EventOriginalUid\n      , EventResult\n      //, EventOriginalResultDetails \n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , TargetSessionId\n      , SrcGeoCountry\n      , SrcGeoCity\n      , TargetAppName\n      , TargetAppId\n      | lookup AADSTSErrorCodes on ResultType\n      // ** Aliases\n      | extend \n        User=TargetUsername\n      , LogonTarget=ResourceIdentity\n      , Dvc=EventVendor\n      };\nAADMIAuthentication",
            "version": 1
          }
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/README.md
@ -0,0 +1,15 @@
+# Azure active directory managed identity signin logs ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADManagedIdentity%2FASimAuthenticationAADManagedIdentity.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json
@ -19,7 +19,7 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "vimAuthenticationAADNonInteractiveUserSignInLogs",
+          "name": "ASimAuthenticationAADNonInteractiveUserSignInLogs",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
@ -27,7 +27,7 @@
            "etag": "*",
            "displayName": "Azure active directory non interactive authentication",
            "category": "Security",
-            "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs",
+            "FunctionAlias": "ASimAuthenticationAADNonInteractiveUserSignInLogs",
            "query": "let AADNIAuthentication=(){\n  AADNonInteractiveUserSignInLogs\n  | extend\n      EventVendor = 'Microsoft'\n      , EventProduct = 'AAD Non Interactive'\n      , EventSchemaVersion='0.1.0'\n      , EventCount=int(1)\n      , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n      , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n      , EventStartTime = TimeGenerated\n      , EventEndTime= TimeGenerated\n      , EventType= 'Logon'\n      , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n      , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n      , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n      , Location = todynamic(LocationDetails)\n      , TargetAppId = ResourceIdentity \n      , TargetUserType='NonInteractive'\n      , TargetUsernameType='Upn'\n      , TargetUserIdType='AADID'\n      , TargetAppName=ResourceDisplayName\n  | extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n  | project-rename\n      EventOriginalUid =Id\n      , LogonMethod = AuthenticationRequirement\n      , HttpUserAgent=UserAgent\n      , TargetSessionId=CorrelationId\n      , TargetUserId = UserId\n      , TargetUsername=UserPrincipalName\n      , SrcDvcIpAddr=IPAddress\n      | lookup AADSTSErrorCodes on ResultType\n  | project-reorder\n      TimeGenerated\n      ,EventProduct\n      , EventOriginalUid\n      , EventResult\n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , LogonMethod \n      , TargetSessionId\n      , TargetUserId\n      , TargetUsername\n      , SrcDvcId\n      , SrcDvcHostname \n      , SrcDvcOs\n      , HttpUserAgent \n      , SrcGeoCountry\n      , SrcGeoCity\n      , TargetAppId\n      , TargetAppName\n      // ** Aliases\n      | extend \n        User=TargetUsername\n      , LogonTarget=ResourceIdentity\n      , Dvc=EventVendor};\nAADNIAuthentication",
            "version": 1
          }
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/README.md
@ -0,0 +1,15 @@
+# Azure active directory nonInteractive signin logs ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADNonInteractive%2FASimAuthenticationAADNonInteractive.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json
@ -19,7 +19,7 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "vimAuthenticationAADServicePrincipalSignInLogs",
+          "name": "ASimAuthenticationAADServicePrincipalSignInLogs",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
@ -27,7 +27,7 @@
            "etag": "*",
            "displayName": "Azure active directory service principal authentication",
            "category": "Security",
-            "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs",
+            "FunctionAlias": "ASimAuthenticationAADServicePrincipalSignInLogs",
            "query": "let AADSvcPrincipal=(){\n  AADServicePrincipalSignInLogs\n  | extend\n      EventVendor = 'Microsoft'\n      , EventProduct = 'AAD Service Principal'\n      , EventCount=int(1)\n      , EventSchemaVersion='0.1.0'\n      , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n      //, EventResultDetails= ResultType\n      , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n      , EventStartTime = TimeGenerated\n      , EventEndTime= TimeGenerated\n      , EventType= 'Logon'\n      , Location = todynamic(LocationDetails)\n      , TargetAppId = ResourceIdentity \n      , TargetAppName=ResourceDisplayName\n    , TargetUserType='ServicePrincipal'\n    , TargetUsername=ServicePrincipalName\n    , TargetUserId=ServicePrincipalId\n    , TargetUsernameType='Simple'\n    , TargetUserIdType='AADID'\n  | extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n  | project-rename\n      EventOriginalUid =Id\n      , TargetSessionId=CorrelationId\n      , SrcDvcIpAddr=IPAddress\n      | lookup AADSTSErrorCodes on ResultType\n  | project-reorder\n      TimeGenerated\n      ,EventProduct\n      , EventOriginalUid\n      , EventResult\n      //, EventResultDetails\n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , TargetSessionId\n      , SrcGeoCity\n      , SrcGeoCountry\n      , TargetAppId\n      // ** Aliases\n      | extend \n        User=TargetUsername\n    , LogonTarget=ResourceIdentity\n    , Dvc=EventVendor};\nAADSvcPrincipal",
            "version": 1
          }
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/README.md
@ -0,0 +1,15 @@
+# Azure active directory service principal signin logs ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADServicePrincipalSignInLogs%2FASimAuthenticationAADServicePrincipalSignInLogs.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
@ -19,7 +19,7 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "vimAuthenticationSigninLogs",
+          "name": "ASimAuthenticationSigninLogs",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
@ -27,8 +27,8 @@
            "etag": "*",
            "displayName": "Azure active directory authentication",
            "category": "Security",
-            "FunctionAlias": "vimAuthenticationSigninLogs",
-            "query": "let AADSigninLogs=(){\nSigninLogs\n| extend\n  EventVendor = 'Microsoft'\n  , EventProduct = 'AAD Sign In Logs'\n  , EventCount=int(1)\n  , EventSchemaVersion='0.1.0'\n  , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n  , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n  , EventStartTime = TimeGenerated\n  , EventEndTime= TimeGenerated\n  , EventType= 'Logon'\n  , SrcDvcId=tostring(DeviceDetail.deviceId)\n  , SrcDvcHostname =tostring(DeviceDetail.displayName)\n  , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n  // , SrcBrowser= tostring(DeviceDetail.browser)\n  , Location = todynamic(LocationDetails)\n  , TargetUsernameType='Upn'\n  , TargetUserIdType='AADID'\n| extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n     EventOriginalUid =Id\n     , LogonMethod  = AuthenticationRequirement\n     , HttpUserAgent=UserAgent\n     , TargetSessionId=CorrelationId\n     , TargetUserId = UserId\n     , TargetUsername=UserPrincipalName\n     , TargetUserType=UserType\n     , TargetAppId = ResourceIdentity\n     , TargetAppName=ResourceDisplayName\n | project-reorder\n     TimeGenerated\n     ,EventProduct\n     , EventOriginalUid\n     , EventResult\n     , EventOriginalResultDetails\n     , EventStartTime\n     , EventEndTime\n     , LogonMethod \n     , TargetSessionId\n     , TargetUserId\n     , TargetUsername\n     , SrcDvcId\n     , SrcDvcHostname \n     , SrcDvcOs\n     , HttpUserAgent \n     , SrcGeoCity\n     , SrcGeoCountry\n     , TargetAppId\n     , TargetAppName\n     // ** Aliases\n      | extend \n        User=TargetUsername\n      , LogonTarget=TargetAppName\n      , Dvc=EventVendor};\n     AADSigninLogs",
+            "FunctionAlias": "ASimAuthenticationSigninLogs",
+            "query": "let AADSigninLogs=(){\nSigninLogs\n| extend\n  EventVendor = 'Microsoft'\n  , EventProduct = 'AAD Sign In Logs'\n  , EventCount=int(1)\n  , EventSchemaVersion='0.1.0'\n  , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n  , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n  , EventStartTime = TimeGenerated\n  , EventEndTime= TimeGenerated\n  , EventType= 'Logon'\n  , SrcDvcId=tostring(DeviceDetail.deviceId)\n  , SrcDvcHostname =tostring(DeviceDetail.displayName)\n  , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n  // , SrcBrowser= tostring(DeviceDetail.browser)\n  , Location = todynamic(LocationDetails)\n  , TargetUsernameType='Upn'\n  , TargetUserIdType='AADID'\n  , SrcDvcIpAddr=IPAddress\n| extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n     EventOriginalUid =Id\n     , LogonMethod  = AuthenticationRequirement\n     , HttpUserAgent=UserAgent\n     , TargetSessionId=CorrelationId\n     , TargetUserId = UserId\n     , TargetUsername=UserPrincipalName\n     , TargetUserType=UserType\n     , TargetAppId = ResourceIdentity\n     , TargetAppName=ResourceDisplayName\n | project-reorder\n     TimeGenerated\n     ,EventProduct\n     , EventOriginalUid\n     , EventResult\n     , EventOriginalResultDetails\n     , EventStartTime\n     , EventEndTime\n     , LogonMethod \n     , TargetSessionId\n     , TargetUserId\n     , TargetUsername\n     , SrcDvcId\n     , SrcDvcHostname \n     , SrcDvcOs\n     , HttpUserAgent \n     , SrcGeoCity\n     , SrcGeoCountry\n     , TargetAppId\n     , TargetAppName\n     , SrcDvcIpAddr\n     // ** Aliases\n      | extend \n        User=TargetUsername\n      , LogonTarget=TargetAppName\n      , Dvc=EventVendor};\n     AADSigninLogs\n",
            "version": 1
          }
        }
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/README.md
@ -0,0 +1,15 @@
+# Azure SigninLogs ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAADSigninLogs%2FASimAuthenticationAADSigninLogs.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json
@ -19,7 +19,7 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "vimAuthenticationAWSCloudTrail",
+          "name": "ASimAuthenticationAWSCloudTrail",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
@ -27,7 +27,7 @@
            "etag": "*",
            "displayName": "ASIM AWS authentication",
            "category": "Security",
-            "FunctionAlias": "vimAuthenticationAWSCloudTrail",
+            "FunctionAlias": "ASimAuthenticationAWSCloudTrail",
            "query": "let AWSLogon=(){\nAWSCloudTrail\n | where EventName == 'ConsoleLogin'\n | extend\n  EventVendor = 'AWS'\n  , EventProduct='AWSCloudTrail'\n  , EventCount=int(1)\n  , EventSchemaVersion='0.1.0'\n  , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n  , EventStartTime=TimeGenerated\n  , EventEndTime=TimeGenerated\n  , EventType='Logon'\n  , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n  , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n  , TargetUsernameType='Simple'\n  , TargetUserIdType='AWSId'\n  | project-rename\n    EventOriginalUid= AwsEventId\n  , EventOriginalResultDetails= ErrorMessage\n  , TargetUsername= UserIdentityUserName\n  , TargetUserType=UserIdentityType\n  , TargetUserId=UserIdentityAccountId \n  , SrcDvcIpAddr=SourceIpAddress\n  , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n       User=TargetUsername\n      , LogonTarget=tostring(split(TargetUrl,'?')[0])\n      , Dvc=EventVendor\n  };\n  AWSLogon\n",
            "version": 1
          }
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/README.md
@ -0,0 +1,15 @@
+# Amazon web services cloud trail ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationAWSCloudTrail%2FASimAuthenticationAWSCloudTrail.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365D/ASimAuthenticationM365D.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365D/ASimAuthenticationM365D.json
@ -0,0 +1,38 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimAuthenticationM365Defender",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser",
+            "category": "Security",
+            "FunctionAlias": "ASimAuthenticationM365Defender",
+            "query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n  'InvalidUserNameOrPassword','No such user or password'\n  ];\nlet AuthM365D=(){\n  DeviceLogonEvents \n  //\n  | project-rename \n     EventOriginalResultDetails=FailureReason \n  | extend \n  // ----  Event\n      EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n     , EventCount=int(1)\n     , EventStartTime=TimeGenerated\n     , EventEndTime=TimeGenerated\n     , EventOriginalType = LogonType\n     , EventProduct='M365 Defender for EndPoint'\n     ,  EventResult = case(ActionType =='LogonSuccess', 'Success'\n                          , ActionType=='LogonFailed', 'Failure'\n                          , ActionType=='LogonAttempted', 'NA'\n                          , 'NA')\n    , EventSchemaVersion='0.1.0'\n    , EventType='Logon'\n    , EventVendor ='Microsoft'\n   //  ----   Target and Actor Users\n   | project-rename \n       TargetUserId=AccountSid\n     , ActorUserId =InitiatingProcessAccountSid\n     , ActorUserUpn=InitiatingProcessAccountUpn\n     , ActorUserObjectId=InitiatingProcessAccountObjectId\n    | extend \n       TargetUserIdType ='SID'\n     , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n     , TargetUsernameType='Windows'\n     , ActorUserIdType='SID'\n     , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName\n     , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n                              , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n                              , 'Simple')\n     , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n     , TargetDvcFQDN=DeviceName\n    | project-rename \n      LogonProtocol=Protocol\n    , TargetDvcId=DeviceId\n    , SrcDvcIpAddr=RemoteIP\n    , OriginalEventUid=ReportId\n    , SrcDvcHostname=RemoteDeviceName \n  //\n  , ActingProcessCommandLine = InitiatingProcessCommandLine\n  , ActingProcessCreationTime=InitiatingProcessCreationTime\n  , ActingProcessPath=InitiatingProcessFolderPath\n  , ActingProcessId=InitiatingProcessId\n  , ActingProcessMD5=InitiatingProcessMD5\n  , ActingProcessSHA1=InitiatingProcessSHA1\n  , ActingProcessSHA256= InitiatingProcessSHA256\n  , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n  , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n  , ParentProcessName=InitiatingProcessParentFileName\n  , ParentProcessId=InitiatingProcessParentId\n  , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n    | extend \n        ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n                          , ActingProcessPath\n                          , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n    ,  TargetDvcHostnameType='FQDN'\n    , TargetDvcIdType='MDE'\n    , TargetPortNumber=RemotePort\n    , TargetSessionId = tostring(LogonId)\n    | lookup FaliureReason on EventOriginalResultDetails \n  // TargetUrl \n  // -----------  Alias\n    | extend \n      User=TargetUsername \n      , LogonTarget=TargetDvcHostname\n      , Dvc=TargetDvcHostname\n      };AuthM365D\n",
+            "version": 1
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365D/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365D/README.md
@ -0,0 +1,15 @@
+# M365 Defender ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for M365 Defender. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationM365D%2FASimAuthenticationM365D.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/ASimAuthenticationM365Defender.json
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365Defender/README.md
@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationM365Defender%2FAuthenticationM365Defender.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationM365Defender%2FASimAuthenticationM365Defender.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json
@ -19,15 +19,15 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "vimAuthenticationMD4IoT",
+          "name": "ASimAuthenticationMD4IoT",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
          "properties": {
            "etag": "*",
-            "displayName": "ASIM Azure Defender for IoT Authentication Parser",
+            "displayName": "ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint",
            "category": "Security",
-            "FunctionAlias": "vimAuthenticationMD4IoT",
+            "FunctionAlias": "ASimAuthenticationMD4IoT",
            "query": "let Authentication_MD4IoT=()\n  {\n    SecurityIoTRawEvent \n    | where RawEventName == \"Login\" \n    | extend\n      EventDetails = todynamic(EventDetails)\n      //\n    | extend\n      EventOriginalUid = tostring(EventDetails.OriginalEventId), \n      EventProduct = 'Azure Defender for IoT',\n      EventCount=int(1),\n      EventVendor = 'Microsoft', \n      EventSchemaVersion = '0.1.0', \n      EventStartTime = todatetime(EventDetails.TimestampUTC), \n      EventEndTime = todatetime(TimeGenerated), \n      EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'),  \n      EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success')  \n      //\n    | extend\n      ActingProcessId = tostring(EventDetails.ProcessId),  \n      ActingProcessName = tostring(EventDetails.Executable),  // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n      DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"),  // -- Intermediate fix\n      TargetUsernameType = \"Simple\",\n      TargetUsername = tostring(EventDetails.UserName),\n      SrcIpAddr = tostring(EventDetails.RemoteAddress) \n    | project-rename\n      DvcHostname = DeviceId, \n      EventProductVersion = AgentVersion,  // -- Not available in Windows\n      _ResourceId = AssociatedResourceId, \n      _SubscriptionId = AzureSubscriptionId \n      //\n      // -- aliases\n    | extend \n      User = TargetUsername, \n      Process = ActingProcessName, \n      Dvc = DvcHostname,\n      SrcDvcIpAddr = SrcIpAddr,\n      IpAddr = SrcIpAddr\n   };\n   Authentication_MD4IoT",
            "version": 1
          }
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/README.md
@ -0,0 +1,15 @@
+# Microsoft Defender for IoT - Endpoint ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftMD4IoT%2FASimAuthenticationMicrosoftMD4IoT.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/README.md
@ -0,0 +1,15 @@
+# Microsoft Windows Events ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationMicrosoftWindowsEvent%2FASimAuthenticationMicrosoftWindowsEvent.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json
@ -19,7 +19,7 @@
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
-          "name": "vimAuthenticationOktaSSO",
+          "name": "ASimAuthenticationOktaSSO",
          "dependsOn": [
            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
          ],
@ -27,8 +27,8 @@
            "etag": "*",
            "displayName": "ASIM Okta identity management authentication parser",
            "category": "Security",
-            "FunctionAlias": "vimAuthenticationOktaSSO",
-            "query": "let OktaSignin=(){\n  let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n  let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n  let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n  // https://developer.okta.com/docs/reference/api/event-types/#catalog\n  Okta_CL\n  | where eventType_s_s in (OktaSigninEvents)\n  | extend \n      EventProduct='Okta'\n      , EventVendor='Okta'\n      , EventCount=int(1)\n      , EventSchemaVersion='0.1.0'\n      , EventResult = case (outcome_result_s_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s_s in (OktaFailedOutcome),'Failure', 'Partial')\n      , EventStartTime=TimeGenerated\n      , EventEndTime=TimeGenerated\n      , EventType=iff(eventType_s_s hassuffix 'start', 'Logon', 'Logoff')\n      , EventSubType=legacyEventType_s_s\n      , TargetUserIdType='OktaId'\n      , TargetUsernameType='Upn'\n      , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d_s)\n      , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d_s)\n      , ActingAppType = \"Browser\"\n  | project-rename \n      EventMessage=displayMessage_s_s\n      ,EventOriginalResultDetails=outcome_reason_s_s\n      , LogonMethod = authenticationContext_credentialType_s_s\n      , TargetSessionId=authenticationContext_externalSessionId_s_s\n      , TargetUserId= actor_id_s_s\n      , TargetUsername=actor_alternateId_s_s\n      , TargetUserType=actor_type_s_s\n      , SrcDvcOs=client_userAgent_os_s_s\n      , HttpUserAgent=client_userAgent_rawUserAgent_s_s\n      , ActingAppName = client_userAgent_browser_s_s\n      , SrcIsp=securityContext_isp_s_s\n      , SrcGeoCity=client_geographicalContext_city_s_s\n      , SrcGeoCountry=client_geographicalContext_country_s_s\n      , EventOriginalUid = uuid_g_g\n  | project-reorder\n      EventProduct\n      , EventOriginalUid\n      , TimeGenerated\n      , EventMessage\n      , EventResult\n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , EventType\n      , EventSubType\n      , LogonMethod\n      , TargetSessionId\n      , TargetUserId\n      , TargetUsername\n      , TargetUserType\n      , SrcDvcOs\n      , HttpUserAgent\n      , SrcIsp\n      , SrcGeoCity\n      , SrcGeoCountry\n      , SrcGeoLongitude\n      , SrcGeoLatitude\n      // ** Aliases\n      | extend \n        User=TargetUsername\n        , Dvc=EventVendor\n  };\nOktaSignin\n",
+            "FunctionAlias": "ASimAuthenticationOktaSSO",
+            "query": "let OktaSignin=(){\n  let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n  let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n  let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n  // https://developer.okta.com/docs/reference/api/event-types/#catalog\n  Okta_CL\n  | where eventType_s_s in (OktaSigninEvents)\n  | extend \n      EventProduct='Okta'\n      , EventVendor='Okta'\n      , EventCount=int(1)\n      , EventSchemaVersion='0.1.0'\n      , EventResult = case (outcome_result_s_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s_s in (OktaFailedOutcome),'Failure', 'Partial')\n      , EventStartTime=TimeGenerated\n      , EventEndTime=TimeGenerated\n      , EventType=iff(eventType_s_s hassuffix 'start', 'Logon', 'Logoff')\n      , EventSubType=legacyEventType_s_s\n      , TargetUserIdType='OktaId'\n      , TargetUsernameType='Upn'\n      , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n      , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n      , ActingAppType = \"Browser\"\n  | project-rename \n      EventMessage=displayMessage_s_s\n      ,EventOriginalResultDetails=outcome_reason_s_s\n      , LogonMethod = authenticationContext_credentialType_s_s\n      , TargetSessionId=authenticationContext_externalSessionId_s_s\n      , TargetUserId= actor_id_s_s\n      , TargetUsername=actor_alternateId_s_s\n      , TargetUserType=actor_type_s_s\n      , SrcDvcOs=client_userAgent_os_s_s\n      , HttpUserAgent=client_userAgent_rawUserAgent_s_s\n      , ActingAppName = client_userAgent_browser_s_s\n      , SrcIsp=securityContext_isp_s_s\n      , SrcGeoCity=client_geographicalContext_city_s_s\n      , SrcGeoCountry=client_geographicalContext_country_s_s\n      , EventOriginalUid = uuid_g_g\n  | project-reorder\n      EventProduct\n      , EventOriginalUid\n      , TimeGenerated\n      , EventMessage\n      , EventResult\n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , EventType\n      , EventSubType\n      , LogonMethod\n      , TargetSessionId\n      , TargetUserId\n      , TargetUsername\n      , TargetUserType\n      , SrcDvcOs\n      , HttpUserAgent\n      , SrcIsp\n      , SrcGeoCity\n      , SrcGeoCountry\n      , SrcGeoLongitude\n      , SrcGeoLatitude\n      // ** Aliases\n      | extend \n        User=TargetUsername\n        , Dvc=EventVendor\n  };\nOktaSignin\n",
            "version": 1
          }
        }
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/README.md
@ -0,0 +1,15 @@
+# Okta identity management ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Okta identity management. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationOktaOSS%2FASimAuthenticationOktaOSS.json)
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationWindowsSecurityEvent/AuthenticationWindowsSecurityEvent.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationWindowsSecurityEvent/AuthenticationWindowsSecurityEvent.json
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationWindowsSecurityEvent/README.md
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationWindowsSecurityEvent/README.md
@ -1,6 +1,6 @@
 # Microsoft Windows Events ASIM Authentication Normalization Parser

-This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationMicrosoftWindowsEvent%2FAuthenticationMicrosoftWindowsEvent.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationWindowsSecurityEvent%2FASimAuthenticationWindowsSecurityEvent.json)
--- a/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftMD4IoT/README.md
+++ b/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftMD4IoT/README.md
@ -1,15 +0,0 @@
-# Azure Defender 4 IoT ASIM Authentication Normalization Parser
-
-This template deploys the ASIM Authentication schema parser for Azure Defender 4 IoT. The parser is a part of the Azure Sentinel Information Model.
-
-The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
-
-For more information, see:
-
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
-
-<br>
- 
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationMicrosoftMD4IoT%2FAuthenticationMicrosoftMD4IoT.json)
--- a/Parsers/ASimAuthentication/ARM/AuthenticationWindowsSecurityEvent/README.md
+++ b/Parsers/ASimAuthentication/ARM/AuthenticationWindowsSecurityEvent/README.md
@ -1,15 +0,0 @@
-# Microsoft Windows ASIM Authentication Normalization Parser
-
-This template deploys the ASIM Authentication schema parser for Microsoft Windows. The parser is a part of the Azure Sentinel Information Mode.
-
-The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
-
-For more information, see:
-
- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
-
-<br>
- 
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationWindowsSecurityEvent%2FAuthenticationWindowsSecurityEvent.json)
--- a/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
+++ b/Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json
@ -1,277 +0,0 @@
-{
-    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
-    "contentVersion": "1.0.0.0",
-    "parameters": {
-        "workspaceName": {
-            "type": "string"
-        },
-        "location": {
-            "type": "string"
-        }
-    },
-    "variables": {},
-    "resources": [
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAADSTSErrCodes",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AADSTSErrorCodes/AADSTSErrorCodes.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-         {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAAuthenticationEmpty",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationEmpty/AuthenticationEmpty.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-         },
-         {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationGeneric",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationGeneric/AuthenticationGeneric.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationAADManagedIdentity",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADManagedIdentity/AuthenticationAADManagedIdentity.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationAADNonInteractive",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADNonInteractive/AuthenticationAADNonInteractive.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationAADServicePrincipalSignInLogs",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADServicePrincipalSignInLogs/AuthenticationAADServicePrincipalSignInLogs.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationAADSigninLogs",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAADSigninLogs/AuthenticationAADSigninLogs.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationAWSCloudTrail",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationAWSCloudTrail/AuthenticationAWSCloudTrail.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-                {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationM365Defender",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/AuthenticationM365Defender.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationOktaOSS",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationOktaOSS/AuthenticationOktaOSS.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationWindowsSecurityEvent",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationWindowsSecurityEvent/AuthenticationWindowsSecurityEvent.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedAuthenticationMicrosoftMD4IoT",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftMD4IoT/AuthenticationMicrosoftMD4IoT.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        },
-        {
-            "type": "Microsoft.Resources/deployments",
-            "apiVersion": "2020-10-01",
-            "name": "linkedvimAuthenticationMicrosoftWindowsEvent",
-            "properties": {
-                "mode": "Incremental",
-                "templateLink": {
-                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AuthenticationMicrosoftWindowsEvent/AuthenticationMicrosoftWindowsEvent.json",
-                    "contentVersion": "1.0.0.0"
-                },
-                "parameters": {
-                    "workspaceName": {
-                        "value": "[parameters('workspaceName')]"
-                    },
-                    "location": {
-                        "value": "[parameters('location')]"
-                    }
-                }
-            }
-        }
-    ],
-    "outputs": {
-    }
-}
--- a/Parsers/ASimAuthentication/ARM/README.md
+++ b/Parsers/ASimAuthentication/ARM/README.md
@ -1,17 +0,0 @@
-# Authentication - Azure Sentinel Information Model
-
-This template deploys the following:
-* imAuthentication - Authentication events from all normalized authentication providers
-* vimAuthenticationAADManagedIdentitySignInLogs
-* vimAuthenticationAADNonInteractiveUserSignInLogs
-* vimAuthenticationAADServicePrincipalSignInLogs
-* vimAuthenticationSigninLogs
-* vimAuthenticationAWSCloudTrail
-* vimAuthenticationOktaSSO
-* vimAuthenticationWindowsSecurityEvent
-* vimAuthenticationMicrosoftWindowsEvent
-* vimAuthenticationMD4IoT
-* AADSTSErrorCodes
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/AzSentinelAuthenticationARM)
--- a/Parsers/ASimAuthentication/ARM/imAuthenticationGeneric/README.md
+++ b/Parsers/ASimAuthentication/ARM/imAuthenticationGeneric/README.md
@ -0,0 +1,14 @@
+# ASIM Authentication Normalization source agnostic parser
+This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FimAuthentication%2FimAuthentication.json)
--- a/Parsers/ASimAuthentication/ARM/imAuthenticationGeneric/imAuthenticationGeneric.json
+++ b/Parsers/ASimAuthentication/ARM/imAuthenticationGeneric/imAuthenticationGeneric.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "imAuthentication",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Source Agnostic Authentication Parser",
+            "category": "Security",
+            "FunctionAlias": "imAuthentication",
+            "query": "let imAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\nunion isfuzzy=true\nvimAuthenticationEmpty\n  , vimAuthenticationAADManagedIdentitySignInLogs(starttime, endtime, targetusername_has)\n  , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has)\n  , vimAuthenticationAADServicePrincipalSignInLogs(starttime, endtime, targetusername_has)\n  , vimAuthenticationSigninLogs(starttime, endtime, targetusername_has)\n  , vimAuthenticationAWSCloudTrail(starttime, endtime, targetusername_has)\n  , vimAuthenticationOktaSSO(starttime, endtime, targetusername_has)\n  , vimAuthenticationWindowsSecurityEvent(starttime, endtime, targetusername_has)\n  , vimAuthenticationM365Defender(starttime, endtime, targetusername_has)\n  , vimAuthenticationMicrosoftWindowsEvent(starttime, endtime, targetusername_has)\n  , vimAuthenticationMD4IoT(starttime, endtime, targetusername_has)\n  };\n  imAuthentication(starttime, endtime, targetusername_has)\n",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/README.md
@ -1,6 +1,6 @@
 # Azure active directory managed identity signin logs ASIM Authentication Normalization Parser

-This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication schema parser for Azure active directory managed identity signin logs. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationAADManagedIdentity%2FAuthenticationAADManagedIdentity.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADManagedIdentity%2FvimAuthenticationAADManagedIdentity.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationAADManagedIdentitySignInLogs",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Azure active directory managed identity authentication",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationAADManagedIdentitySignInLogs",
+            "query": "let AADMIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n  AADManagedIdentitySignInLogs\n  // ************************************************************************* \n  //       <Prefilterring>\n  // *************************************************************************\n  | where \n    (isnull(starttime)   or TimeGenerated >= starttime) \n    and (isnull(endtime)     or TimeGenerated <= starttime)\n    and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))\n  // ************************************************************************* \n  //       </Prefilterring>\n  // ************************************************************************* \n  | extend\n      EventVendor = 'Microsoft'\n      , EventProduct = 'AAD Managed Identity'\n      , EventCount=int(1)\n      , EventSchemaVersion='0.1.0'\n      , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n      //, EventOriginalResultDetails = ResultType\n      , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n      , EventStartTime = TimeGenerated\n      , EventEndTime= TimeGenerated\n      , EventType= 'Logon'\n      , Location = todynamic(LocationDetails)\n      , TargetAppId = ResourceIdentity \n      , TargetAppName=ResourceDisplayName\n      , TargetUserType='ServicePrincipal'\n      , TargetUsername=ServicePrincipalName\n      , TargetUserId=ServicePrincipalId\n      , TargetUsernameType='Simple'\n      , TargetUserIdType='AADID'\n  | extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n  | project-rename\n      EventOriginalUid = Id\n      , TargetSessionId = CorrelationId\n      , SrcDvcIpAddr = IPAddress\n  | project-reorder\n      TimeGenerated\n      ,EventProduct\n      , EventOriginalUid\n      , EventResult\n      //, EventOriginalResultDetails \n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , TargetSessionId\n      , SrcGeoCountry\n      , SrcGeoCity\n      , TargetAppName\n      , TargetAppId\n      | lookup AADSTSErrorCodes on ResultType\n      // ** Aliases\n      | extend \n        User=TargetUsername\n      , LogonTarget=ResourceIdentity\n      , Dvc=EventVendor\n      };\nAADMIAuthentication(starttime, endtime, targetusername_has)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/README.md
@ -1,6 +1,6 @@
 # Azure active directory nonInteractive signin logs ASIM Authentication Normalization Parser

-This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication schema parser for Azure active directory nonInteractive signin logs. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationAADNonInteractive%2FAuthenticationAADNonInteractive.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADNonInteractive%2FvimAuthenticationAADNonInteractive.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationAADNonInteractiveUserSignInLogs",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Azure active directory non interactive authentication",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationAADNonInteractiveUserSignInLogs",
+            "query": "let AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n  AADNonInteractiveUserSignInLogs\n  // ************************************************************************* \n  //       <Prefilterring>\n  // *************************************************************************\n  | where \n    (isnull(starttime)   or TimeGenerated >= starttime) \n    and (isnull(endtime)     or TimeGenerated <= starttime)\n    and (targetusername_has=='*' or (UserPrincipalName  has targetusername_has ))\n  // ************************************************************************* \n  //       </Prefilterring>\n  // ************************************************************************* \n  | extend\n      EventVendor = 'Microsoft'\n      , EventProduct = 'AAD Non Interactive'\n      , EventSchemaVersion='0.1.0'\n      , EventCount=int(1)\n      , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n      , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n      , EventStartTime = TimeGenerated\n      , EventEndTime= TimeGenerated\n      , EventType= 'Logon'\n      , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)\n      , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)\n      , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)\n      , Location = todynamic(LocationDetails)\n      , TargetAppId = ResourceIdentity \n      , TargetUserType='NonInteractive'\n      , TargetUsernameType='Upn'\n      , TargetUserIdType='AADID'\n      , TargetAppName=ResourceDisplayName\n  | extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n  | project-rename\n      EventOriginalUid =Id\n      , LogonMethod = AuthenticationRequirement\n      , HttpUserAgent=UserAgent\n      , TargetSessionId=CorrelationId\n      , TargetUserId = UserId\n      , TargetUsername=UserPrincipalName\n      , SrcDvcIpAddr=IPAddress\n      | lookup AADSTSErrorCodes on ResultType\n  | project-reorder\n      TimeGenerated\n      ,EventProduct\n      , EventOriginalUid\n      , EventResult\n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , LogonMethod \n      , TargetSessionId\n      , TargetUserId\n      , TargetUsername\n      , SrcDvcId\n      , SrcDvcHostname \n      , SrcDvcOs\n      , HttpUserAgent \n      , SrcGeoCountry\n      , SrcGeoCity\n      , TargetAppId\n      , TargetAppName\n      // ** Aliases\n      | extend \n        User=TargetUsername\n      , LogonTarget=ResourceIdentity\n      , Dvc=EventVendor};\nAADNIAuthentication(starttime, endtime, targetusername_has)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/README.md
@ -1,6 +1,6 @@
 # Azure active directory service principal signin logs ASIM Authentication Normalization Parser

-This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication schema parser for Azure active directory service principal signin logs. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationAADServicePrincipalSignInLogs%2FAuthenticationAADServicePrincipalSignInLogs.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADServicePrincipalSignInLogs%2FvimAuthenticationAADServicePrincipalSignInLogs.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationAADServicePrincipalSignInLogs",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Azure active directory service principal authentication",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationAADServicePrincipalSignInLogs",
+            "query": "let AADSvcPrincipal=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n  AADServicePrincipalSignInLogs\n  // ************************************************************************* \n  //       <Prefilterring>\n  // *************************************************************************\n  | where \n    (isnull(starttime)   or TimeGenerated >= starttime)\n    and (isnull(endtime)     or TimeGenerated <= starttime) \n    and (targetusername_has=='*' or (ServicePrincipalName =~ targetusername_has))\n  // ************************************************************************* \n  //       </Prefilterring>\n  // ************************************************************************* \n  | extend\n      EventVendor = 'Microsoft'\n      , EventProduct = 'AAD Service Principal'\n      , EventCount=int(1)\n      , EventSchemaVersion='0.1.0'\n      , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n      //, EventResultDetails= ResultType\n      , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n      , EventStartTime = TimeGenerated\n      , EventEndTime= TimeGenerated\n      , EventType= 'Logon'\n      , Location = todynamic(LocationDetails)\n      , TargetAppId = ResourceIdentity \n      , TargetAppName=ResourceDisplayName\n    , TargetUserType='ServicePrincipal'\n    , TargetUsername=ServicePrincipalName\n    , TargetUserId=ServicePrincipalId\n    , TargetUsernameType='Simple'\n    , TargetUserIdType='AADID'\n  | extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n  | project-rename\n      EventOriginalUid =Id\n      , TargetSessionId=CorrelationId\n      , SrcDvcIpAddr=IPAddress\n      | lookup AADSTSErrorCodes on ResultType\n  | project-reorder\n      TimeGenerated\n      ,EventProduct\n      , EventOriginalUid\n      , EventResult\n      //, EventResultDetails\n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , TargetSessionId\n      , SrcGeoCity\n      , SrcGeoCountry\n      , TargetAppId\n      // ** Aliases\n      | extend \n        User=TargetUsername\n    , LogonTarget=ResourceIdentity\n    , Dvc=EventVendor};\nAADSvcPrincipal(starttime, endtime, targetusername_has)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/README.md
@ -1,6 +1,6 @@
 # Azure SigninLogs ASIM Authentication Normalization Parser

-This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication schema parser for Azure SigninLogs. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationAADSigninLogs%2FAuthenticationAADSigninLogs.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAADSigninLogs%2FvimAuthenticationAADSigninLogs.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationSigninLogs",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Azure active directory authentication",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationSigninLogs",
+            "query": "let AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\nSigninLogs\n// ************************************************************************* \n//       <Prefilterring>\n// *************************************************************************\n| where \n  (isnull(starttime)   or TimeGenerated >= starttime) \n  and (isnull(endtime)     or TimeGenerated <= starttime) \n  and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))\n// ************************************************************************* \n//       </Prefilterring>\n// ************************************************************************* \n| extend\n  EventVendor = 'Microsoft'\n  , EventProduct = 'AAD Sign In Logs'\n  , EventCount=int(1)\n  , EventSchemaVersion='0.1.0'\n  , EventResult = iff (ResultType ==0, 'Success', 'Failure')\n  , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)\n  , EventStartTime = TimeGenerated\n  , EventEndTime= TimeGenerated\n  , EventType= 'Logon'\n  , SrcDvcId=tostring(DeviceDetail.deviceId)\n  , SrcDvcHostname =tostring(DeviceDetail.displayName)\n  , SrcDvcOs=tostring(DeviceDetail.operatingSystem)\n  // , SrcBrowser= tostring(DeviceDetail.browser)\n  , Location = todynamic(LocationDetails)\n  , TargetUsernameType='Upn'\n  , TargetUserIdType='AADID'\n  , SrcDvcIpAddr=IPAddress\n| extend\n      SrcGeoCity=tostring(Location.city)\n      , SrcGeoCountry=tostring(Location.countryOrRegion)\n      , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)\n      , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)\n | lookup AADSTSErrorCodes on ResultType\n | project-rename\n     EventOriginalUid =Id\n     , LogonMethod  = AuthenticationRequirement\n     , HttpUserAgent=UserAgent\n     , TargetSessionId=CorrelationId\n     , TargetUserId = UserId\n     , TargetUsername=UserPrincipalName\n     , TargetUserType=UserType\n     , TargetAppId = ResourceIdentity\n     , TargetAppName=ResourceDisplayName\n | project-reorder\n     TimeGenerated\n     ,EventProduct\n     , EventOriginalUid\n     , EventResult\n     , EventOriginalResultDetails\n     , EventStartTime\n     , EventEndTime\n     , LogonMethod \n     , TargetSessionId\n     , TargetUserId\n     , TargetUsername\n     , SrcDvcId\n     , SrcDvcHostname \n     , SrcDvcOs\n     , HttpUserAgent \n     , SrcGeoCity\n     , SrcGeoCountry\n     , TargetAppId\n     , TargetAppName\n     , SrcDvcIpAddr\n     // ** Aliases\n      | extend \n        User=TargetUsername\n      , LogonTarget=TargetAppName\n      , Dvc=EventVendor};\n     AADSigninLogs(starttime, endtime, targetusername_has)\n",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/README.md
@ -1,6 +1,6 @@
 # Amazon web services cloud trail ASIM Authentication Normalization Parser

-This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication schema parser for Amazon web services cloud trail. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationAWSCloudTrail%2FAuthenticationAWSCloudTrail.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationAWSCloudTrail%2FvimAuthenticationAWSCloudTrail.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationAWSCloudTrail",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM AWS authentication",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationAWSCloudTrail",
+            "query": "let AWSLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\nAWSCloudTrail\n// ************************************************************************* \n//       <Prefilterring>\n// *************************************************************************\n| where \n  (isnull(starttime)   or TimeGenerated >= starttime) \n  and (isnull(endtime)     or TimeGenerated <= starttime) \n  and (targetusername_has=='*' or (UserIdentityUserName has targetusername_has ))\n// ************************************************************************* \n//       </Prefilterring>\n// ************************************************************************* \n | where EventName == 'ConsoleLogin'\n | extend\n  EventVendor = 'AWS'\n  , EventProduct='AWSCloudTrail'\n  , EventCount=int(1)\n  , EventSchemaVersion='0.1.0'\n  , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')\n  , EventStartTime=TimeGenerated\n  , EventEndTime=TimeGenerated\n  , EventType='Logon'\n  , LogonMethod=iff(AdditionalEventData has '\"MFAUsed\": \"No\"', 'NoMFA', 'MFA')\n  , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)\n  , TargetUsernameType='Simple'\n  , TargetUserIdType='AWSId'\n  | project-rename\n    EventOriginalUid= AwsEventId\n  , EventOriginalResultDetails= ErrorMessage\n  , TargetUsername= UserIdentityUserName\n  , TargetUserType=UserIdentityType\n  , TargetUserId=UserIdentityAccountId \n  , SrcDvcIpAddr=SourceIpAddress\n  , HttpUserAgent=UserAgent\n// **** Aliases\n| extend\n       User=TargetUsername\n      , LogonTarget=tostring(split(TargetUrl,'?')[0])\n      , Dvc=EventVendor\n  };\n  AWSLogon(starttime, endtime, targetusername_has)\n",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/README.md
@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationEmpty%2FAuthenticationEmpty.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationEmpty%2FvimAuthenticationEmpty.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationEmpty/vimAuthenticationEmpty.json
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365D/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365D/README.md
@ -0,0 +1,15 @@
+# M365 Defender ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for M365 Defender. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationM365D%2FvimAuthenticationM365D.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationM365D/vimAuthenticationM365D.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationM365D/vimAuthenticationM365D.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationM365Defender",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationM365Defender",
+            "query": "let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[\n  'InvalidUserNameOrPassword','No such user or password'\n  ];\nlet AuthM365D=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n  DeviceLogonEvents \n// ************************************************************************* \n//       <Prefilterring>\n// *************************************************************************\n| where \n  (isnull(starttime)   or TimeGenerated >= starttime) \n  and (isnull(endtime)     or TimeGenerated <= starttime) \n  and (targetusername_has=='*' or (AccountName has targetusername_has))\n// ************************************************************************* \n//       </Prefilterring>\n// ************************************************************************* \n  //\n  | project-rename \n     EventOriginalResultDetails=FailureReason \n  | extend \n  // ----  Event\n      EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)\n     , EventCount=int(1)\n     , EventStartTime=TimeGenerated\n     , EventEndTime=TimeGenerated\n     , EventOriginalType = LogonType\n     , EventProduct='M365 Defender for EndPoint'\n     ,  EventResult = case(ActionType =='LogonSuccess', 'Success'\n                          , ActionType=='LogonFailed', 'Failure'\n                          , ActionType=='LogonAttempted', 'NA'\n                          , 'NA')\n    , EventSchemaVersion='0.1.0'\n    , EventType='Logon'\n    , EventVendor ='Microsoft'\n   //  ----   Target and Actor Users\n   | project-rename \n       TargetUserId=AccountSid\n     , ActorUserId =InitiatingProcessAccountSid\n     , ActorUserUpn=InitiatingProcessAccountUpn\n     , ActorUserObjectId=InitiatingProcessAccountObjectId\n    | extend \n       TargetUserIdType ='SID'\n     , TargetUsername = strcat(AccountDomain,'\\\\',AccountName)\n     , TargetUsernameType='Windows'\n     , ActorUserIdType='SID'\n     , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName\n     , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'\n                              , isnotempty(InitiatingProcessAccountDomain), 'Windows'\n                              , 'Simple')\n     , TargetDvcHostname=tostring(split(DeviceName,'.')[0])\n     , TargetDvcFQDN=DeviceName\n    | project-rename \n      LogonProtocol=Protocol\n    , TargetDvcId=DeviceId\n    , SrcDvcIpAddr=RemoteIP\n    , OriginalEventUid=ReportId\n    , SrcDvcHostname=RemoteDeviceName \n  //\n  , ActingProcessCommandLine = InitiatingProcessCommandLine\n  , ActingProcessCreationTime=InitiatingProcessCreationTime\n  , ActingProcessPath=InitiatingProcessFolderPath\n  , ActingProcessId=InitiatingProcessId\n  , ActingProcessMD5=InitiatingProcessMD5\n  , ActingProcessSHA1=InitiatingProcessSHA1\n  , ActingProcessSHA256= InitiatingProcessSHA256\n  , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel\n  , ActingProcessTokenElevation=InitiatingProcessTokenElevation\n  , ParentProcessName=InitiatingProcessParentFileName\n  , ParentProcessId=InitiatingProcessParentId\n  , ParentProcessCreationTime=InitiatingProcessParentCreationTime\n    | extend \n        ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName\n                          , ActingProcessPath\n                          , strcat(ActingProcessPath,'\\\\',InitiatingProcessFileName))\n    ,  TargetDvcHostnameType='FQDN'\n    , TargetDvcIdType='MDE'\n    , TargetPortNumber=RemotePort\n    , TargetSessionId = tostring(LogonId)\n    | lookup FaliureReason on EventOriginalResultDetails \n  // TargetUrl \n  // -----------  Alias\n    | extend \n      User=TargetUsername \n      , LogonTarget=TargetDvcHostname\n      , Dvc=TargetDvcHostname\n      };AuthM365D(starttime, endtime, targetusername_has)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/README.md
@ -0,0 +1,15 @@
+# Microsoft Defender for IoT - Endpoint ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftMD4IoT%2FvimAuthenticationMicrosoftMD4IoT.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationMD4IoT",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationMD4IoT",
+            "query": "let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\")\n  {\n    SecurityIoTRawEvent \n    | where RawEventName == \"Login\"\n  // ************************************************************************* \n  //       <Prefilterring>\n  // *************************************************************************\n  | where \n    (isnull(starttime)   or TimeGenerated >= starttime) \n    and (isnull(endtime)     or TimeGenerated <= starttime)\n    and (targetusername_has=='*' or EventDetails has targetusername_has)\n  // ************************************************************************* \n  //       </Prefilterring>\n  // ************************************************************************* \n    | extend\n      EventDetails = todynamic(EventDetails)\n      //\n    | extend\n      EventOriginalUid = tostring(EventDetails.OriginalEventId), \n      EventProduct = 'Azure Defender for IoT',\n      EventCount=int(1),\n      EventVendor = 'Microsoft', \n      EventSchemaVersion = '0.1.0', \n      EventStartTime = todatetime(EventDetails.TimestampUTC), \n      EventEndTime = todatetime(TimeGenerated), \n      EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'),  \n      EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success')  \n      //\n    | extend\n      ActingProcessId = tostring(EventDetails.ProcessId),  \n      ActingProcessName = tostring(EventDetails.Executable),  // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty \n      DvcOs = iif (EventDetails.MessageSource == \"Linux\", \"Linux\", \"Windows\"),  // -- Intermediate fix\n      TargetUsernameType = \"Simple\",\n      TargetUsername = tostring(EventDetails.UserName),\n      // ************************************************************************* \n      //       <Postfilterring>\n      // *************************************************************************\n      | where \n          (targetusername_has=='*' or TargetUsername has targetusername_has)\n      // ************************************************************************* \n      //       <Postfilterring>\n      // *************************************************************************\n      SrcIpAddr = tostring(EventDetails.RemoteAddress) \n    | project-rename\n      DvcHostname = DeviceId, \n      EventProductVersion = AgentVersion,  // -- Not available in Windows\n      _ResourceId = AssociatedResourceId, \n      _SubscriptionId = AzureSubscriptionId \n      //\n      // -- aliases\n    | extend \n      User = TargetUsername, \n      Process = ActingProcessName, \n      Dvc = DvcHostname,\n      SrcDvcIpAddr = SrcIpAddr,\n      IpAddr = SrcIpAddr\n    };\n    Authentication_MD4IoT(starttime, endtime, targetusername_has)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/README.md
@ -0,0 +1,15 @@
+# Microsoft Windows Events ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Microsoft Windows Events. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationMicrosoftWindowsEvent%2FvimAuthenticationMicrosoftWindowsEvent.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/README.md
@ -1,6 +1,6 @@
 # Okta identity management ASIM Authentication Normalization Parser

-This template deploys the ASIM Authentication schema parser for Okta identity management. The parser is a part of the Azure Sentinel Information Mode.
+This template deploys the ASIM Authentication schema parser for Okta identity management. The parser is a part of the Azure Sentinel Information Model.

 The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.

@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationOktaOSS%2FAuthenticationOktaOSS.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationOktaOSS%2FvimAuthenticationOktaOSS.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationOktaSSO",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Okta identity management authentication parser",
+            "category": "Security",
+            "FunctionAlias": "vimAuthenticationOktaSSO",
+            "query": "let OktaSignin=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string=\"*\"){\n  let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);\n  let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);\n  let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);\n  // https://developer.okta.com/docs/reference/api/event-types/#catalog\n  Okta_CL\n  // ************************************************************************* \n  //       <Prefilterring>\n  // *************************************************************************\n  | where \n    (isnull(starttime)   or TimeGenerated >= starttime) \n    and (isnull(endtime)     or TimeGenerated <= starttime)\n    and (targetusername_has=='*' or (actor_alternateId_s has targetusername_has))\n  // ************************************************************************* \n  //       </Prefilterring>\n  // ************************************************************************* \n  | where eventType_s in (OktaSigninEvents)\n  | extend \n      EventProduct='Okta'\n      , EventVendor='Okta'\n      , EventCount=int(1)\n      , EventSchemaVersion='0.1.0'\n      , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')\n      , EventStartTime=TimeGenerated\n      , EventEndTime=TimeGenerated\n      , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')\n      , EventSubType=legacyEventType_s\n      , TargetUserIdType='OktaId'\n      , TargetUsernameType='Upn'\n      , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)\n      , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)\n      , ActingAppType = \"Browser\"\n  | project-rename \n      EventMessage=displayMessage_s\n      ,EventOriginalResultDetails=outcome_reason_s\n      , LogonMethod = authenticationContext_credentialType_s\n      , TargetSessionId=authenticationContext_externalSessionId_s\n      , TargetUserId= actor_id_s\n      , TargetUsername=actor_alternateId_s\n      , TargetUserType=actor_type_s\n      , SrcDvcOs=client_userAgent_os_s\n      , HttpUserAgent=client_userAgent_rawUserAgent_s\n      , ActingAppName = client_userAgent_browser_s\n      , SrcIsp=securityContext_isp_s\n      , SrcGeoCity=client_geographicalContext_city_s\n      , SrcGeoCountry=client_geographicalContext_country_s\n      , EventOriginalUid = uuid_g_g\n  | project-reorder\n      EventProduct\n      , EventOriginalUid\n      , TimeGenerated\n      , EventMessage\n      , EventResult\n      , EventOriginalResultDetails\n      , EventStartTime\n      , EventEndTime\n      , EventType\n      , EventSubType\n      , LogonMethod\n      , TargetSessionId\n      , TargetUserId\n      , TargetUsername\n      , TargetUserType\n      , SrcDvcOs\n      , HttpUserAgent\n      , SrcIsp\n      , SrcGeoCity\n      , SrcGeoCountry\n      , SrcGeoLongitude\n      , SrcGeoLatitude\n      // ** Aliases\n      | extend \n        User=TargetUsername\n        , Dvc=EventVendor\n  };\nOktaSignin(starttime, endtime, targetusername_has)\n",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string='*'"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationWindowsSecurityEvent/README.md
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationWindowsSecurityEvent/README.md
@ -0,0 +1,15 @@
+# Microsoft Security Events ASIM Authentication Normalization Parser
+
+This template deploys the ASIM Authentication schema parser for Microsoft Security Events. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Authentication normalization schema reference](https://aka.ms/AzSentinelAuthenticationDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationWindowsSecurityEvent%2FvimAuthenticationWindowsSecurityEvent.json)
--- a/Parsers/ASimAuthentication/ARM/vimAuthenticationWindowsSecurityEvent/vimAuthenticationWindowsSecurityEvent.json
+++ b/Parsers/ASimAuthentication/ARM/vimAuthenticationWindowsSecurityEvent/vimAuthenticationWindowsSecurityEvent.json
--- a/Parsers/ASimAuthentication/FullDeploymentAuthentication.json
+++ b/Parsers/ASimAuthentication/FullDeploymentAuthentication.json
@ -0,0 +1,476 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "variables": {},
+  "resources": [
+    {
+        "type": "Microsoft.Resources/deployments",
+        "apiVersion": "2020-10-01",
+        "name": "linkedAADSTSErrCodes",
+        "properties": {
+            "mode": "Incremental",
+            "templateLink": {
+                "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/AADSTSErrorCodes/AADSTSErrorCodes.json",
+                "contentVersion": "1.0.0.0"
+            },
+            "parameters": {
+                "workspaceName": {
+                    "value": "[parameters('workspaceName')]"
+                },
+                "location": {
+                    "value": "[parameters('location')]"
+                }
+            }
+        }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationAADManagedIdentity",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADManagedIdentity/ASimAuthenticationAADManagedIdentity.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationAADNonInteractive",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADNonInteractive/ASimAuthenticationAADNonInteractive.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationAADServicePrincipalSignInLogs",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADServicePrincipalSignInLogs/ASimAuthenticationAADServicePrincipalSignInLogs.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationAADSigninLogs",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationAWSCloudTrail",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationAWSCloudTrail/ASimAuthenticationAWSCloudTrail.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationGeneric",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationM365D",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationM365D/ASimAuthenticationM365D.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationMicrosoftMD4IoT",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftMD4IoT/ASimAuthenticationMicrosoftMD4IoT.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationMicrosoftWindowsEvent",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationMicrosoftWindowsEvent/ASimAuthenticationMicrosoftWindowsEvent.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationOktaOSS",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationOktaOSS/ASimAuthenticationOktaOSS.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedAuthenticationWindowsSecurityEvent",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationWindowsSecurityEvent/ASimAuthenticationWindowsSecurityEvent.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedimAuthenticationGeneric",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/imAuthentication/imAuthentication.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationAADManagedIdentity",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADManagedIdentity/vimAuthenticationAADManagedIdentity.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationAADNonInteractive",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADNonInteractive/vimAuthenticationAADNonInteractive.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationAADServicePrincipalSignInLogs",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADServicePrincipalSignInLogs/vimAuthenticationAADServicePrincipalSignInLogs.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationAADSigninLogs",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAADSigninLogs/vimAuthenticationAADSigninLogs.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationAWSCloudTrail",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationAWSCloudTrail/vimAuthenticationAWSCloudTrail.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationM365D",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationM365D/vimAuthenticationM365D.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationMicrosoftMD4IoT",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftMD4IoT/vimAuthenticationMicrosoftMD4IoT.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationMicrosoftWindowsEvent",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationMicrosoftWindowsEvent/vimAuthenticationMicrosoftWindowsEvent.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationOktaOSS",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationOktaOSS/vimAuthenticationOktaOSS.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationWindowsSecurityEvent",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationWindowsSecurityEvent/vimAuthenticationWindowsSecurityEvent.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    }
+  ],
+  "outputs": {}
+}
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthentication.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthentication.yaml
@ -14,7 +14,7 @@ References:
  Link: https:/aka.ms/AzSentinelNormalization
 Description: |
      This Query creates an empty table of the authentication schema.
-ParserName: imAuthentication
+ParserName: ASimAuthentication
 ParserQuery: |
  union isfuzzy=true
  vimAuthenticationEmpty
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADManagedIdentity.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADManagedIdentity.yaml
@ -14,7 +14,7 @@ References:
  Link: https:/aka.ms/AzSentinelNormalization
 Description: |
  This Query Parser maps Azure Active Directory Managed Identity sign in logs (AADManagedIdentitySignInLogs) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationAADManagedIdentitySignInLogs
+ParserName: ASimAuthenticationAADManagedIdentitySignInLogs
 ParserQuery: |
  let AADMIAuthentication=(){
    AADManagedIdentitySignInLogs
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADNonInteractive.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADNonInteractive.yaml
@ -14,7 +14,7 @@ References:
  Link: https://aka.ms/AzSentinelAuthenticationDoc
 Description: |
    This Query Parser maps Azure Active Directory Non Interactive sign in logs (AADNonInteractiveUserSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationAADNonInteractiveUserSignInLogs
+ParserName: ASimAuthenticationAADNonInteractiveUserSignInLogs
 ParserQuery: |
  let AADNIAuthentication=(){
    AADNonInteractiveUserSignInLogs
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADServicePrincipalSignInLogs.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADServicePrincipalSignInLogs.yaml
@ -14,7 +14,7 @@ References:
  Link: https://aka.ms/AzSentinelAuthenticationDoc
 Description: |
  This Query Parser maps Azure Active Directory Service Principal sign in logs (AADServicePrincipalSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationAADServicePrincipalSignInLogs
+ParserName: ASimAuthenticationAADServicePrincipalSignInLogs
 ParserQuery: |
  let AADSvcPrincipal=(){
    AADServicePrincipalSignInLogs
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADSigninLogs.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAADSigninLogs.yaml
@ -14,7 +14,7 @@ References:
  Link: https://aka.ms/AzSentinelAuthenticationDoc
 Description: |
  This Query Parser maps Azure Active Directory Signin logs (SigninLogs) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationSigninLogs
+ParserName: ASimAuthenticationSigninLogs
 ParserQuery: |
  let AADSigninLogs=(){
  SigninLogs
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAWSCloudTrail.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationAWSCloudTrail.yaml
@ -14,7 +14,7 @@ References:
  Link: https:/aka.ms/AzSentinelNormalization
 Description: |
      This Query Parser maps Amazon Web Service sign in logs (AWSCloudTrail) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationAWSCloudTrail
+ParserName: ASimAuthenticationAWSCloudTrail
 ParserQuery: |
  let AWSLogon=(){
  AWSCloudTrail
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationM365D.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationM365D.yaml
@ -14,7 +14,7 @@ References:
  Link: https:/aka.ms/AzSentinelNormalization
 Description: |
      This Query Parser maps M365 Defender Device Logon Events (DeviceLogonEvents) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationM365Defender
+ParserName: ASimAuthenticationM365Defender
 ParserQuery: |
  let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[
    'InvalidUserNameOrPassword','No such user or password'
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationMicrosoftMD4IoT.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationMicrosoftMD4IoT.yaml
@ -13,7 +13,7 @@ References:
 - Title: ASIM
  Link: https:/aka.ms/AzSentinelNormalization
 Description: ASIM Azure Defender for IoT Authentication Parser
-ParserName: vimAuthenticationMD4IoT
+ParserName: ASimAuthenticationMD4IoT
 ParserQuery: |
            let Authentication_MD4IoT=()
              {
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationMicrosoftWindowsEvent.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationMicrosoftWindowsEvent.yaml
@ -14,7 +14,7 @@ References:
  Link: https:/aka.ms/AzSentinelNormalization
 Description: |
      This Query Parser maps Windows sign in logs (WindowsEvent) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationMicrosoftWindowsEvent
+ParserName: ASimAuthenticationMicrosoftWindowsEvent
 ParserQuery: |  
                  let LogonEvents=dynamic([4624,4625]);
                  let LogoffEvents=dynamic([4634,4647]);
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationOktaOSS.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationOktaOSS.yaml
@ -14,7 +14,7 @@ References:
  Link: https:/aka.ms/AzSentinelNormalization
 Description: |
      This Query Parser maps Okta sign in logs (Okta_CL) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationOktaSSO
+ParserName: ASimAuthenticationOktaSSO
 ParserQuery: |
  let OktaSignin=(){
    let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);
@ -22,36 +22,36 @@ ParserQuery: |
    let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);
    // https://developer.okta.com/docs/reference/api/event-types/#catalog
    Okta_CL
-    | where eventType_s_s in (OktaSigninEvents)
+    | where eventType_s in (OktaSigninEvents)
    | extend 
        EventProduct='Okta'
        , EventVendor='Okta'
        , EventCount=int(1)
        , EventSchemaVersion='0.1.0'
-        , EventResult = case (outcome_result_s_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s_s in (OktaFailedOutcome),'Failure', 'Partial')
+        , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')
        , EventStartTime=TimeGenerated
        , EventEndTime=TimeGenerated
-        , EventType=iff(eventType_s_s hassuffix 'start', 'Logon', 'Logoff')
-        , EventSubType=legacyEventType_s_s
+        , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')
+        , EventSubType=legacyEventType_s
        , TargetUserIdType='OktaId'
        , TargetUsernameType='Upn'
-        , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d_s)
-        , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d_s)
+        , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)
+        , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)
        , ActingAppType = "Browser"
    | project-rename 
-        EventMessage=displayMessage_s_s
-        ,EventOriginalResultDetails=outcome_reason_s_s
-        , LogonMethod = authenticationContext_credentialType_s_s
-        , TargetSessionId=authenticationContext_externalSessionId_s_s
-        , TargetUserId= actor_id_s_s
-        , TargetUsername=actor_alternateId_s_s
-        , TargetUserType=actor_type_s_s
-        , SrcDvcOs=client_userAgent_os_s_s
-        , HttpUserAgent=client_userAgent_rawUserAgent_s_s
-        , ActingAppName = client_userAgent_browser_s_s
-        , SrcIsp=securityContext_isp_s_s
-        , SrcGeoCity=client_geographicalContext_city_s_s
-        , SrcGeoCountry=client_geographicalContext_country_s_s
+        EventMessage=displayMessage_s
+        ,EventOriginalResultDetails=outcome_reason_s
+        , LogonMethod = authenticationContext_credentialType_s
+        , TargetSessionId=authenticationContext_externalSessionId_s
+        , TargetUserId= actor_id_s
+        , TargetUsername=actor_alternateId_s
+        , TargetUserType=actor_type_s
+        , SrcDvcOs=client_userAgent_os_s
+        , HttpUserAgent=client_userAgent_rawUserAgent_s
+        , ActingAppName = client_userAgent_browser_s
+        , SrcIsp=securityContext_isp_s
+        , SrcGeoCity=client_geographicalContext_city_s
+        , SrcGeoCountry=client_geographicalContext_country_s
        , EventOriginalUid = uuid_g_g
    | project-reorder
        EventProduct
--- a/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationWindowsSecurityEvent.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/ASimAuthenticationWindowsSecurityEvent.yaml
@ -14,7 +14,7 @@ References:
  Link: https:/aka.ms/AzSentinelNormalization
 Description: |
      This Query Parser maps Windows Active Directory sign in logs (SecurityEvent) to the Azure Sentinel Information Model authenticaion schema.
-ParserName: vimAuthenticationWindowsSecurityEvent
+ParserName: ASimAuthenticationWindowsSecurityEvent
 ParserQuery: |
  let LogonEvents=dynamic([4624,4625]);
  let LogoffEvents=dynamic([4634,4647]);
--- a/Parsers/ASimAuthentication/ProductParsers/imAuthentication.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/imAuthentication.yaml
@ -0,0 +1,43 @@
+Parser:
+  Title: ASIM Source Agnostic Authentication Parser
+  Version: '0.0'
+  LastUpdated: June 9, 2021
+Product:
+  Name: Microsoft Windows Events
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: |
+      This Query creates an empty table of the authentication schema.
+ParserName: imAuthentication
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let imAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+  union isfuzzy=true
+  vimAuthenticationEmpty
+    , vimAuthenticationAADManagedIdentitySignInLogs(starttime, endtime, targetusername_has)
+    , vimAuthenticationAADNonInteractiveUserSignInLogs(starttime, endtime, targetusername_has)
+    , vimAuthenticationAADServicePrincipalSignInLogs(starttime, endtime, targetusername_has)
+    , vimAuthenticationSigninLogs(starttime, endtime, targetusername_has)
+    , vimAuthenticationAWSCloudTrail(starttime, endtime, targetusername_has)
+    , vimAuthenticationOktaSSO(starttime, endtime, targetusername_has)
+    , vimAuthenticationWindowsSecurityEvent(starttime, endtime, targetusername_has)
+    , vimAuthenticationM365Defender(starttime, endtime, targetusername_has)
+    , vimAuthenticationMicrosoftWindowsEvent(starttime, endtime, targetusername_has)
+    , vimAuthenticationMD4IoT(starttime, endtime, targetusername_has)
+    };
+    imAuthentication(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADManagedIdentity.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADManagedIdentity.yaml
@ -0,0 +1,90 @@
+Parser:
+  Title: Azure active directory managed identity authentication
+  Version: '0.1.0'
+  LastUpdated: June 17, 2021
+Product:
+  Name: Azure active directory managed identity signin logs
+Normalization:
+  Schema: Authentication
+  Version: 0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: |
+  This Query Parser maps Azure Active Directory Managed Identity sign in logs (AADManagedIdentitySignInLogs) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationAADManagedIdentitySignInLogs
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let AADMIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+    AADManagedIdentitySignInLogs
+    // ************************************************************************* 
+    //       <Prefilterring>
+    // *************************************************************************
+    | where 
+      (isnull(starttime)   or TimeGenerated >= starttime) 
+      and (isnull(endtime)     or TimeGenerated <= starttime)
+      and (targetusername_has=='*' or (ServicePrincipalName has targetusername_has))
+    // ************************************************************************* 
+    //       </Prefilterring>
+    // ************************************************************************* 
+    | extend
+        EventVendor = 'Microsoft'
+        , EventProduct = 'AAD Managed Identity'
+        , EventCount=int(1)
+        , EventSchemaVersion='0.1.0'
+        , EventResult = iff (ResultType ==0, 'Success', 'Failure')
+        //, EventOriginalResultDetails = ResultType
+        , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
+        , EventStartTime = TimeGenerated
+        , EventEndTime= TimeGenerated
+        , EventType= 'Logon'
+        , Location = todynamic(LocationDetails)
+        , TargetAppId = ResourceIdentity 
+        , TargetAppName=ResourceDisplayName
+        , TargetUserType='ServicePrincipal'
+        , TargetUsername=ServicePrincipalName
+        , TargetUserId=ServicePrincipalId
+        , TargetUsernameType='Simple'
+        , TargetUserIdType='AADID'
+    | extend
+        SrcGeoCity=tostring(Location.city)
+        , SrcGeoCountry=tostring(Location.countryOrRegion)
+        , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
+        , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
+    | project-rename
+        EventOriginalUid = Id
+        , TargetSessionId = CorrelationId
+        , SrcDvcIpAddr = IPAddress
+    | project-reorder
+        TimeGenerated
+        ,EventProduct
+        , EventOriginalUid
+        , EventResult
+        //, EventOriginalResultDetails 
+        , EventOriginalResultDetails
+        , EventStartTime
+        , EventEndTime
+        , TargetSessionId
+        , SrcGeoCountry
+        , SrcGeoCity
+        , TargetAppName
+        , TargetAppId
+        | lookup AADSTSErrorCodes on ResultType
+        // ** Aliases
+        | extend 
+          User=TargetUsername
+        , LogonTarget=ResourceIdentity
+        , Dvc=EventVendor
+        };
+  AADMIAuthentication(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADNonInteractive.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADNonInteractive.yaml
@ -0,0 +1,99 @@
+Parser:
+  Title: Azure active directory non interactive authentication
+  Version: '0.0'
+  LastUpdated: June 3, 2021
+Product:
+  Name: Azure active directory nonInteractive signin logs
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: Using functions
+  Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
+- Title: Authentication schema documentation
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+Description: |
+    This Query Parser maps Azure Active Directory Non Interactive sign in logs (AADNonInteractiveUserSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationAADNonInteractiveUserSignInLogs
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let AADNIAuthentication=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+    AADNonInteractiveUserSignInLogs
+    // ************************************************************************* 
+    //       <Prefilterring>
+    // *************************************************************************
+    | where 
+      (isnull(starttime)   or TimeGenerated >= starttime) 
+      and (isnull(endtime)     or TimeGenerated <= starttime)
+      and (targetusername_has=='*' or (UserPrincipalName  has targetusername_has ))
+    // ************************************************************************* 
+    //       </Prefilterring>
+    // ************************************************************************* 
+    | extend
+        EventVendor = 'Microsoft'
+        , EventProduct = 'AAD Non Interactive'
+        , EventSchemaVersion='0.1.0'
+        , EventCount=int(1)
+        , EventResult = iff (ResultType ==0, 'Success', 'Failure')
+        , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
+        , EventStartTime = TimeGenerated
+        , EventEndTime= TimeGenerated
+        , EventType= 'Logon'
+        , SrcDvcId=tostring(todynamic(DeviceDetail).deviceId)
+        , SrcDvcHostname =tostring(todynamic(DeviceDetail).displayName)
+        , SrcDvcOs=tostring(todynamic(DeviceDetail).operatingSystem)
+        , Location = todynamic(LocationDetails)
+        , TargetAppId = ResourceIdentity 
+        , TargetUserType='NonInteractive'
+        , TargetUsernameType='Upn'
+        , TargetUserIdType='AADID'
+        , TargetAppName=ResourceDisplayName
+    | extend
+        SrcGeoCity=tostring(Location.city)
+        , SrcGeoCountry=tostring(Location.countryOrRegion)
+        , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
+        , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
+    | project-rename
+        EventOriginalUid =Id
+        , LogonMethod = AuthenticationRequirement
+        , HttpUserAgent=UserAgent
+        , TargetSessionId=CorrelationId
+        , TargetUserId = UserId
+        , TargetUsername=UserPrincipalName
+        , SrcDvcIpAddr=IPAddress
+        | lookup AADSTSErrorCodes on ResultType
+    | project-reorder
+        TimeGenerated
+        ,EventProduct
+        , EventOriginalUid
+        , EventResult
+        , EventOriginalResultDetails
+        , EventStartTime
+        , EventEndTime
+        , LogonMethod 
+        , TargetSessionId
+        , TargetUserId
+        , TargetUsername
+        , SrcDvcId
+        , SrcDvcHostname 
+        , SrcDvcOs
+        , HttpUserAgent 
+        , SrcGeoCountry
+        , SrcGeoCity
+        , TargetAppId
+        , TargetAppName
+        // ** Aliases
+        | extend 
+          User=TargetUsername
+        , LogonTarget=ResourceIdentity
+        , Dvc=EventVendor};
+  AADNIAuthentication(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADServicePrincipalSignInLogs.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADServicePrincipalSignInLogs.yaml
@ -0,0 +1,88 @@
+Parser:
+  Title: Azure active directory service principal authentication
+  Version: '0.0'
+  LastUpdated: June 3, 2021
+Product:
+  Name: Azure active directory service principal signin logs
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: Using functions
+  Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
+- Title: Authentication schema documentation
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+Description: |
+  This Query Parser maps Azure Active Directory Service Principal sign in logs (AADServicePrincipalSignInLogs) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationAADServicePrincipalSignInLogs
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let AADSvcPrincipal=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+    AADServicePrincipalSignInLogs
+    // ************************************************************************* 
+    //       <Prefilterring>
+    // *************************************************************************
+    | where 
+      (isnull(starttime)   or TimeGenerated >= starttime)
+      and (isnull(endtime)     or TimeGenerated <= starttime) 
+      and (targetusername_has=='*' or (ServicePrincipalName =~ targetusername_has))
+    // ************************************************************************* 
+    //       </Prefilterring>
+    // ************************************************************************* 
+    | extend
+        EventVendor = 'Microsoft'
+        , EventProduct = 'AAD Service Principal'
+        , EventCount=int(1)
+        , EventSchemaVersion='0.1.0'
+        , EventResult = iff (ResultType ==0, 'Success', 'Failure')
+        //, EventResultDetails= ResultType
+        , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
+        , EventStartTime = TimeGenerated
+        , EventEndTime= TimeGenerated
+        , EventType= 'Logon'
+        , Location = todynamic(LocationDetails)
+        , TargetAppId = ResourceIdentity 
+        , TargetAppName=ResourceDisplayName
+      , TargetUserType='ServicePrincipal'
+      , TargetUsername=ServicePrincipalName
+      , TargetUserId=ServicePrincipalId
+      , TargetUsernameType='Simple'
+      , TargetUserIdType='AADID'
+    | extend
+        SrcGeoCity=tostring(Location.city)
+        , SrcGeoCountry=tostring(Location.countryOrRegion)
+        , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
+        , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
+    | project-rename
+        EventOriginalUid =Id
+        , TargetSessionId=CorrelationId
+        , SrcDvcIpAddr=IPAddress
+        | lookup AADSTSErrorCodes on ResultType
+    | project-reorder
+        TimeGenerated
+        ,EventProduct
+        , EventOriginalUid
+        , EventResult
+        //, EventResultDetails
+        , EventOriginalResultDetails
+        , EventStartTime
+        , EventEndTime
+        , TargetSessionId
+        , SrcGeoCity
+        , SrcGeoCountry
+        , TargetAppId
+        // ** Aliases
+        | extend 
+          User=TargetUsername
+      , LogonTarget=ResourceIdentity
+      , Dvc=EventVendor};
+  AADSvcPrincipal(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADSigninLogs.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAADSigninLogs.yaml
@ -0,0 +1,101 @@
+Parser:
+  Title: Azure active directory authentication
+  Version: '0.0'
+  LastUpdated: June 3, 2021
+Product:
+  Name: Azure SigninLogs
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: Using functions
+  Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
+- Title: Authentication schema documentation
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+Description: |
+  This Query Parser maps Azure Active Directory Signin logs (SigninLogs) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationSigninLogs
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let AADSigninLogs=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+  SigninLogs
+  // ************************************************************************* 
+  //       <Prefilterring>
+  // *************************************************************************
+  | where 
+    (isnull(starttime)   or TimeGenerated >= starttime) 
+    and (isnull(endtime)     or TimeGenerated <= starttime) 
+    and (targetusername_has=='*' or (UserPrincipalName has targetusername_has ))
+  // ************************************************************************* 
+  //       </Prefilterring>
+  // ************************************************************************* 
+  | extend
+    EventVendor = 'Microsoft'
+    , EventProduct = 'AAD Sign In Logs'
+    , EventCount=int(1)
+    , EventSchemaVersion='0.1.0'
+    , EventResult = iff (ResultType ==0, 'Success', 'Failure')
+    , EventOriginalResultDetails = coalesce(ResultDescription, ResultType)
+    , EventStartTime = TimeGenerated
+    , EventEndTime= TimeGenerated
+    , EventType= 'Logon'
+    , SrcDvcId=tostring(DeviceDetail.deviceId)
+    , SrcDvcHostname =tostring(DeviceDetail.displayName)
+    , SrcDvcOs=tostring(DeviceDetail.operatingSystem)
+    // , SrcBrowser= tostring(DeviceDetail.browser)
+    , Location = todynamic(LocationDetails)
+    , TargetUsernameType='Upn'
+    , TargetUserIdType='AADID'
+    , SrcDvcIpAddr=IPAddress
+  | extend
+        SrcGeoCity=tostring(Location.city)
+        , SrcGeoCountry=tostring(Location.countryOrRegion)
+        , SrcGeoLatitude=toreal(Location.geoCoordinates.latitude)
+        , SrcGeoLongitude=toreal(Location.geoCoordinates.longitude)
+   | lookup AADSTSErrorCodes on ResultType
+   | project-rename
+       EventOriginalUid =Id
+       , LogonMethod  = AuthenticationRequirement
+       , HttpUserAgent=UserAgent
+       , TargetSessionId=CorrelationId
+       , TargetUserId = UserId
+       , TargetUsername=UserPrincipalName
+       , TargetUserType=UserType
+       , TargetAppId = ResourceIdentity
+       , TargetAppName=ResourceDisplayName
+   | project-reorder
+       TimeGenerated
+       ,EventProduct
+       , EventOriginalUid
+       , EventResult
+       , EventOriginalResultDetails
+       , EventStartTime
+       , EventEndTime
+       , LogonMethod 
+       , TargetSessionId
+       , TargetUserId
+       , TargetUsername
+       , SrcDvcId
+       , SrcDvcHostname 
+       , SrcDvcOs
+       , HttpUserAgent 
+       , SrcGeoCity
+       , SrcGeoCountry
+       , TargetAppId
+       , TargetAppName
+       , SrcDvcIpAddr
+       // ** Aliases
+        | extend 
+          User=TargetUsername
+        , LogonTarget=TargetAppName
+        , Dvc=EventVendor};
+       AADSigninLogs(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAWSCloudTrail.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationAWSCloudTrail.yaml
@ -0,0 +1,69 @@
+Parser:
+  Title: ASIM AWS authentication
+  Version: '0.1.0'
+  LastUpdated: June 17, 2021
+Product:
+  Name: Amazon web services cloud trail
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: |
+      This Query Parser maps Amazon Web Service sign in logs (AWSCloudTrail) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationAWSCloudTrail
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let AWSLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+  AWSCloudTrail
+  // ************************************************************************* 
+  //       <Prefilterring>
+  // *************************************************************************
+  | where 
+    (isnull(starttime)   or TimeGenerated >= starttime) 
+    and (isnull(endtime)     or TimeGenerated <= starttime) 
+    and (targetusername_has=='*' or (UserIdentityPrincipalid has targetusername_has ))
+  // ************************************************************************* 
+  //       </Prefilterring>
+  // ************************************************************************* 
+   | where EventName == 'ConsoleLogin'
+   | extend
+    EventVendor = 'AWS'
+    , EventProduct='AWSCloudTrail'
+    , EventCount=int(1)
+    , EventSchemaVersion='0.1.0'
+    , EventResult= iff (ResponseElements has_cs 'Success', 'Success', 'Failure')
+    , EventStartTime=TimeGenerated
+    , EventEndTime=TimeGenerated
+    , EventType='Logon'
+    , LogonMethod=iff(AdditionalEventData has '"MFAUsed": "No"', 'NoMFA', 'MFA')
+    , TargetUrl =tostring(todynamic(AdditionalEventData).LoginTo)
+    , TargetUsernameType='Simple'
+    , TargetUserIdType='AWSId'
+    , TargetUsername= tostring(split(UserIdentityPrincipalid,':',1))
+    | project-rename
+      EventOriginalUid= AwsEventId
+    , EventOriginalResultDetails= ErrorMessage
+    , TargetUserType=UserIdentityType
+    , TargetUserId=UserIdentityAccountId 
+    , SrcDvcIpAddr=SourceIpAddress
+    , HttpUserAgent=UserAgent
+  // **** Aliases
+  | extend
+         User=TargetUsername
+        , LogonTarget=tostring(split(TargetUrl,'?')[0])
+        , Dvc=EventVendor
+    };
+    AWSLogon(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationM365D.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationM365D.yaml
@ -0,0 +1,113 @@
+Parser:
+  Title: ASIM Microsoft 365 Defender DeviceLogonEvent Authentication parser
+  Version: '0.1.0'
+  LastUpdated: July 1, 2021
+Product:
+  Name: M365 Defender
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: |
+      This Query Parser maps M365 Defender Device Logon Events (DeviceLogonEvents) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationM365Defender
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let FaliureReason=datatable(EventOriginalResultDetails:string, EventResultDetails:string)[
+    'InvalidUserNameOrPassword','No such user or password'
+    ];
+  let AuthM365D=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+    DeviceLogonEvents 
+  // ************************************************************************* 
+  //       <Prefilterring>
+  // *************************************************************************
+  | where 
+    (isnull(starttime)   or TimeGenerated >= starttime) 
+    and (isnull(endtime)     or TimeGenerated <= starttime) 
+    and (targetusername_has=='*' or (AccountName has targetusername_has))
+  // ************************************************************************* 
+  //       </Prefilterring>
+  // ************************************************************************* 
+    //
+    | project-rename 
+       EventOriginalResultDetails=FailureReason 
+    | extend 
+    // ----  Event
+        EventSubType=iff(LogonType=='Remote interactive (RDP) logons','RemoteInteractive',LogonType)
+       , EventCount=int(1)
+       , EventStartTime=TimeGenerated
+       , EventEndTime=TimeGenerated
+       , EventOriginalType = LogonType
+       , EventProduct='M365 Defender for EndPoint'
+       ,  EventResult = case(ActionType =='LogonSuccess', 'Success'
+                            , ActionType=='LogonFailed', 'Failure'
+                            , ActionType=='LogonAttempted', 'NA'
+                            , 'NA')
+      , EventSchemaVersion='0.1.0'
+      , EventType='Logon'
+      , EventVendor ='Microsoft'
+     //  ----   Target and Actor Users
+     | project-rename 
+         TargetUserId=AccountSid
+       , ActorUserId =InitiatingProcessAccountSid
+       , ActorUserUpn=InitiatingProcessAccountUpn
+       , ActorUserObjectId=InitiatingProcessAccountObjectId
+      | extend 
+         TargetUserIdType ='SID'
+       , TargetUsername = strcat(AccountDomain,'\\',AccountName)
+       , TargetUsernameType='Windows'
+       , ActorUserIdType='SID'
+       , ActorUsername=coalesce(ActorUserUpn, strcat(InitiatingProcessAccountDomain,'\\',InitiatingProcessAccountName)) // InitiatingProcessAccountName
+       , ActorUsernameType=case(isnotempty( ActorUserUpn), 'Upn/Email'
+                                , isnotempty(InitiatingProcessAccountDomain), 'Windows'
+                                , 'Simple')
+       , TargetDvcHostname=tostring(split(DeviceName,'.')[0])
+       , TargetDvcFQDN=DeviceName
+      | project-rename 
+        LogonProtocol=Protocol
+      , TargetDvcId=DeviceId
+      , SrcDvcIpAddr=RemoteIP
+      , OriginalEventUid=ReportId
+      , SrcDvcHostname=RemoteDeviceName 
+    //
+    , ActingProcessCommandLine = InitiatingProcessCommandLine
+    , ActingProcessCreationTime=InitiatingProcessCreationTime
+    , ActingProcessPath=InitiatingProcessFolderPath
+    , ActingProcessId=InitiatingProcessId
+    , ActingProcessMD5=InitiatingProcessMD5
+    , ActingProcessSHA1=InitiatingProcessSHA1
+    , ActingProcessSHA256= InitiatingProcessSHA256
+    , ActingProcessIntegrityLevel= InitiatingProcessIntegrityLevel
+    , ActingProcessTokenElevation=InitiatingProcessTokenElevation
+    , ParentProcessName=InitiatingProcessParentFileName
+    , ParentProcessId=InitiatingProcessParentId
+    , ParentProcessCreationTime=InitiatingProcessParentCreationTime
+      | extend 
+          ActingProcessName=iff(ActingProcessPath hassuffix InitiatingProcessFileName
+                            , ActingProcessPath
+                            , strcat(ActingProcessPath,'\\',InitiatingProcessFileName))
+      ,  TargetDvcHostnameType='FQDN'
+      , TargetDvcIdType='MDE'
+      , TargetPortNumber=RemotePort
+      , TargetSessionId = tostring(LogonId)
+      | lookup FaliureReason on EventOriginalResultDetails 
+    // TargetUrl 
+    // -----------  Alias
+      | extend 
+        User=TargetUsername 
+        , LogonTarget=TargetDvcHostname
+        , Dvc=TargetDvcHostname
+        };AuthM365D(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationMicrosoftMD4IoT.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationMicrosoftMD4IoT.yaml
@ -0,0 +1,85 @@
+Parser:
+  Title: ASIM Authentication Parser for Microsoft Defender for IoT - Endpoint 
+  Version: '0.1.0'
+  LastUpdated: Aug 16, 2021
+Product:
+  Name: Microsoft Defender for IoT - Endpoint
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: ASIM Azure Defender for IoT Authentication Parser
+ParserName: vimAuthenticationMD4IoT
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let Authentication_MD4IoT=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*")
+    {
+      SecurityIoTRawEvent 
+      | where RawEventName == "Login"
+    // ************************************************************************* 
+    //       <Prefilterring>
+    // *************************************************************************
+    | where 
+      (isnull(starttime)   or TimeGenerated >= starttime) 
+      and (isnull(endtime)     or TimeGenerated <= starttime)
+      and (targetusername_has=='*' or EventDetails has targetusername_has)
+    // ************************************************************************* 
+    //       </Prefilterring>
+    // ************************************************************************* 
+      | extend
+        EventDetails = todynamic(EventDetails)
+        //
+      | extend
+        EventOriginalUid = tostring(EventDetails.OriginalEventId), 
+        EventProduct = 'Azure Defender for IoT',
+        EventCount=int(1),
+        EventVendor = 'Microsoft', 
+        EventSchemaVersion = '0.1.0', 
+        EventStartTime = todatetime(EventDetails.TimestampUTC), 
+        EventEndTime = todatetime(TimeGenerated), 
+        EventType = iff (EventDetails.Operation == 'Logout', 'Logoff', 'Logon'),  
+        EventResult = iff (EventDetails.Operation == 'LoginFailed', 'Failure', 'Success')  
+        //
+      | extend
+        ActingProcessId = tostring(EventDetails.ProcessId),  
+        ActingProcessName = tostring(EventDetails.Executable),  // -- Linux input device or service used to authenticate, for example pts/1, tty1, pts/0, ssh:notty 
+        DvcOs = iif (EventDetails.MessageSource == "Linux", "Linux", "Windows"),  // -- Intermediate fix
+        TargetUsernameType = "Simple",
+        TargetUsername = tostring(EventDetails.UserName)
+        // ************************************************************************* 
+        //       <Postfilterring>
+        // *************************************************************************
+        | where 
+            (targetusername_has=='*' or TargetUsername has targetusername_has)
+        // ************************************************************************* 
+        //       <Postfilterring>
+        // *************************************************************************
+      | extend SrcIpAddr = tostring(EventDetails.RemoteAddress) 
+      | project-rename
+        DvcHostname = DeviceId, 
+        EventProductVersion = AgentVersion,  // -- Not available in Windows
+        _ResourceId = AssociatedResourceId, 
+        _SubscriptionId = AzureSubscriptionId 
+        //
+        // -- aliases
+      | extend 
+        User = TargetUsername, 
+        Process = ActingProcessName, 
+        Dvc = DvcHostname,
+        SrcDvcIpAddr = SrcIpAddr,
+        IpAddr = SrcIpAddr
+      };
+      Authentication_MD4IoT(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationMicrosoftWindowsEvent.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationMicrosoftWindowsEvent.yaml
@ -0,0 +1,160 @@
+Parser:
+  Title: Microsoft Windows Events Logon and Logoff
+  Version: '1.0.0'
+  LastUpdated: Aug 8, 2021
+Product:
+  Name: Microsoft Windows Events
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: |
+      This Query Parser maps Windows sign in logs (WindowsEvent) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationMicrosoftWindowsEvent
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |  
+  let LogonEvents=dynamic([4624,4625]);
+  let LogoffEvents=dynamic([4634,4647]);
+  let LogonTypes=datatable(LogonType:string, EventSubType:string)[
+      2, 'Interactive',
+      3, 'Network',
+      4, 'Batch',
+      5, 'Service',
+      7, 'Unlock',
+      8, 'NetworkCleartext',
+      9, 'NewCredentials',
+      10, 'RemoteInteractive',
+      11, 'CachedInteractive'];
+  // https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000
+  let LogonStatus=datatable 
+      (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[
+      '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',
+      '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',
+      '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',
+      '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',
+      '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',
+      '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',
+      '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',
+      '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',
+      '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',
+      '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',
+      '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',
+      '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',
+      '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',
+      '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',
+      '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',
+      '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',
+      '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',
+      '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',
+      '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',
+      '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',
+      '0x80090308', 'SEC_E_INVALID_TOKEN','Other',
+      '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',
+      '0xc0000008', 'STATUS_INVALID_HANDLE','Other',
+      '0xc0000017', 'STATUS_NO_MEMORY','Other',
+      '0xc0000022', 'STATUS_ACCESS_DENIED','Other',
+      '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',
+      '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',
+      '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',
+      '0xc000006d', 'STATUS_LOGON_FAILURE','Other',
+      '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',
+      '0xc0000073', 'STATUS_NONE_MAPPED','Other',
+      '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',
+      '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',
+      '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',
+      '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',
+      '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',
+      '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',
+      '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',
+      '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',
+      '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',
+      '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];
+      let WinLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){ 
+          WindowsEvent
+          // ************************************************************************* 
+          //       <Prefilterring>
+          // *************************************************************************
+          | where 
+            (isnull(starttime)   or TimeGenerated >= starttime)
+            and (isnull(endtime)     or TimeGenerated <= starttime)
+            and (targetusername_has=='*' or EventData.TargetUserName has targetusername_has)
+          // ************************************************************************* 
+          //       </Prefilterring>
+          // ************************************************************************* 
+          | where Provider == 'Microsoft-Windows-Security-Auditing'
+          | where     EventID in (LogonEvents) or EventID in (LogoffEvents)
+          | extend    LogonProtocol = tostring(EventData.AuthenticationPackageName),
+                      SrcDvcIpAddr = tostring(EventData.IpAddress),
+                      TargetPortNumber = toint(EventData.IpPort),
+                      LogonGuid = tostring(EventData.LogonGuid),
+                      LogonType = tostring(EventData.LogonType),
+                      ActingProcessCreationTime = EventData.ProcessCreationTime,
+                      ActingProcessId = tostring(toint(EventData.ProcessId)),
+                      ActingProcessName = tostring(EventData.ProcessName),
+                      Status = tostring(EventData.Status),
+                      ActorSessionId = tostring(EventData.SubjectLogonId),
+                      ActorUsername = tostring(iff (EventData.SubjectDomainName == '-', EventData.SubjectUserName, strcat(EventData.SubjectDomainName, @"\" , EventData.SubjectUserName))),
+                      ActorUserId = tostring(EventData.SubjectUserSid),
+                      SubStatus = tostring(EventData.SubStatus),
+                      TargetDomainName = tostring(EventData.TargetDomainName),
+                      TargetSessionId = tostring(EventData.TargetLogonId),
+                      TargetUserId = tostring(EventData.TargetUserSid),
+                      TargetUsername = tostring(iff (EventData.TargetDomainName == '-', EventData.TargetUserName, strcat(EventData.TargetDomainName, @"\" , EventData.TargetUserName)))
+                      // ************************************************************************* 
+                      //       <Postfilterring>
+                      // *************************************************************************
+                      | where (targetusername_has=='*' or TargetUsername has targetusername_has),
+                      // ************************************************************************* 
+                      //       <Postfilterring>
+                      // ************************************************************************* 
+                      | extend 
+                      SrcDvcHostname = tostring(EventData.WorkstationName),
+                      EventProduct = "Security Events"
+          | extend EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
+          // -- creating EventMessage matching EventMessage in SecurityEvent table
+          | extend EventMessage = case(EventID == 4634, "4634 - An account was logged off.", 
+                                      EventID == 4625, "4625 - An account failed to log on.",
+                                      EventID == 4624 ,"4624 - An account was successfully logged on.",
+                                      "4647 - User initiated logoff."),
+                  EventResult = iff(EventID == 4625, 'Failure', 'Success')
+          | project-rename 
+              TargetDvcHostname = Computer
+          // , TargetUserType=AccountType - no AccountType in windowsEvents
+          // , EventOriginalUid = EventOriginId - no EventOriginalId in WindowsEvents
+          , EventOriginId=EventID
+          | extend  EventCount=int(1)
+                  , EventSchemaVersion='0.1.0'
+                  , ActorUserIdType='SID'
+                  , TargetUserIdType='SID'
+                  , EventVendor='Microsoft'  
+                  , EventStartTime =TimeGenerated
+                  , EventEndTime=TimeGenerated
+                  , EventType=iff(EventOriginId in (LogoffEvents), 'Logoff', 'Logon')
+                  , ActorUsername = tostring(EventData.SubjectUserName)
+                  , ActorUsernameType= iff(EventData.SubjectDomainName == '-','Simple', 'Windows' )
+                  , TargetUsername = tostring(EventData.TargetUsername)
+                  , TargetUsernameType=iff (TargetDomainName == '-', 'Simple', 'Windows')
+                  , SrcDvcOs = 'Windows'
+                  , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
+          | lookup LogonStatus on EventStatus
+          | lookup LogonTypes on LogonType
+              /// ** Aliases 
+              | extend
+                  User=TargetUsername
+                  , LogonTarget=TargetDvcHostname
+                  , Dvc=SrcDvcHostname
+              };
+    WinLogon(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationOktaOSS.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationOktaOSS.yaml
@ -0,0 +1,104 @@
+Parser:
+  Title: ASIM Okta identity management authentication parser
+  Version: '0.1.0'
+  LastUpdated: June 17, 2021
+Product:
+  Name: Okta identity management
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: |
+      This Query Parser maps Okta sign in logs (Okta_CL) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationOktaSSO
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let OktaSignin=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+    let OktaSuccessfulOutcome = dynamic(['SUCCESS', 'ALLOW']);
+    let OktaFailedOutcome = dynamic(['FAILURE', 'SKIPPED','DENY']);
+    let OktaSigninEvents=dynamic(['user.session.start', 'user.session.end']);
+    // https://developer.okta.com/docs/reference/api/event-types/#catalog
+    Okta_CL
+    // ************************************************************************* 
+    //       <Prefilterring>
+    // *************************************************************************
+    | where 
+      (isnull(starttime)   or TimeGenerated >= starttime) 
+      and (isnull(endtime)     or TimeGenerated <= starttime)
+      and (targetusername_has=='*' or (actor_alternateId_s has targetusername_has))
+    // ************************************************************************* 
+    //       </Prefilterring>
+    // ************************************************************************* 
+    | where eventType_s in (OktaSigninEvents)
+    | extend 
+        EventProduct='Okta'
+        , EventVendor='Okta'
+        , EventCount=int(1)
+        , EventSchemaVersion='0.1.0'
+        , EventResult = case (outcome_result_s in (OktaSuccessfulOutcome), 'Success',outcome_result_s in (OktaFailedOutcome),'Failure', 'Partial')
+        , EventStartTime=TimeGenerated
+        , EventEndTime=TimeGenerated
+        , EventType=iff(eventType_s hassuffix 'start', 'Logon', 'Logoff')
+        , EventSubType=legacyEventType_s
+        , TargetUserIdType='OktaId'
+        , TargetUsernameType='Upn'
+        , SrcGeoLatitude=toreal(client_geographicalContext_geolocation_lat_d)
+        , SrcGeoLongitude=toreal(client_geographicalContext_geolocation_lon_d)
+        , ActingAppType = "Browser"
+    | project-rename 
+        EventMessage=displayMessage_s
+        ,EventOriginalResultDetails=outcome_reason_s
+        , LogonMethod = authenticationContext_credentialType_s
+        , TargetSessionId=authenticationContext_externalSessionId_s
+        , TargetUserId= actor_id_s
+        , TargetUsername=actor_alternateId_s
+        , TargetUserType=actor_type_s
+        , SrcDvcOs=client_userAgent_os_s
+        , HttpUserAgent=client_userAgent_rawUserAgent_s
+        , ActingAppName = client_userAgent_browser_s
+        , SrcIsp=securityContext_isp_s
+        , SrcGeoCity=client_geographicalContext_city_s
+        , SrcGeoCountry=client_geographicalContext_country_s
+        , EventOriginalUid = uuid_g_g
+    | project-reorder
+        EventProduct
+        , EventOriginalUid
+        , TimeGenerated
+        , EventMessage
+        , EventResult
+        , EventOriginalResultDetails
+        , EventStartTime
+        , EventEndTime
+        , EventType
+        , EventSubType
+        , LogonMethod
+        , TargetSessionId
+        , TargetUserId
+        , TargetUsername
+        , TargetUserType
+        , SrcDvcOs
+        , HttpUserAgent
+        , SrcIsp
+        , SrcGeoCity
+        , SrcGeoCountry
+        , SrcGeoLongitude
+        , SrcGeoLatitude
+        // ** Aliases
+        | extend 
+          User=TargetUsername
+          , Dvc=EventVendor
+    };
+  OktaSignin(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationWindowsSecurityEvent.yaml
+++ b/Parsers/ASimAuthentication/ProductParsers/vimAuthenticationWindowsSecurityEvent.yaml
@ -0,0 +1,158 @@
+Parser:
+  Title: Microsoft Windows Logon and Logoff
+  Version: '0.1.0'
+  LastUpdated: June 17, 2021
+Product:
+  Name: Microsoft Windows Events
+Normalization:
+  Schema: Authentication
+  Version: '0.1.0'
+References:
+- Title: ASIM Authentication Schema
+  Link: https://aka.ms/AzSentinelAuthenticationDoc
+- Title: ASIM
+  Link: https:/aka.ms/AzSentinelNormalization
+Description: |
+      This Query Parser maps Windows Active Directory sign in logs (SecurityEvent) to the Azure Sentinel Information Model authenticaion schema.
+ParserName: vimAuthenticationWindowsSecurityEvent
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: '*'
+ParserQuery: |
+  let LogonEvents=dynamic([4624,4625]);
+  let LogoffEvents=dynamic([4634,4647]);
+  let LogonTypes=datatable(LogonType:int, EventSubType:string)[
+    2, 'Interactive',
+    3, 'Network',
+    4, 'Batch',
+    5, 'Service',
+    7, 'Unlock',
+    8, 'NetworkCleartext',
+    9, 'NewCredentials',
+    10, 'RemoteInteractive',
+    11, 'CachedInteractive'
+  ];
+  // https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/quick-reference-troubleshooting-netlogon-error-codes/ba-p/256000
+  let LogonStatus=datatable 
+    (EventStatus:string,EventOriginalResultDetails:string, EventResultDetails:string)[
+    '0x80090325', 'SEC_E_UNTRUSTED_ROOT','Other',
+    '0xc0000064', 'STATUS_NO_SUCH_USER','No such user or password',
+    '0xc000006f', 'STATUS_INVALID_LOGON_HOURS','Logon violates policy',
+    '0xc0000070', 'STATUS_INVALID_WORKSTATION','Logon violates policy',
+    '0xc0000071', 'STATUS_PASSWORD_EXPIRED','Password expired',
+    '0xc0000072', 'STATUS_ACCOUNT_DISABLED','User disabled',
+    '0xc0000133', 'STATUS_TIME_DIFFERENCE_AT_DC','Other',
+    '0xc000018d', 'STATUS_TRUSTED_RELATIONSHIP_FAILURE','Other',
+    '0xc0000193', 'STATUS_ACCOUNT_EXPIRED','Account expired',
+    '0xc0000380', 'STATUS_SMARTCARD_WRONG_PIN','Other',
+    '0xc0000381', 'STATUS_SMARTCARD_CARD_BLOCKED','Other',
+    '0xc0000382', 'STATUS_SMARTCARD_CARD_NOT_AUTHENTICATED','Other',
+    '0xc0000383', 'STATUS_SMARTCARD_NO_CARD','Other',
+    '0xc0000384', 'STATUS_SMARTCARD_NO_KEY_CONTAINER','Other',
+    '0xc0000385', 'STATUS_SMARTCARD_NO_CERTIFICATE','Other',
+    '0xc0000386', 'STATUS_SMARTCARD_NO_KEYSET','Other',
+    '0xc0000387', 'STATUS_SMARTCARD_IO_ERROR','Other',
+    '0xc0000388', 'STATUS_DOWNGRADE_DETECTED','Other',
+    '0xc0000389', 'STATUS_SMARTCARD_CERT_REVOKED','Other',
+    '0x80090302', 'SEC_E_UNSUPPORTED_FUNCTION','Other',
+    '0x80090308', 'SEC_E_INVALID_TOKEN','Other',
+    '0x8009030e', 'SEC_E_NO_CREDENTIALS','Other',
+    '0xc0000008', 'STATUS_INVALID_HANDLE','Other',
+    '0xc0000017', 'STATUS_NO_MEMORY','Other',
+    '0xc0000022', 'STATUS_ACCESS_DENIED','Other',
+    '0xc0000034', 'STATUS_OBJECT_NAME_NOT_FOUND','Other',
+    '0xc000005e', 'STATUS_NO_LOGON_SERVERS','Other',
+    '0xc000006a', 'STATUS_WRONG_PASSWORD','Incorrect password',
+    '0xc000006d', 'STATUS_LOGON_FAILURE','Other',
+    '0xc000006e', 'STATUS_ACCOUNT_RESTRICTION','Logon violates policy',
+    '0xc0000073', 'STATUS_NONE_MAPPED','Other',
+    '0xc00000fe', 'STATUS_NO_SUCH_PACKAGE','Other',
+    '0xc000009a', 'STATUS_INSUFFICIENT_RESOURCES','Other',
+    '0xc00000dc', 'STATUS_INVALID_SERVER_STATE','Other',
+    '0xc0000106', 'STATUS_NAME_TOO_LONG','Other',
+    '0xc000010b', 'STATUS_INVALID_LOGON_TYPE','Logon violates policy',
+    '0xc000015b', 'STATUS_LOGON_TYPE_NOT_GRANTED','Logon violates policy',
+    '0xc000018b', 'STATUS_NO_TRUST_SAM_ACCOUNT','Logon violates policy',
+    '0xc0000224', 'STATUS_PASSWORD_MUST_CHANGE','Other',
+    '0xc0000234', 'STATUS_ACCOUNT_LOCKED_OUT','User locked',
+    '0xc00002ee', 'STATUS_UNFINISHED_CONTEXT_DELETED','Other'];
+  let WinLogon=(starttime:datetime=datetime(null), endtime:datetime=datetime(null), targetusername_has:string="*"){
+    SecurityEvent
+    // ************************************************************************* 
+    //       <Prefilterring>
+    // *************************************************************************
+    | where 
+      (isnull(starttime)   or TimeGenerated >= starttime)
+      and (isnull(endtime)     or TimeGenerated <= starttime)
+      and (targetusername_has=='*' or TargetUserName has targetusername_has)
+    // ************************************************************************* 
+    //       </Prefilterring>
+    // ************************************************************************* 
+    | where EventID in (LogonEvents) or 
+            EventID in (LogoffEvents)
+    | project-rename 
+         EventMessage = Activity
+       , ActorSessionId=SubjectLogonId
+       , TargetSessionId=TargetLogonId
+       , ActorUserId=SubjectUserSid
+       , TargetUserId =TargetUserSid
+       , TargetUserType=AccountType
+       , SrcDvcHostname = WorkstationName
+       , TargetDvcHostname = Computer
+       , EventOriginalUid = EventOriginId
+       , LogonProtocol=AuthenticationPackageName
+       , SrcDvcIpAddr=IpAddress
+    | extend EventOriginId=EventID | project-away EventID 
+    | extend EventResult = iff(EventOriginId == 4625, 'Failure', 'Success')
+      , EventCount=int(1)
+      , EventSchemaVersion='0.1.0'
+      , EventProduct = "Security Event"
+      , ActorUserIdType='SID'
+      , TargetUserIdType='SID'
+      , EventVendor='Microsoft' 
+      , EventStartTime =TimeGenerated
+      , EventEndTime=TimeGenerated
+      , EventType=iff(EventOriginId in (LogoffEvents), 'Logoff', 'Logon')
+      , ActorUsername = iff (SubjectDomainName == '-', SubjectUserName, SubjectAccount)
+      , ActorUsernameType= iff(SubjectDomainName == '-','Simple', 'Windows' )
+      , TargetUsername = iff (TargetDomainName == '-', trim(@'\\',TargetUserName), trim(@'\\',TargetAccount))
+      , TargetUsernameType=iff (TargetDomainName == '-', 'Simple', 'Windows')
+      , SrcDvcOs = 'Windows'
+      , EventStatus= iff(SubStatus=='0x0',Status,SubStatus)
+    | lookup LogonStatus on EventStatus
+    | lookup LogonTypes  on LogonType
+    | project-reorder 
+        TimeGenerated
+        , EventProduct
+        , EventMessage
+        , EventResult
+        , EventOriginalResultDetails
+        , EventStartTime
+        , EventEndTime
+        , EventType
+        , EventSubType
+        , ActorSessionId
+        , TargetSessionId
+        , ActorUserId
+        , ActorUsername
+        , TargetUserId
+        , TargetUsername
+        , TargetUserType
+        , SrcDvcOs
+        , TargetDvcHostname
+        , LogonProtocol
+        , ImpersonationLevel
+    /// ** Aliases 
+    | extend
+         User=TargetUsername
+        , LogonTarget=TargetDvcHostname
+        , Dvc=SrcDvcHostname
+    };
+  WinLogon(starttime, endtime, targetusername_has)
--- a/Parsers/ASimAuthentication/README.md
+++ b/Parsers/ASimAuthentication/README.md
@ -22,7 +22,8 @@ To deploy all parsers to your workspace using ARM templates use the button below
 This template deploys the following parsers:

 - Source agnostic parsers:
-  - imAuthentication - Authentication events from all normalized authentication providers
+  - ASimAuthentication - Authentication events from all normalized authentication providers
+  - imAuthentication - Use this parser, which supports the optimization parameters desribed below, when using Authentication logs in your content such as detection, hunting queries or workbooks. You can also use it interactively if you want to optimize your query
  - vimAuthenticationEmpty - Empty ASim Authentication table

 - Source specific parsers:
@ -36,3 +37,19 @@ This template deploys the following parsers:
  - **Windows Security Events** collecting using the Log Analytics Agent or Azure Monitor Agent - vimAuthenticationWindowsSecurityEvent
  - **Windows Events** collecting using the Azure Monitor Agent - vimAuthenticationMicrosoftWindowsEvent. Note that those are the same original events as Windows Security events, but collected to the WindowsEvent table, for example when collecting using Windows Event Forwarding.
  - **Microsoft Defender for IoT - Endpoint**, reporting Linux authentication events - vimAuthenticationMD4IoT
+
+## Parser parameters
+
+Parametersize parsers support the following parameters which allow for pre-filtering and therefore significantly enhance parser perofrmance. All parameters are optional. The results will match all of the used parameters (AND logic).
+
+To use parameters, set their value as you invoke the parser, for example
+
+`imAuthentication (targetusername_has = 'mike') | ...`
+
+Supported parameters: 
+
+| Name     | Type      | Default value |
+|----------|-----------|---------------|
+| starttime|  datetime | datetime(null)|
+|  endtime |  datetime | datetime(null) |
+|  targetusername |  string | '*' |
--- a/Parsers/ASimDns/ARM/ASimDnszScalerZIA/ASimDnszScalerZIA.json
+++ b/Parsers/ASimDns/ARM/ASimDnszScalerZIA/ASimDnszScalerZIA.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimDnszScalerZIA",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "zScaler ZIA DNS",
+            "category": "Security",
+            "FunctionAlias": "ASimDnszScalerZIA",
+            "query": "let zScalerDNSevents=(disabled:bool=false){\n  CommonSecurityLog \n  | where not(disabled)\n  | where DeviceProduct == \"NSSDNSlog\"\n  | project-rename\n      Dvc=Computer , \n      SrcIpAddr = SourceIP, \n      SrcUsername = SourceUserName,\n      DstIpAddr = DestinationIP, \n      DstPortNumber = DestinationPort, \n      EventProductVersion = DeviceVersion, \n      DnsQueryTypeName = DeviceCustomString4, \n      DnsQuery = DeviceCustomString5, \n      DnsDuration = DeviceCustomNumber1, \n      Department = DeviceCustomString1, // Not part of the schema\n      reqaction = DeviceCustomString2, \n      resaction = DeviceCustomString3 \n  | extend\n      EventCount=int(1), \n      EventStartTime=TimeGenerated, \n      EventVendor = \"zScaler\", \n      EventProduct = \"ZIA DNS\", \n      EventSchemaVersion=\"0.1.2\", \n      EventEndTime=TimeGenerated, \n      SrcUsernameType = \"Upn\",\n      EventSubType = iff(resaction == 'None', 'request', 'response'), \n      DvcAction = iff(resaction == 'None', reqaction, resaction), \n      EventResultDetails = iff (DeviceCustomString6 matches regex '^\\\\d', 'NOERROR', DeviceCustomString6), \n      EventType = 'Query', \n      UrlCategory = extract(\"cat=(.*)\", 1, AdditionalExtensions), \n      DnsRuleName = strcat (FlexString1, \" / \", FlexString2)\n    | extend \n      EventResult = case (\n        EventSubType == 'request', 'NA', \n        EventResultDetails == 'NOERROR', 'Success',\n        'Failure'),\n      DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n  // -- Aliases\n  | extend\n      DnsResponseCodeName = EventResultDetails,\n      Domain = DnsQuery,\n      IpAddr = SrcIpAddr,\n      DvcHostname = Dvc,\n      Duration = DnsDuration,\n      User = SrcUsername\n  // -- Backward Compatibility\n  | extend\n      Query=DnsQuery, \n      QueryTypeName=DnsQueryTypeName, \n      ResponseName=DnsResponseName, \n      ResponseCodeName=DnsResponseCodeName\n  };\nzScalerDNSevents (disabled)",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Parsers/ASimDns/ARM/ASimDnszScalerZIA/README.md
+++ b/Parsers/ASimDns/ARM/ASimDnszScalerZIA/README.md
@ -0,0 +1,15 @@
+# zScaler ZIA DNS ASIM Normalization Parser
+
+This template deploys the ASIM DNS schema parser for zScaler ZIA DNS. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Dns normalization schema reference](https://aka.ms/AzSentinelDnsDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FASimDnszScalerZIA%2FASimDnszScalerZIA.json)
--- a/Parsers/ASimDns/ARM/vimDnszScalerZIA/README.md
+++ b/Parsers/ASimDns/ARM/vimDnszScalerZIA/README.md
@ -0,0 +1,15 @@
+# zScaler ZIA DNS ASIM Normalization Parser
+
+This template deploys the ASIM DNS schema parser for zScaler ZIA DNS. The parser is a part of the Azure Sentinel Information Model.
+
+The Azure Sentinel Information Mode (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Azure Sentinel Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
+- [Azure Sentinel Dns normalization schema reference](https://aka.ms/AzSentinelDnsDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimDns%2FARM%2FvimDnszScalerZIA%2FvimDnszScalerZIA.json)
--- a/Parsers/ASimDns/ARM/vimDnszScalerZIA/vimDnszScalerZIA.json
+++ b/Parsers/ASimDns/ARM/vimDnszScalerZIA/vimDnszScalerZIA.json
@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimDnszScalerZIA",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "zScaler ZIA DNS",
+            "category": "Security",
+            "FunctionAlias": "vimDnszScalerZIA",
+            "query": "let zScalerDNSevents=(\n  starttime:datetime=datetime(null), endtime:datetime=datetime(null)\n  , srcipaddr:string='*'\n  , domain_has_any:dynamic=dynamic([]) \n  , responsecodename:string='*', response_has_ipv4:string='*'\n  , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='Query'\n  , disabled:bool=false\n){\n  CommonSecurityLog \n  | where not(disabled)\n  | where DeviceProduct == \"NSSDNSlog\"\n  //  -- Pre-parsing filtering\n  | where\n      (eventtype in ('lookup', 'Query')\n      and (isnull(starttime) or TimeGenerated >= starttime)\n      and (isnull(endtime) or TimeGenerated <= endtime) \n      and (srcipaddr=='*' or SourceIP==srcipaddr)\n      and (array_length(domain_has_any) == 0 or DeviceCustomString5 has_any (domain_has_any))\n      and (response_has_ipv4=='*' or has_ipv4(DeviceCustomString6,response_has_ipv4) )\n      and (array_length(response_has_any_prefix) == 0 or has_any_ipv4_prefix(DeviceCustomString6, response_has_any_prefix))\n      and (responsecodename in ('*', 'NOERROR') or DeviceCustomString6 =~ responsecodename)) // NOERROR is determined only later\n  | extend\n      EventResultDetails = iff (DeviceCustomString6 matches regex '^\\\\d', 'NOERROR', DeviceCustomString6)\n  | where\n      (responsecodename=='*' or EventResultDetails =~ responsecodename)\n  // --\n  | project-rename\n      Dvc=Computer , \n      SrcIpAddr = SourceIP, \n      SrcUsername = SourceUserName,\n      DstIpAddr = DestinationIP, \n      DstPortNumber = DestinationPort, \n      EventProductVersion = DeviceVersion, \n      DnsQueryTypeName = DeviceCustomString4, \n      DnsQuery = DeviceCustomString5, \n      DnsDuration = DeviceCustomNumber1, \n      Department = DeviceCustomString1, // Not part of the schema\n      reqaction = DeviceCustomString2, \n      resaction = DeviceCustomString3 \n  | extend\n      EventCount=int(1), \n      EventStartTime=TimeGenerated, \n      EventVendor = \"zScaler\", \n      EventProduct = \"ZIA DNS\", \n      EventSchemaVersion=\"0.1.2\", \n      EventEndTime=TimeGenerated, \n      SrcUsernameType = \"Upn\",\n      EventSubType = iff(resaction == 'None', 'request', 'response'), \n      DvcAction = iff(resaction == 'None', reqaction, resaction), \n      EventType = 'Query', \n      UrlCategory = extract(\"cat=(.*)\", 1, AdditionalExtensions), \n      DnsRuleName = strcat (FlexString1, \" / \", FlexString2)\n    | extend \n      EventResult = case (\n        EventSubType == 'request', 'NA', \n        EventResultDetails == 'NOERROR', 'Success',\n        'Failure'),\n      DnsResponseName = iff (EventResultDetails == 'NOERROR', DeviceCustomString6, '')\n  // -- Aliases\n  | extend\n      DnsResponseCodeName = EventResultDetails,\n      Domain = DnsQuery,\n      IpAddr = SrcIpAddr,\n      DvcHostname = Dvc,\n      Duration = DnsDuration,\n      User = SrcUsername\n  // -- Backward Compatibility\n  | extend\n      Query=DnsQuery, \n      QueryTypeName=DnsQueryTypeName, \n      ResponseName=DnsResponseName, \n      ResponseCodeName=DnsResponseCodeName\n  };\nzScalerDNSevents (starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, disabled)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr:string='*', domain_has_any:dynamic=dynamic([]), responsecodename:string='*', response_has_ipv4:string='*', response_has_any_prefix:dynamic=dynamic([]), eventtype:string='lookup', disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}
--- a/Показать больше
+++ b/Показать больше