Merge pull request #7013 from Azure/sivanguetta-patch-2
Update title in imDns.yaml and imAuditEvent.yaml
475e68e337
@ -32,10 +32,10 @@
|
|||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "Audit event ASIM parser",
|
||||
"displayName": "Audit event ASIM filtering parser.",
|
||||
"category": "ASIM",
|
||||
"FunctionAlias": "imAuditEvent",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))",
|
||||
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludevimAuditEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet BuiltInDisabled=toscalar('ExcludevimAuditEventBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuditEventEmpty, \n ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),\n ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),\n ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))\n",
|
||||
"version": 1,
|
||||
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),operation_has_any:dynamic=dynamic([]),eventtype_in:dynamic=dynamic([]),eventresult:string='*',object_has_any:dynamic=dynamic([]),newvalue_has_any:dynamic=dynamic([]),pack:bool=False"
|
||||
}
|
||||
|
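Review bot: The new displayName on the new side of this hunk ("Audit event ASIM filtering parser.") promises filtering, but the query on the new side still calls every source parser with only the disable flag, e.g. `ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers)))`, so none of the filter arguments declared in functionParameters (starttime, endtime, srcipaddr_has_any_prefix, actorusername_has_any, operation_has_any, eventtype_in, eventresult, object_has_any, newvalue_has_any) are forwarded. Compare the imDns query in the later JSON hunk, whose `Generic` wrapper passes starttime, endtime, srcipaddr and the other parameters into each source parser. If the ASimAuditEvent source parsers accept those parameters the union should forward them; if they do not, the label should keep the plain "parser" wording until the filtering is actually implemented, since a caller relying on the name to narrow a query would otherwise get unfiltered results. As a point of style, the new displayName gains a trailing period that the old value did not have; the same period is added to the imDns displayName and to both YAML Title lines in this commit, so whichever form is chosen should be applied consistently. The enclosing JSON object starts before the hunk.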
|
|
@ -1,5 +1,5 @@
|
|||
Parser:
|
||||
Title: Audit event ASIM parser
|
||||
Title: Audit event ASIM filtering parser.
|
||||
Version: '0.1'
|
||||
LastUpdated: Dec 13, 2022
|
||||
Product:
|
||||
|
@ -62,4 +62,4 @@ ParserQuery: |
|
|||
vimAuditEventEmpty,
|
||||
ASimAuditEventMicrosoftExchangeAdmin365 (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftExchangeAdmin365' in (DisabledParsers))),
|
||||
ASimAuditEventMicrosoftWindowsEvents (BuiltInDisabled or ('ExcludevimAuditEventMicrosoftWindowsEvents' in (DisabledParsers))),
|
||||
ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))
|
||||
ASimAuditEventAzureActivity (BuiltInDisabled or ('ExcludevimAuditEventAzureActivity' in (DisabledParsers)))
|
||||
|
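Review bot: The Title line is changed but `Version: '0.1'` and `LastUpdated: Dec 13, 2022` on the following lines are left as they were; if this repository's practice is to bump Version and refresh LastUpdated whenever a parser file is edited (I cannot confirm the convention from this page), both should be updated here, and the same applies to the imDns YAML hunk further down, which keeps `Version: '0.5'` and `LastUpdated: Feb 21, 2021`. The Parser block continues past the end of this hunk.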
|
|
@ -32,7 +32,7 @@
|
|||
],
|
||||
"properties": {
|
||||
"etag": "*",
|
||||
"displayName": "DNS activity ASIM parser",
|
||||
"displayName": "DNS activity ASIM filtering parser.",
|
||||
"category": "ASIM",
|
||||
"FunctionAlias": "imDns",
|
||||
"query": "let Generic=(starttime:datetime=datetime(null), endtime:datetime=datetime(null) , srcipaddr:string='*' , domain_has_any:dynamic=dynamic([]) , responsecodename:string='*', response_has_ipv4:string='*' , response_has_any_prefix:dynamic=dynamic([]) , eventtype:string='lookup', pack:bool=false ){\nlet DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimDns') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet imDnsBuiltInDisabled=toscalar('ExcludeimDnsBuiltIn' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimDnsEmpty\n , vimDnsCiscoUmbrella ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCiscoUmbrella' in (DisabledParsers) )))\n , vimDnsInfobloxNIOS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsInfobloxNIOS' in (DisabledParsers) )))\n , vimDnsMicrosoftOMS ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftOMS' in (DisabledParsers) )))\n , vimDnsGcp ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsDnsGcp' in (DisabledParsers) )))\n , vimDnsCorelightZeek ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsCorelightZeek' in (DisabledParsers) )))\n , vimDnsMicrosoftSysmon( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftSysmon' in (DisabledParsers) 
)))\n , vimDnsAzureFirewall ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsAzureFirewall' in (DisabledParsers) )))\n , vimDnsMicrosoftNXlog ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsMicrosoftNXlog' in (DisabledParsers) )))\n , vimDnsZscalerZIA ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsZscalerZIA' in (DisabledParsers) )))\n , vimDnsNative ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsNative' in (DisabledParsers) )))\n , vimDnsVectraAI ( starttime, endtime, srcipaddr, domain_has_any, responsecodename, response_has_ipv4, response_has_any_prefix, eventtype, (imDnsBuiltInDisabled or('ExcludevimDnsVectraAI' in (DisabledParsers) )))\n };\nGeneric( starttime=starttime, endtime=endtime, srcipaddr=srcipaddr, domain_has_any=domain_has_any, responsecodename=responsecodename, response_has_ipv4=response_has_ipv4, response_has_any_prefix=response_has_any_prefix, eventtype=eventtype, pack=pack)\n",
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
Parser:
|
||||
Title: DNS activity ASIM parser
|
||||
Title: DNS activity ASIM filtering parser.
|
||||
Version: '0.5'
|
||||
LastUpdated: Feb 21, 2021
|
||||
Product:
|
||||
|
@ -77,4 +77,4 @@ Parsers:
|
|||
- _Im_Dns_MicrosoftNXlog
|
||||
- _Im_Dns_ZscalerZIA
|
||||
- _Im_Dns_Native
|
||||
- _Im_Dns_VectraAI
|
||||
- _Im_Dns_VectraAI
|
||||
|
|