Merge pull request #6167 from Azure/asim-ASimAuthenticationSalesforceSC

Salesforce-asim-authentication parser

.script/tests/KqlvalidationsTests/CustomTables/SalesforceServiceCloud_CL.json

@@ -804,6 +804,54 @@
         {
             "Name": "TimeGenerated",
             "Type": "DateTime"
+        },
+        {
+            "Name": "_ItemId",
+            "Type": "String"
+        },
+        {
+            "Name": "starttime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "endtime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "targetusername_has",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceSystem",
+            "Type": "String"
+        },
+        {
+            "Name": "Computer",
+            "Type": "String"
+        },
+        {
+            "Name": "MG",
+            "Type": "String"
+        },
+        {
+            "Name": "ManagementGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "Message",
+            "Type": "String"
+        },
+        {
+            "Name": "RawData",
+            "Type": "String"
+        },
+        {
+            "Name": "_ResourceId",
+            "Type": "String"
+        },
+        {
+            "Name": "TenantId",
+            "Type": "String"
         }
     ]
 }

Parsers/ASimAuthentication/ARM/ASimAuthentication/ASimAuthentication.json

@@ -35,7 +35,7 @@
             "displayName": "Authentication ASIM parser",
             "category": "ASIM",
             "FunctionAlias": "ASimAuthentication",
-            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n  vimAuthenticationEmpty,    \n  ASimAuthenticationAADManagedIdentitySignInLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs'  in (DisabledParsers) )),\n  ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAADServicePrincipalSignInLogs   (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail'      in (DisabledParsers) )),\n  ASimAuthenticationBarracudaWAF  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n  ASimAuthenticationCiscoASA      (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n  ASimAuthenticationCiscoISE  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n  ASimAuthenticationCiscoMeraki  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n  ASimAuthenticationM365Defender  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender'      in (DisabledParsers) )),\n  ASimAuthenticationMD4IoT  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT'  in (DisabledParsers) )),\n  ASimAuthenticationMicrosoftWindowsEvent     (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent'      in (DisabledParsers) )),\n  ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO'      in (DisabledParsers) )),\n  ASimAuthenticationPostgreSQL  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL'  in (DisabledParsers) )),\n  ASimAuthenticationSigninLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n  ASimAuthenticationSshd  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n  ASimAuthenticationSu  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n  ASimAuthenticationVectraXDRAudit  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n  ASimAuthenticationSentinelOne  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n  ASimAuthenticationCrowdStrikeFalconHost  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n",
+            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n  vimAuthenticationEmpty,    \n  ASimAuthenticationAADManagedIdentitySignInLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs'  in (DisabledParsers) )),\n  ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAADServicePrincipalSignInLogs   (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs'      in (DisabledParsers) )),\n  ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail'      in (DisabledParsers) )),\n  ASimAuthenticationBarracudaWAF  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n  ASimAuthenticationCiscoASA      (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n  ASimAuthenticationCiscoISE  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n  ASimAuthenticationCiscoMeraki  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n  ASimAuthenticationM365Defender  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender'      in (DisabledParsers) )),\n  ASimAuthenticationMD4IoT  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMD4IoT'  in (DisabledParsers) )),\n  ASimAuthenticationMicrosoftWindowsEvent     (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent'      in (DisabledParsers) )),\n  ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO'      in (DisabledParsers) )),\n  ASimAuthenticationPostgreSQL  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL'  in (DisabledParsers) )),\n  ASimAuthenticationSigninLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n  ASimAuthenticationSshd  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n  ASimAuthenticationSu  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n  ASimAuthenticationSalesforceSC  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC'  in (DisabledParsers) )),\n  ASimAuthenticationVectraXDRAudit  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n  ASimAuthenticationSentinelOne  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n  ASimAuthenticationPaloAltoCortexDataLake  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n  ASimAuthenticationVMwareCarbonBlackCloud  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )),\n  ASimAuthenticationCrowdStrikeFalconHost  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) ))\n",
             "version": 1,
             "functionParameters": "disabled:bool=False"
           }

Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/README.md

@@ -0,0 +1,18 @@
+# Palo Alto Cortex Data Lake ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Palo Alto Cortex Data Lake.
+
+This ASIM parser supports normalizing Palo Alto Cortex Data Lake logs to the ASIM Authentication normalized schema. These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPaloAltoCortexDataLake%2FASimAuthenticationPaloAltoCortexDataLake.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationPaloAltoCortexDataLake%2FASimAuthenticationPaloAltoCortexDataLake.json)

Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/README.md

@@ -0,0 +1,18 @@
+# Salesforce Service Cloud ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Salesforce Service Cloud.
+
+This ASIM parser supports normalizing Salesforce sign in logs, stored in the  SalesforceServiceCloud_CL table, to the ASIM Authentication schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSalesforceSC%2FASimAuthenticationSalesforceSC.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationSalesforceSC%2FASimAuthenticationSalesforceSC.json)

Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json

@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimAuthenticationVMwareCarbonBlackCloud",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud",
+            "category": "ASIM",
+            "FunctionAlias": "ASimAuthenticationVMwareCarbonBlackCloud",
+            "query": "let parser = (disabled: bool=false) {\n    CarbonBlackAuditLogs_CL\n    | where not(disabled)\n    | where description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\"\n    | extend\n        EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n        EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n        AdditionalFields = bag_pack(\"flagged\", flagged_b),\n        EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\")\n    | extend\n        EventCount = int(1),\n        EventProduct = \"Carbon Black Cloud\",\n        EventSchema = \"Authentication\",\n        EventSchemaVersion = \"0.1.3\",\n        EventVendor = \"VMware\",\n        EventType = \"Logon\",\n        EventResultDetails = case(\n                       EventResult == \"Failure\" and description_s has (\"locked\"),\n                       \"User locked\",\n                       EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n                       \"Incorrect password\",\n                       EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n                       \"MFA not satisfied\",\n                       \"\"\n                   ),\n        EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n    | project-rename\n        EventMessage = description_s,\n        EventOriginalUid = eventId_g,\n        TargetUsername = loginName_s,\n        SrcIpAddr = clientIp_s,\n        EventUid=_ItemId,\n        EventOwner = orgName_s\n    | extend\n        IpAddr = SrcIpAddr,\n        TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n        TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n        Dvc = EventProduct,\n        EventEndTime = EventStartTime,\n        User = TargetUsername,\n        Src = SrcIpAddr\n    | project-away\n        *_s,\n        *_d,\n        *_b,\n        _ResourceId,\n        Computer,\n        MG,\n        ManagementGroupName,\n        RawData,\n        SourceSystem,\n        TenantId \n};\nparser(disabled=disabled)\n",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/README.md

@@ -0,0 +1,18 @@
+# VMware Carbon Black Cloud ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for VMware Carbon Black Cloud.
+
+This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Authentication normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVMwareCarbonBlackCloud%2FASimAuthenticationVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVMwareCarbonBlackCloud%2FASimAuthenticationVMwareCarbonBlackCloud.json)

Parsers/ASimAuthentication/ARM/FullDeploymentAuthentication.json

@@ -318,6 +318,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimAuthenticationPaloAltoCortexDataLake",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -338,6 +358,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimAuthenticationSalesforceSC",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationSalesforceSC/ASimAuthenticationSalesforceSC.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -418,6 +458,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimAuthenticationVMwareCarbonBlackCloud",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareCarbonBlackCloud/ASimAuthenticationVMwareCarbonBlackCloud.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -758,6 +818,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationPaloAltoCortexDataLake",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -778,6 +858,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationSalesforceSC",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/vimAuthenticationSalesforceSC.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -838,6 +938,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimAuthenticationVMwareCarbonBlackCloud",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "Workspace": {
+            "value": "[parameters('Workspace')]"
+          },
+          "WorkspaceRegion": {
+            "value": "[parameters('WorkspaceRegion')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",

Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/README.md

@@ -0,0 +1,18 @@
+# Palo Alto Cortex Data Lake ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Palo Alto Cortex Data Lake.
+
+This ASIM parser supports normalizing Palo Alto Cortex Data Lake logs to the ASIM Authentication normalized schema. These events are captured through the Palo Alto Networks CDL data connector that ingests CDL logs into Microsoft Sentinel.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPaloAltoCortexDataLake%2FvimAuthenticationPaloAltoCortexDataLake.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationPaloAltoCortexDataLake%2FvimAuthenticationPaloAltoCortexDataLake.json)

Parsers/ASimAuthentication/ARM/vimAuthenticationSalesforceSC/README.md

@@ -0,0 +1,18 @@
+# Salesforce Service Cloud ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for Salesforce Service Cloud.
+
+This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationSalesforceSC%2FvimAuthenticationSalesforceSC.json)

Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/README.md

@@ -0,0 +1,18 @@
+# VMware Carbon Black Cloud ASIM Authentication Normalization Parser
+
+ARM template for ASIM Authentication schema parser for VMware Carbon Black Cloud.
+
+This ASIM parser supports normalizing VMware Carbon Black Cloud logs to the ASIM Authentication normalized schema. VMware Carbon Black Cloud events are captured through VMware Carbon Black Cloud data connector which ingests Carbon Black Audit, Notification and Event data into Microsoft Sentinel through the REST API.
+
+
+The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)
+
+<br>
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVMwareCarbonBlackCloud%2FvimAuthenticationVMwareCarbonBlackCloud.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FvimAuthenticationVMwareCarbonBlackCloud%2FvimAuthenticationVMwareCarbonBlackCloud.json)

Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareCarbonBlackCloud/vimAuthenticationVMwareCarbonBlackCloud.json

@@ -0,0 +1,46 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "Workspace": {
+      "type": "string",
+      "metadata": {
+        "description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
+      }
+    },
+    "WorkspaceRegion": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "The region of the selected workspace. The default value will use the Region selection above."
+      }
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('Workspace')]",
+      "location": "[parameters('WorkspaceRegion')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimAuthenticationVMwareCarbonBlackCloud",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('Workspace'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Authentication parser for VMware Carbon Black Cloud",
+            "category": "ASIM",
+            "FunctionAlias": "vimAuthenticationVMwareCarbonBlackCloud",
+            "query": "let parser = (\n    starttime: datetime=datetime(null), \n    endtime: datetime=datetime(null), \n    eventtype_in: dynamic=dynamic([]), \n    eventresultdetails_in: dynamic=dynamic([]), \n    eventresult: string='*', \n    targetusername_has_any: dynamic=dynamic([]), \n    targetappname_has_any: dynamic=dynamic([]), \n    actorusername_has_any: dynamic=dynamic([]), \n    srcipaddr_has_any_prefix: dynamic=dynamic([]), \n    srchostname_has_any: dynamic=dynamic([]), \n    targetipaddr_has_any_prefix: dynamic=dynamic([]), \n    dvcipaddr_has_any_prefix: dynamic=dynamic([]), \n    dvchostname_has_any: dynamic=dynamic([]), \n    disabled: bool = false\n    ) {\n    CarbonBlackAuditLogs_CL\n    | where not(disabled)\n    | where (isnull(starttime) or TimeGenerated >= starttime)\n        and (isnull(endtime) or TimeGenerated <= endtime)\n        and (description_s has_any (\"logged in\", \"login\",\"second factor authentication\") and description_s !has \"connector\")\n        and array_length(targetappname_has_any) == 0\n        and array_length(actorusername_has_any) == 0\n        and array_length(srchostname_has_any) == 0\n        and array_length(targetipaddr_has_any_prefix) == 0\n        and array_length(dvcipaddr_has_any_prefix) == 0\n        and array_length(dvchostname_has_any) == 0\n        and (array_length(targetusername_has_any) == 0 or loginName_s has_any(targetusername_has_any))\n        and (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(clientIp_s, srcipaddr_has_any_prefix))\n    | extend\n        EventResult = iff(description_s has \"successfully\", \"Success\", \"Failure\"),\n        EventType = \"Logon\"\n    | where (array_length(eventtype_in) == 0 or EventType has_any (eventtype_in))\n        and (eventresult == '*' or EventResult has eventresult)\n    | extend EventResultDetails = case(\n                                EventResult == \"Failure\" and description_s has (\"locked\"),\n                                \"User locked\",\n                                EventResult == \"Failure\" and description_s has_any (\"logged in\", \"login\"),\n                                \"Incorrect password\",\n                                EventResult == \"Failure\" and description_s has (\"second factor authentication\"),\n                                \"MFA not satisfied\",\n                                \"\"\n                            )\n    | where (array_length(eventresultdetails_in) == 0 or EventResultDetails has_any (eventresultdetails_in))\n    | extend\n        EventStartTime = unixtime_milliseconds_todatetime(eventTime_d),\n        AdditionalFields = bag_pack(\"flagged\", flagged_b),\n        EventSeverity = iff(flagged_b == true, \"Low\", \"Informational\"),\n        EventCount = int(1),\n        EventProduct = \"Carbon Black Cloud\",\n        EventSchema = \"Authentication\",\n        EventSchemaVersion = \"0.1.3\",\n        EventVendor = \"VMware\",\n        EventOriginalResultDetails = iff(EventResult == \"Failure\", tostring(split(description_s, ';')[1]), \"\")\n    | project-rename\n        EventMessage = description_s,\n        EventOriginalUid = eventId_g,\n        TargetUsername = loginName_s,\n        SrcIpAddr = clientIp_s,\n        EventUid=_ItemId,\n        EventOwner = orgName_s\n    | extend\n        IpAddr = SrcIpAddr,\n        TargetUsernameType = _ASIM_GetUsernameType(TargetUsername),\n        TargetUserType = _ASIM_GetUserType(TargetUsername, \"\"),\n        Dvc = EventProduct,\n        EventEndTime = EventStartTime,\n        User = TargetUsername,\n        Src = SrcIpAddr\n    | project-away\n        *_s,\n        *_d,\n        *_b,\n        _ResourceId,\n        Computer,\n        MG,\n        ManagementGroupName,\n        RawData,\n        SourceSystem,\n        TenantId \n};\nparser(\n    starttime=starttime, \n    endtime=endtime, \n    eventtype_in=eventtype_in, \n    eventresultdetails_in=eventresultdetails_in, \n    eventresult=eventresult, \n    targetusername_has_any=targetusername_has_any, \n    targetappname_has_any=targetappname_has_any, \n    actorusername_has_any=actorusername_has_any, \n    srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, \n    srchostname_has_any=srchostname_has_any, \n    targetipaddr_has_any_prefix=targetipaddr_has_any_prefix, \n    dvcipaddr_has_any_prefix=dvcipaddr_has_any_prefix, \n    dvchostname_has_any=dvchostname_has_any, \n    disabled=disabled\n)\n",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),eventresultdetails_in:dynamic=dynamic([]),eventresult:string='*',targetusername_has_any:dynamic=dynamic([]),targetappname_has_any:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),srchostname_has_any:dynamic=dynamic([]),targetipaddr_has_any_prefix:dynamic=dynamic([]),dvcipaddr_has_any_prefix:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimAuthentication/Parsers/ASimAuthentication.yaml

@@ -12,7 +12,6 @@ References:
   Link: https://aka.ms/ASimAuthenticationDoc
 - Title: ASIM
   Link: https:/aka.ms/AboutASIM
-
 Description: |
   This ASIM parser supports normalizing Authentication logs from all supported sources to the ASIM Authentication normalized schema.ParserName: ASimAuthentication
 ParserName: ASimAuthentication
@@ -42,6 +41,7 @@ ParserQuery: |
     ASimAuthenticationSigninLogs    (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),
     ASimAuthenticationSshd  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),
     ASimAuthenticationSu  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),
+    ASimAuthenticationSalesforceSC  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC'  in (DisabledParsers) )),
     ASimAuthenticationVectraXDRAudit  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),
     ASimAuthenticationSentinelOne  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),
     ASimAuthenticationPaloAltoCortexDataLake  (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),
@@ -71,4 +71,5 @@ Parsers:
  - _ASim_Authentication_PaloAltoCortexDataLake
  - _ASim_Authentication_VMwareCarbonBlackCloud
  - _ASim_Authentication_CrowdStrikeFalconHost
- 
+ - _ASim_Authentication_SalesforceSC
+ 

Parsers/ASimAuthentication/Parsers/ASimAuthenticationSalesforceSC.yaml

@@ -0,0 +1,347 @@
+Parser:
+    Title: Authentication ASIM parser for Salesforce Service Cloud
+    Version: "0.1.0"
+    LastUpdated: Dec 12th, 2023
+Product:
+    Name: Salesforce Service Cloud
+Normalization:
+    Schema: Authentication
+    Version: "0.1.3"
+References:
+    - Title: ASIM Authentication Schema
+      Link: https://aka.ms/ASimAuthenticationDoc
+    - Title: ASIM
+      Link: https:/aka.ms/AboutASIM
+    - Title: Salesforce Service Cloud
+      Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm
+Description: |
+    This ASIM parser supports normalizing Salesforce sign in logs, stored in the  SalesforceServiceCloud_CL table, to the ASIM Authentication schema.
+ParserName: ASimAuthenticationSalesforceSC
+EquivalentBuiltInParser: _ASim_Authentication_SalesforceSC
+ParserParams:
+    - Name: disabled
+      Type: bool
+      Default: false
+ParserQuery: |
+    let parser = (
+    disabled: bool=false
+    ) {
+    let SalesforceSchema = datatable(
+    api_version_s: string,
+    browser_type_s: string,
+    cipher_suite_s: string,
+    client_ip_s: string,
+    delegated_user_id_s: string,
+    delegated_user_name_s: string,
+    event_type_s: string,
+    login_key_s: string,
+    login_status_s: string,
+    login_type_s: string,
+    login_sub_type_s: string,
+    organization_id_s: string,
+    platform_type_s: string,
+    request_id_s: string,
+    request_status_s: string,
+    session_key_s: string,
+    source_ip_s: string,
+    timestamp_s: string,
+    tls_protocol_s: string,
+    uri_s: string,
+    user_id_s: string,
+    user_name_s: string,
+    user_type_s: string,
+    wave_session_id_g: string
+    )[];
+        let EventResultLookup = datatable (
+        login_status_s: string,
+        DvcAction: string,
+        EventResultDetails: string,
+        EventResult: string,
+        EventSeverity: string
+    )[
+        "LOGIN_CHALLENGE_ISSUED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_CHALLENGE_PENDING", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_DATA_DOWNLOAD_ONLY", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Blocked", "Logon violates policy", "Failure", "Informational",
+        "LOGIN_ERROR_API_TOO_OLD", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ASYNC_USER_CREATE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_AVANTGO_DISABLED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_CLIENT_NO_ACCESS", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_CSS_FROZEN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_CSS_PW_LOCKOUT", "Blocked", "User locked", "Failure", "Informational",
+        "LOGIN_ERROR_DUPLICATE_USERNAME", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_EXPORT_RESTRICTED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_HT_DOWN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_HTP_METHD_INVALID", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_INSECURE_LOGIN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_INVALID_GATEWAY", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_INVALID_ID_FIELD", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_INVALID_PASSWORD", "Blocked", "Incorrect password", "Failure", "Informational",
+        "LOGIN_ERROR_LOGINS_EXCEEDED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_MUST_USE_API_TOKEN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_NETWORK_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_NO_HT_ACCESS", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_NO_NETWORK_ACCESS", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_NO_NETWORK_INFO", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_NO_SET_COOKIES", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_OFFLINE_DISABLED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_CLOSED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_IS_DOT_ORG", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_LOCKOUT", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_SIGNING_UP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_ORG_SUSPENDED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_OUTLOOK_DISABLED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Blocked", "Session expired", "Failure", "Informational",
+        "LOGIN_ERROR_PASSWORD_EMPTY", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_PASSWORD_LOCKOUT", "Blocked", "User locked", "Failure", "Informational",
+        "LOGIN_ERROR_PORTAL_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_RATE_EXCEEDED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_RESTRICTED_DOMAIN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_RESTRICTED_TIME", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_SESSION_TIMEOUT", "Blocked", "Session expired", "Failure", "Informational",
+        "LOGIN_ERROR_SSO_PWD_INVALID", "Blocked", "Incorrect password", "Failure", "Informational",
+        "LOGIN_ERROR_SSO_SVC_DOWN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_SSO_URL_INVALID", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_STORE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_STORE_DOWN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_SYSTEM_DOWN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_USER_API_ONLY", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_USER_FROZEN", "Blocked", "User locked", "Failure", "Informational",
+        "LOGIN_ERROR_USER_INACTIVE", "Blocked", "User disabled", "Failure", "Informational",
+        "LOGIN_ERROR_USER_NON_MOBILE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_USER_STORE_ACCESS", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_USERNAME_EMPTY", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_WIRELESS_DISABLED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_LIGHTNING_LOGIN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_NO_ERROR", "Allowed", "", "Success", "Informational",
+        "LOGIN_OAUTH_API_DISABLED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_CONSUMER_DELETED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_DS_NOT_EXPECTED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_DEVICE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_DS", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_DSIG", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_IP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_NONCE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_SIG_METHOD", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_TOKEN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_VERIFIER", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_MISSING_DS", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_NO_CALLBACK_URL", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_NO_CONSUMER", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_NO_TOKEN", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_NONCE_REPLAY", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_PACKAGE_MISSING", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_PACKAGE_OLD", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_OAUTH_UNEXPECTED_PARAM", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_ORG_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_READONLY_CANNOT_VALIDATE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_AUDIENCE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_CONFIG", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_FORMAT", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_IN_RES_TO", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_ISSUER", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_ORG_ID", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_PORTAL_ID", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_RECIPIENT", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_SESSION_LEVEL", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_SIGNATURE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_SITE_URL", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_STATUS", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_SUB_CONFIRM", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_USERNAME", "Blocked", "No such user", "Failure", "Informational",
+        "LOGIN_SAML_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_MISMATCH_CERT", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_MISSING_ORG_ID", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_MISSING_PORTAL_ID", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_PROVISION_ERROR", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_REPLAY_ATTEMPTED", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_SAML_SITE_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+        "LOGIN_TWOFACTOR_REQ", "Blocked", "Logon violates policy", "Failure", "Informational"
+    ];
+        let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);
+        let EventTypeLookup = datatable(event_type_s: string, EventType: string)[
+        "Login", "Logon",
+        "LoginAs", "Logon",
+        "Logout", "Logoff"
+    ];
+        let DvcOsLookup = datatable(
+        platform_type_s: string,
+        DvcOs: string,
+        DvcOsVersion: string
+    )[
+        "1000", "Windows", "",
+        "1008", "Windows", "2003",
+        "1013", "Windows", "8.1",
+        "1015", "Windows", "10",
+        "2003", "Macintosh/Apple", "OSX",
+        "4000", "Linux", "",
+        "5005", "Android", "",
+        "5006", "iPhone", "",
+        "5007", "iPad", "",
+        "5200", "Android", "10.0"
+    ];
+        let LogonMethodLookup = datatable(
+        LoginType_s: string,
+        LogonMethodOriginal: string,
+        LogonMethod: string
+    )[
+        "7", "AppExchange", "Other",
+        "A", "Application", "Other",
+        "s", "Certificate-based login", "PKI",
+        "k", "Chatter Communities External User", "Other",
+        "n", "Chatter Communities External User Third Party SSO", "Other",
+        "r", "Employee Login to Community", "Other",
+        "z", "Lightning Login", "Username & Password",
+        "l", "Networks Portal API Only", "Other",
+        "6", "Remote Access Client", "Other",
+        "i", "Remote Access 2.0", "Other",
+        "I", "Other Apex API", "Other",
+        "R", "Partner Product", "Other",
+        "w", "Passwordless Login", "Passwordless",
+        "3", "Customer Service Portal", "Other",
+        "q", "Partner Portal Third-Party SSO", "Other",
+        "9", "Partner Portal", "Other",
+        "5", "SAML Idp Initiated SSO", "Other",
+        "m", "SAML Chatter Communities External User SSO", "Other",
+        "b", "SAML Customer Service Portal SSO", "Other",
+        "c", "SAML Partner Portal SSO", "Other",
+        "h", "SAML Site SSO", "Other",
+        "8", "SAML Sfdc Initiated SSO", "Other",
+        "E", "SelfService", "Other",
+        "j", "Third Party SSO", "Other"
+    ];
+        let LogonProtocolLookup = datatable(
+        LoginSubType_s: string,
+        LogonProtocolOriginal: string,
+        LogonProtocol: string
+    )[
+        "uiup", "UI Username-Password", "Basic Auth",
+        "oauthpassword", "OAuth Username-Password", "OAuth",
+        "oauthtoken", "OAuth User-Agent", "OAuth",
+        "oauthhybridtoken", "OAuth User-Agent for Hybrid Apps", "OAuth",
+        "oauthtokenidtoken", "OAuth User-Agent with ID Token", "OAuth",
+        "oauthclientcredential", "OAuth Client Credential", "OAuth",
+        "oauthcode", "OAuth Web Server", "OAuth",
+        "oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth",
+    ];
+        let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[
+        "S", "Success",
+        "F", "Failure",
+        "A", "Failure",
+        "R", "Success",
+        "N", "Failure",
+        "U", "NA"
+    ];
+        let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[
+        "CsnOnly", "Other",
+        "CspLitePortal", "Other",
+        "CustomerSuccess", "Other",
+        "Guest", "Anonymous",
+        "PowerCustomerSuccess", "Other",
+        "PowerPartner", "Other",
+        "SelfService", "Other",
+        "Standard", "Regular",
+        "A", "Application",
+        "b", "Other",
+        "C", "Other",
+        "D", "Other",
+        "F", "Other",
+        "G", "Anonymous",
+        "L", "Other",
+        "N", "Service",
+        "n", "Other",
+        "O", "Other",
+        "o", "Other",
+        "P", "Other",
+        "p", "Other",
+        "S", "Regular",
+        "X", "Admin"
+    ];
+        union isfuzzy=true
+            SalesforceSchema,
+            SalesforceServiceCloud_CL 
+        | where not(disabled)
+        | where event_type_s in~ (SalesforceEventType)
+        | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))
+        | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s
+        | lookup EventResultLookup on login_status_s
+        | lookup EventTypeLookup on event_type_s
+        | lookup LogonMethodLookup on LoginType_s
+        | lookup LogonProtocolLookup on LoginSubType_s
+        | lookup TempEventResultLookup on request_status_s
+        | lookup DvcOsLookup on platform_type_s
+        | lookup UserTypeLookup on user_type_s
+        | project-rename
+            EventProductVersion = api_version_s,
+            EventOriginalResultDetails = login_status_s,
+            TargetUserId = user_id_s,
+            SrcIpAddr = source_ip_s,
+            EventOriginalUid = request_id_s,
+            TlsCipher = cipher_suite_s,
+            TlsVersion = tls_protocol_s,
+            HttpUserAgent= browser_type_s,
+            TargetUserScopeId = organization_id_s,
+            TargetUrl = uri_s,
+            TargetOriginalUserType = user_type_s,
+            ActorUsername = delegated_user_name_s,
+            ActorUserId = delegated_user_id_s,
+            TargetUsername = user_name_s
+        | extend
+            EventVendor = 'Salesforce',
+            EventProduct='Service Cloud',
+            EventCount = int(1),
+            EventSchema = 'Authentication',
+            EventSchemaVersion = '0.1.3',
+            TargetAppName = "Salesforce Dot Com(SFDC)",
+            TargetAppType = "SaaS application",
+            EventUid = _ItemId,
+            EventOriginalType=event_type_s,
+            SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)
+        | extend
+            TargetSessionId = coalesce(session_key_s, login_key_s),
+            TargetUserScope = "Salesforce Organization",
+            TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""),
+            ActorUserIdType = iff(isnotempty(ActorUserId), "SaleforceId", ""),
+            TargetUsernameType = iff(isnotempty(TargetUsername), "UPN", ""),
+            ActorUsernameType = iff(isnotempty(ActorUsername), "UPN", ""),
+            User = coalesce(TargetUsername, TargetUserId),
+            Src = SrcIpAddr,
+            IpAddr = SrcIpAddr,
+            Dvc = EventProduct,
+            EventResult = coalesce(EventResult, TempEventResult),
+            Application = TargetAppName,
+            EventStartTime = TimeGenerated,
+            EventEndTime = TimeGenerated
+        | project-away
+            *_s,
+            *_t,
+            *_g,
+            TenantId,
+            SourceSystem,
+            Computer,
+            MG,
+            ManagementGroupName,
+            Message,
+            RawData,
+            TempEventResult,
+            _ItemId
+    };
+    parser(disabled=disabled)

Parsers/ASimAuthentication/Parsers/imAuthentication.yaml

@@ -49,13 +49,13 @@ ParserQuery: |
       , vimAuthenticationCiscoISE                       (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationCiscoISE' in (DisabledParsers) )))
       , vimAuthenticationBarracudaWAF                   (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationBarracudaWAF' in (DisabledParsers) )))
       , vimAuthenticationVectraXDRAudit               (starttime, endtime, (imAuthenticationDisabled or('ExcludevimAuthenticationVectraXDRAudit' in (DisabledParsers) )))
+      , vimAuthenticationSalesforceSC                   (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSalesforceSC' in (DisabledParsers) )))
       , vimAuthenticationPaloAltoCortexDataLake         (starttime, endtime, targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )))
       , vimAuthenticationSentinelOne                    (starttime, endtime, targetusername_has, (imAuthenticationDisabled or('ExcludevimAuthenticationSentinelOne' in (DisabledParsers) )))
       , vimAuthenticationCrowdStrikeFalconHost          (starttime=starttime, endtime=endtime, targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )))
       , vimAuthenticationVMwareCarbonBlackCloud         (starttime=starttime, endtime=endtime,  targetusername_has_any=targetusername_has, disabled=(imAuthenticationDisabled or('ExcludevimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) )))
   };
   Generic(starttime, endtime, targetusername_has)
-
 Parsers:
   - _Im_Authentication_Empty
   - _Im_Authentication_AADManagedIdentitySignInLogs  
@@ -76,6 +76,7 @@ Parsers:
   - _Im_Authentication_BarracudaWAF
   - _Im_Authentication_VectraXDRAudit
   - _Im_Authentication_SentinelOne
+  - _Im_Authentication_SalesforceSC
   - _Im_Authentication_PaloAltoCortexDataLake
   - _Im_Authentication_VMwareCarbonBlackCloud
   - _Im_Authentication_CrowdStrikeFalconHost

Parsers/ASimAuthentication/Parsers/vimAuthenticationSalesforceSC.yaml

@@ -0,0 +1,367 @@
+Parser:
+  Title: ASIM Authentication filtering parser for Salesforce Service Cloud
+  Version: "0.1.0"
+  LastUpdated: Dec 12th, 2023
+Product:
+  Name: Salesforce Service Cloud
+Normalization:
+  Schema: Authentication
+  Version: "0.1.3"
+References:
+  - Title: Using functions
+    Link: https://docs.microsoft.com/azure/azure-monitor/log-query/function
+  - Title: ASIM Authentication Schema
+    Link: https://aka.ms/ASimAuthenticationDoc
+  - Title: ASIM
+    Link: https:/aka.ms/AboutASIM
+  - Title: Salesforce Service Cloud
+    Link: https://developer.salesforce.com/docs/atlas.en-us.object_reference.meta/object_reference/sforce_api_objects_eventlogfile_login.htm
+Description: |
+  This ASIM parser supports filtering and normalizing the Salesforce Service Cloud logs stored in 'SalesforceServiceCloud_CL' table to the ASIM authentication normalized schema.
+ParserName: vimAuthenticationSalesforceSC
+EquivalentBuiltInParser: _Im_Authentication_SalesforceSC
+ParserParams:
+  - Name: starttime
+    Type: datetime
+    Default: datetime(null)
+  - Name: endtime
+    Type: datetime
+    Default: datetime(null)
+  - Name: targetusername_has
+    Type: string
+    Default: "*"
+  - Name: disabled
+    Type: bool
+    Default: false
+ParserQuery: |
+  let parser = (
+    starttime: datetime=datetime(null), 
+    endtime: datetime=datetime(null), 
+    targetusername_has: string="*",
+    disabled: bool=false
+    ) {
+    let SalesforceSchema = datatable(
+    api_version_s: string,
+    browser_type_s: string,
+    cipher_suite_s: string,
+    client_ip_s: string,
+    delegated_user_id_s: string,
+    delegated_user_name_s: string,
+    event_type_s: string,
+    login_key_s: string,
+    login_status_s: string,
+    login_type_s: string,
+    login_sub_type_s: string,
+    organization_id_s: string,
+    platform_type_s: string,
+    request_id_s: string,
+    request_status_s: string,
+    session_key_s: string,
+    source_ip_s: string,
+    timestamp_s: string,
+    tls_protocol_s: string,
+    uri_s: string,
+    user_id_s: string,
+    user_name_s: string,
+    user_type_s: string,
+    wave_session_id_g: string
+  )[];
+      let EventResultLookup = datatable (
+      login_status_s: string,
+      DvcAction: string,
+      EventResultDetails: string,
+      EventResult: string,
+      EventSeverity: string
+  )[
+      "LOGIN_CHALLENGE_ISSUED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_CHALLENGE_PENDING", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_DATA_DOWNLOAD_ONLY", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_END_SESSION_TXN_SECURITY_POLICY", "Blocked", "Logon violates policy", "Failure", "Informational",
+      "LOGIN_ERROR_API_TOO_OLD", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ASYNC_USER_CREATE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_AVANTGO_DISABLED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_AVANTGO_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_CLIENT_NO_ACCESS", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_CLIENT_REQ_UPDATE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_CSS_FROZEN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_CSS_PW_LOCKOUT", "Blocked", "User locked", "Failure", "Informational",
+      "LOGIN_ERROR_DUPLICATE_USERNAME", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_EXPORT_RESTRICTED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_GLOBAL_BLOCK_DOMAIN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_HT_DOWN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_HTP_METHD_INVALID", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_INSECURE_LOGIN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_INVALID_GATEWAY", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_INVALID_ID_FIELD", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_INVALID_PASSWORD", "Blocked", "Incorrect password", "Failure", "Informational",
+      "LOGIN_ERROR_LOGINS_EXCEEDED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_MUST_USE_API_TOKEN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_MUTUAL_AUTHENTICATION", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_NETWORK_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_NO_HT_ACCESS", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_NO_NETWORK_ACCESS", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_NO_NETWORK_INFO", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_NO_SET_COOKIES", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_OFFLINE_DISABLED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_OFFLINE_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_CLOSED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_DOMAIN_ONLY", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_IN_MAINTENANCE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_IS_DOT_ORG", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_LOCKOUT", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_SIGNING_UP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_ORG_SUSPENDED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_OUTLOOK_DISABLED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_PAGE_REQUIRES_LOGIN", "Blocked", "Session expired", "Failure", "Informational",
+      "LOGIN_ERROR_PASSWORD_EMPTY", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_PASSWORD_LOCKOUT", "Blocked", "User locked", "Failure", "Informational",
+      "LOGIN_ERROR_PORTAL_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_RATE_EXCEEDED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_RESTRICTED_DOMAIN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_RESTRICTED_TIME", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_SESSION_TIMEOUT", "Blocked", "Session expired", "Failure", "Informational",
+      "LOGIN_ERROR_SSO_PWD_INVALID", "Blocked", "Incorrect password", "Failure", "Informational",
+      "LOGIN_ERROR_SSO_SVC_DOWN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_SSO_URL_INVALID", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_STORE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_STORE_DOWN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_SWITCH_SFDC_INSTANCE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_SWITCH_SFDC_LOGIN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_SYNCOFFLINE_DISBLD", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_SYSTEM_DOWN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_USER_API_ONLY", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_USER_FROZEN", "Blocked", "User locked", "Failure", "Informational",
+      "LOGIN_ERROR_USER_INACTIVE", "Blocked", "User disabled", "Failure", "Informational",
+      "LOGIN_ERROR_USER_NON_MOBILE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_USER_STORE_ACCESS", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_USERNAME_EMPTY", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_WIRELESS_DISABLED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ERROR_WIRELESS_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_LIGHTNING_LOGIN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_NO_ERROR", "Allowed", "", "Success", "Informational",
+      "LOGIN_OAUTH_API_DISABLED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_CONSUMER_DELETED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_DS_NOT_EXPECTED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_EXCEED_GET_AT_LMT", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_CODE_CHALLENGE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_CODE_VERIFIER", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_DEVICE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_DS", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_DSIG", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_IP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_NONCE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_SIG_METHOD", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_TOKEN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_VERIFIER", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_MISSING_DS", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_NO_CALLBACK_URL", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_NO_CONSUMER", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_NO_TOKEN", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_NONCE_REPLAY", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_PACKAGE_MISSING", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_PACKAGE_OLD", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_OAUTH_UNEXPECTED_PARAM", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_ORG_TRIAL_EXP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_READONLY_CANNOT_VALIDATE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_AUDIENCE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_CONFIG", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_FORMAT", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_IN_RES_TO", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_ISSUER", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_ORG_ID", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_PORTAL_ID", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_RECIPIENT", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_SESSION_LEVEL", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_SIGNATURE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_SITE_URL", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_STATUS", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_SUB_CONFIRM", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_TIMESTAMP", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_USERNAME", "Blocked", "No such user", "Failure", "Informational",
+      "LOGIN_SAML_INVALID_VERSION", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_MISMATCH_CERT", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_MISSING_ORG_ID", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_MISSING_PORTAL_ID", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_PROVISION_ERROR", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_REPLAY_ATTEMPTED", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_SAML_SITE_INACTIVE", "Blocked", "Other", "Failure", "Informational",
+      "LOGIN_TWOFACTOR_REQ", "Blocked", "Logon violates policy", "Failure", "Informational"
+  ];
+      let SalesforceEventType = dynamic(['Login', 'LoginAs', 'Logout']);
+      let EventTypeLookup = datatable(event_type_s: string, EventType: string)[
+      "Login", "Logon",
+      "LoginAs", "Logon",
+      "Logout", "Logoff"
+  ];
+      let DvcOsLookup = datatable(
+      platform_type_s: string,
+      DvcOs: string,
+      DvcOsVersion: string
+  )[
+      "1000", "Windows", "",
+      "1008", "Windows", "2003",
+      "1013", "Windows", "8.1",
+      "1015", "Windows", "10",
+      "2003", "Macintosh/Apple", "OSX",
+      "4000", "Linux", "",
+      "5005", "Android", "",
+      "5006", "iPhone", "",
+      "5007", "iPad", "",
+      "5200", "Android", "10.0"
+  ];
+      let LogonMethodLookup = datatable(
+      LoginType_s: string,
+      LogonMethodOriginal: string,
+      LogonMethod: string
+  )[
+      "7", "AppExchange", "Other",
+      "A", "Application", "Other",
+      "s", "Certificate-based login", "PKI",
+      "k", "Chatter Communities External User", "Other",
+      "n", "Chatter Communities External User Third Party SSO", "Other",
+      "r", "Employee Login to Community", "Other",
+      "z", "Lightning Login", "Username & Password",
+      "l", "Networks Portal API Only", "Other",
+      "6", "Remote Access Client", "Other",
+      "i", "Remote Access 2.0", "Other",
+      "I", "Other Apex API", "Other",
+      "R", "Partner Product", "Other",
+      "w", "Passwordless Login", "Passwordless",
+      "3", "Customer Service Portal", "Other",
+      "q", "Partner Portal Third-Party SSO", "Other",
+      "9", "Partner Portal", "Other",
+      "5", "SAML Idp Initiated SSO", "Other",
+      "m", "SAML Chatter Communities External User SSO", "Other",
+      "b", "SAML Customer Service Portal SSO", "Other",
+      "c", "SAML Partner Portal SSO", "Other",
+      "h", "SAML Site SSO", "Other",
+      "8", "SAML Sfdc Initiated SSO", "Other",
+      "E", "SelfService", "Other",
+      "j", "Third Party SSO", "Other"
+  ];
+      let LogonProtocolLookup = datatable(
+      LoginSubType_s: string,
+      LogonProtocolOriginal: string,
+      LogonProtocol: string
+  )[
+      "uiup", "UI Username-Password", "Basic Auth",
+      "oauthpassword", "OAuth Username-Password", "OAuth",
+      "oauthtoken", "OAuth User-Agent", "OAuth",
+      "oauthhybridtoken", "OAuth User-Agent for Hybrid Apps", "OAuth",
+      "oauthtokenidtoken", "OAuth User-Agent with ID Token", "OAuth",
+      "oauthclientcredential", "OAuth Client Credential", "OAuth",
+      "oauthcode", "OAuth Web Server", "OAuth",
+      "oauthhybridauthcode", "OAuth Web Server for Hybrid Apps", "OAuth",
+  ];
+      let TempEventResultLookup = datatable(request_status_s: string, TempEventResult: string)[
+      "S", "Success",
+      "F", "Failure",
+      "A", "Failure",
+      "R", "Success",
+      "N", "Failure",
+      "U", "NA"
+  ];
+      let UserTypeLookup = datatable(user_type_s: string, TargetUserType: string)[
+      "CsnOnly", "Other",
+      "CspLitePortal", "Other",
+      "CustomerSuccess", "Other",
+      "Guest", "Anonymous",
+      "PowerCustomerSuccess", "Other",
+      "PowerPartner", "Other",
+      "SelfService", "Other",
+      "Standard", "Regular",
+      "A", "Application",
+      "b", "Other",
+      "C", "Other",
+      "D", "Other",
+      "F", "Other",
+      "G", "Anonymous",
+      "L", "Other",
+      "N", "Service",
+      "n", "Other",
+      "O", "Other",
+      "o", "Other",
+      "P", "Other",
+      "p", "Other",
+      "S", "Regular",
+      "X", "Admin"
+  ];
+      union isfuzzy=true
+          SalesforceSchema,
+          SalesforceServiceCloud_CL 
+      | where not(disabled)
+      | extend TimeGenerated = todatetime(tostring(split(timestamp_s, '.', 0)[0]))
+      //  -- Pre filtering
+      | where 
+          (isnull(starttime) or TimeGenerated >= starttime) 
+          and (isnull(endtime) or TimeGenerated <= endtime)
+          and (targetusername_has == '*' or (user_name_s has targetusername_has))
+          and event_type_s in~ (SalesforceEventType)
+      //  -- end pre-filtering
+      | extend LoginType_s = login_type_s, LoginSubType_s = login_sub_type_s
+      | lookup EventResultLookup on login_status_s
+      | lookup EventTypeLookup on event_type_s
+      | lookup LogonMethodLookup on LoginType_s
+      | lookup LogonProtocolLookup on LoginSubType_s
+      | lookup TempEventResultLookup on request_status_s
+      | lookup DvcOsLookup on platform_type_s
+      | lookup UserTypeLookup on user_type_s
+      | project-rename
+          EventProductVersion = api_version_s,
+          EventOriginalResultDetails = login_status_s,
+          TargetUserId = user_id_s,
+          SrcIpAddr = source_ip_s,
+          EventOriginalUid = request_id_s,
+          TlsCipher = cipher_suite_s,
+          TlsVersion = tls_protocol_s,
+          HttpUserAgent= browser_type_s,
+          TargetUserScopeId = organization_id_s,
+          TargetUrl = uri_s,
+          TargetOriginalUserType = user_type_s,
+          ActorUsername = delegated_user_name_s,
+          ActorUserId = delegated_user_id_s,
+          TargetUsername = user_name_s
+      | extend
+          EventVendor = 'Salesforce',
+          EventProduct='Service Cloud',
+          EventCount = int(1),
+          EventSchema = 'Authentication',
+          EventSchemaVersion = '0.1.3',
+          TargetAppName = "Salesforce Dot Com(SFDC)",
+          TargetAppType = "SaaS application",
+          EventUid = _ItemId,
+          EventOriginalType=event_type_s,
+          SrcIpAddr = coalesce(SrcIpAddr, client_ip_s)
+      | extend
+          TargetSessionId = coalesce(session_key_s, login_key_s),
+          TargetUserScope = "Salesforce Organization",
+          TargetUserIdType = iff(isnotempty(TargetUserId), "SaleforceId", ""),
+          ActorUserIdType = iff(isnotempty(ActorUserId), "SaleforceId", ""),
+          TargetUsernameType = iff(isnotempty(TargetUsername), "UPN", ""),
+          ActorUsernameType = iff(isnotempty(ActorUsername), "UPN", ""),
+          User = coalesce(TargetUsername, TargetUserId),
+          Src = SrcIpAddr,
+          IpAddr = SrcIpAddr,
+          Dvc = EventProduct,
+          EventResult = coalesce(EventResult, TempEventResult),
+          Application = TargetAppName,
+          EventStartTime = TimeGenerated,
+          EventEndTime = TimeGenerated
+      | project-away
+          *_s,
+          *_t,
+          *_g,
+          TenantId,
+          SourceSystem,
+          Computer,
+          MG,
+          ManagementGroupName,
+          Message,
+          RawData,
+          TempEventResult,
+          _ItemId
+  };
+  parser (starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)

Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_DataTest.csv

@@ -0,0 +1,22 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 450 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(1) Warning: Empty value in 300 records (66.67%)  in mandatory field [EventResult] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%)  in optional field [HttpUserAgent] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%)  in optional field [TargetUrl] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [ActorUserId] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [ActorUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [DvcOsVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [DvcOs] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [EventOriginalResultDetails] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [EventProductVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [TargetOriginalUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in recommended field [DvcAction] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in recommended field [EventSeverity] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [LogonMethod] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [LogonProtocol] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [TargetUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [TargetUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in recommended field [EventResultDetails] (Schema:Authentication)"

Parsers/ASimAuthentication/Tests/Salesforce_ASimAuthentication_SchemaTest.csv

@@ -0,0 +1,87 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [DvcHostname]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [TargetDomain]"
+"(1) Warning: Missing recommended field [TargetHostname]"
+"(2) Info: Missing optional field [ActingAppId]"
+"(2) Info: Missing optional field [ActingAppName]"
+"(2) Info: Missing optional field [ActingAppType]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserType]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [LogonTarget]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDomain]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcOs]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcHostname]"
+"(2) Info: Missing optional field [SrcIsp]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [TargetAppId]"
+"(2) Info: Missing optional field [TargetDescription]"
+"(2) Info: Missing optional field [TargetDeviceType]"
+"(2) Info: Missing optional field [TargetDvcId]"
+"(2) Info: Missing optional field [TargetDvcOs]"
+"(2) Info: Missing optional field [TargetDvcScopeId]"
+"(2) Info: Missing optional field [TargetDvcScope]"
+"(2) Info: Missing optional field [TargetFQDN]"
+"(2) Info: Missing optional field [TargetGeoCity]"
+"(2) Info: Missing optional field [TargetGeoCountry]"
+"(2) Info: Missing optional field [TargetGeoLatitude]"
+"(2) Info: Missing optional field [TargetGeoLongitude]"
+"(2) Info: Missing optional field [TargetGeoRegion]"
+"(2) Info: Missing optional field [TargetIpAddr]"
+"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
+"(2) Info: Missing optional field [TargetPortNumber]"
+"(2) Info: Missing optional field [TargetRiskLevel]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: extra unnormalized column [LogonMethodOriginal]"
+"(2) Info: extra unnormalized column [LogonProtocolOriginal]"
+"(2) Info: extra unnormalized column [TlsCipher]"
+"(2) Info: extra unnormalized column [TlsVersion]"
+"(2) Info: extra unnormalized column [_ResourceId]"

Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_DataTest.csv

@@ -0,0 +1,22 @@
+Result
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [ActorUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [IpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 150 records (33.33%) for field [SrcIpAddr] of type [IP Address]: [""Salesforce.com IP""] (Schema:Authentication)"
+"(0) Error: 1 invalid value(s) (up to 10 listed) in 450 records (100.0%) for field [TargetUserIdType] of type [Enumerated]: [""SaleforceId""] (Schema:Authentication)"
+"(1) Warning: Empty value in 300 records (66.67%)  in mandatory field [EventResult] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%)  in optional field [HttpUserAgent] (Schema:Authentication)"
+"(2) Info: Empty value in 150 records (33.33%)  in optional field [TargetUrl] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [ActorUserId] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [ActorUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [DvcOsVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [DvcOs] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [EventOriginalResultDetails] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [EventProductVersion] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in optional field [TargetOriginalUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in recommended field [DvcAction] (Schema:Authentication)"
+"(2) Info: Empty value in 300 records (66.67%)  in recommended field [EventSeverity] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [LogonMethod] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [LogonProtocol] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [TargetUserType] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in optional field [TargetUsername] (Schema:Authentication)"
+"(2) Info: Empty value in 450 records (100.0%)  in recommended field [EventResultDetails] (Schema:Authentication)"

Parsers/ASimAuthentication/Tests/Salesforce_vimAuthentication_SchemaTest.csv

@@ -0,0 +1,87 @@
+Result
+"(1) Warning: Missing recommended field [Dst]"
+"(1) Warning: Missing recommended field [DvcDomain]"
+"(1) Warning: Missing recommended field [DvcHostname]"
+"(1) Warning: Missing recommended field [DvcIpAddr]"
+"(1) Warning: Missing recommended field [TargetDomain]"
+"(1) Warning: Missing recommended field [TargetHostname]"
+"(2) Info: Missing optional field [ActingAppId]"
+"(2) Info: Missing optional field [ActingAppName]"
+"(2) Info: Missing optional field [ActingAppType]"
+"(2) Info: Missing optional field [ActorOriginalUserType]"
+"(2) Info: Missing optional field [ActorScopeId]"
+"(2) Info: Missing optional field [ActorScope]"
+"(2) Info: Missing optional field [ActorSessionId]"
+"(2) Info: Missing optional field [ActorUserType]"
+"(2) Info: Missing optional field [AdditionalFields]"
+"(2) Info: Missing optional field [DvcDescription]"
+"(2) Info: Missing optional field [DvcFQDN]"
+"(2) Info: Missing optional field [DvcId]"
+"(2) Info: Missing optional field [DvcInterface]"
+"(2) Info: Missing optional field [DvcMacAddr]"
+"(2) Info: Missing optional field [DvcOriginalAction]"
+"(2) Info: Missing optional field [DvcScopeId]"
+"(2) Info: Missing optional field [DvcScope]"
+"(2) Info: Missing optional field [DvcZone]"
+"(2) Info: Missing optional field [EventMessage]"
+"(2) Info: Missing optional field [EventOriginalSeverity]"
+"(2) Info: Missing optional field [EventOriginalSubType]"
+"(2) Info: Missing optional field [EventOwner]"
+"(2) Info: Missing optional field [EventReportUrl]"
+"(2) Info: Missing optional field [EventSubType]"
+"(2) Info: Missing optional field [LogonTarget]"
+"(2) Info: Missing optional field [RuleName]"
+"(2) Info: Missing optional field [RuleNumber]"
+"(2) Info: Missing optional field [Rule]"
+"(2) Info: Missing optional field [SrcDescription]"
+"(2) Info: Missing optional field [SrcDeviceType]"
+"(2) Info: Missing optional field [SrcDomain]"
+"(2) Info: Missing optional field [SrcDvcId]"
+"(2) Info: Missing optional field [SrcDvcOs]"
+"(2) Info: Missing optional field [SrcDvcScopeId]"
+"(2) Info: Missing optional field [SrcDvcScope]"
+"(2) Info: Missing optional field [SrcFQDN]"
+"(2) Info: Missing optional field [SrcGeoCity]"
+"(2) Info: Missing optional field [SrcGeoCountry]"
+"(2) Info: Missing optional field [SrcGeoLatitude]"
+"(2) Info: Missing optional field [SrcGeoLongitude]"
+"(2) Info: Missing optional field [SrcGeoRegion]"
+"(2) Info: Missing optional field [SrcHostname]"
+"(2) Info: Missing optional field [SrcIsp]"
+"(2) Info: Missing optional field [SrcOriginalRiskLevel]"
+"(2) Info: Missing optional field [SrcPortNumber]"
+"(2) Info: Missing optional field [SrcRiskLevel]"
+"(2) Info: Missing optional field [TargetAppId]"
+"(2) Info: Missing optional field [TargetDescription]"
+"(2) Info: Missing optional field [TargetDeviceType]"
+"(2) Info: Missing optional field [TargetDvcId]"
+"(2) Info: Missing optional field [TargetDvcOs]"
+"(2) Info: Missing optional field [TargetDvcScopeId]"
+"(2) Info: Missing optional field [TargetDvcScope]"
+"(2) Info: Missing optional field [TargetFQDN]"
+"(2) Info: Missing optional field [TargetGeoCity]"
+"(2) Info: Missing optional field [TargetGeoCountry]"
+"(2) Info: Missing optional field [TargetGeoLatitude]"
+"(2) Info: Missing optional field [TargetGeoLongitude]"
+"(2) Info: Missing optional field [TargetGeoRegion]"
+"(2) Info: Missing optional field [TargetIpAddr]"
+"(2) Info: Missing optional field [TargetOriginalRiskLevel]"
+"(2) Info: Missing optional field [TargetPortNumber]"
+"(2) Info: Missing optional field [TargetRiskLevel]"
+"(2) Info: Missing optional field [ThreatCategory]"
+"(2) Info: Missing optional field [ThreatConfidence]"
+"(2) Info: Missing optional field [ThreatField]"
+"(2) Info: Missing optional field [ThreatFirstReportedTime]"
+"(2) Info: Missing optional field [ThreatId]"
+"(2) Info: Missing optional field [ThreatIpAddr]"
+"(2) Info: Missing optional field [ThreatIsActive]"
+"(2) Info: Missing optional field [ThreatLastReportedTime]"
+"(2) Info: Missing optional field [ThreatName]"
+"(2) Info: Missing optional field [ThreatOriginalConfidence]"
+"(2) Info: Missing optional field [ThreatOriginalRiskLevel]"
+"(2) Info: Missing optional field [ThreatRiskLevel]"
+"(2) Info: extra unnormalized column [LogonMethodOriginal]"
+"(2) Info: extra unnormalized column [LogonProtocolOriginal]"
+"(2) Info: extra unnormalized column [TlsCipher]"
+"(2) Info: extra unnormalized column [TlsVersion]"
+"(2) Info: extra unnormalized column [_ResourceId]"