Fix:Comments

2023-10-10 16:42:17 +02:00 · 2023-10-10 16:42:17 +02:00 · 607ebaa2ef
--- a/ASIM/dev/ASimTester/ASimTester.csv
+++ b/ASIM/dev/ASimTester/ASimTester.csv
@ -353,7 +353,6 @@ DvcInterface,string,Optional,FileEvent,,,
 DvcInterface,string,Optional,NetworkSession,,,
 DvcInterface,string,Optional,ProcessEvent,,,
 DvcInterface,string,Optional,UserManagement,,,
-DvcIpAddr,IP address,Recommended,UserManagement,,,
 DvcIpAddr,string,Recommended,AuditEvent,IP Address,,
 DvcIpAddr,string,Recommended,Authentication,IP Address,,
 DvcIpAddr,string,Recommended,Common,IP Address,,
@ -363,6 +362,7 @@ DvcIpAddr,string,Recommended,FileEvent,IP Address,,
 DvcIpAddr,string,Recommended,NetworkSession,IP Address,,
 DvcIpAddr,string,Recommended,ProcessEvent,IP Address,,
 DvcIpAddr,string,Recommended,RegistryEvent,IP Address,,
+DvcIpAddr,string,Recommended,UserManagement,,,
 DvcIpAddr,string,Recommended,WebSession,IP Address,,
 DvcMacAddr,MAC address,Optional,UserManagement,,,
 DvcMacAddr,string,Optional,AuditEvent,MAC address,,
@ -638,7 +638,7 @@ EventSubType,string,Optional,Dns,Enumerated,request|response,
 EventSubType,string,Optional,FileEvent,Enumerated,Upload|Checkin|Download|Preview|Checkout|Extended|Recycle|Versions|Site,
 EventSubType,string,Optional,NetworkSession,Enumerated,Start|End|,
 EventSubType,string,Optional,ProcessEvent,,,
-EventSubType,string,Optional,UserManagement,Enumerated,UserRead|UserCreated|GroupCreated|UserModified|GroupModified,
+EventSubType,string,Optional,UserManagement,Enumerated,UserRead|UserCreated|GroupCreated|UserModified|GroupModified|password|shell|GID|expiration|UID,
 EventSubType,string,Optional,WebSession,,,
 EventType,string,Mandatory,AuditEvent,Enumerated,Set|Read|Create|Delete|Execute|Install|Clear|Enable|Disable|Initialize|Start|Stop|Terminate|Execute|Other,
 EventType,string,Mandatory,Authentication,Enumerated,Logon|Logoff|Elevate,
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagement.yaml
@ -1,7 +1,7 @@
 Parser:
  Title: User Management ASIM parser
  Version: '0.1.0'
-  LastUpdated: 16 Jul, 2023
+  LastUpdated: 15 Oct, 2023
 Product:
  Name: Source agnostic
 Normalization:
@ -18,6 +18,8 @@ ParserName: ASimUserManagement
 EquivalentBuiltInParser: _ASim_UserManagement
 Parsers:
  - _Im_UserManagement_Empty
+  - _ASim_UserManagement_CiscoISE 
+  - _ASim_UserManagement_LinuxAuthpriv
  - _ASim_UserManagement_MicrosoftSecurityEvent
  - _ASim_UserManagement_SentinelOne 
 ParserParams:
--- a/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
+++ b/Parsers/ASimUserManagement/Parsers/ASimUserManagementLinuxAuthpriv.yaml
@ -328,33 +328,33 @@ ParserQuery: |
      | invoke ItemParser()
  )
  | where not(disabled)
-  | invoke _ASIM_ResolveDvcFQDN ("Computer")
+  | invoke _ASIM_ResolveDvcFQDN ("HostName")
  | lookup SeverityLookup on SeverityLevel
  | project-rename 
-      ActiveAppName = ProcessName,
-      DvcId         = _ResourceId
+      ActingAppName = ProcessName,
+      DvcId         = _ResourceId,
+      DvcHostname   = HostName
  | extend
+      ActingAppId         = tostring(ProcessID),
+      ActingAppType       = "Process",
+      ActorUsernameType   = iif(isnotempty(ActorUsername), "Simple", ""),
+      DvcIdType           = iff (DvcId == "", "", "AzureResourceID"),
+      DvcOs               = "Linux",
      EventCount          = int(1),
      EventEndTime        = TimeGenerated,
      EventProduct        = "Authpriv",
      EventSchema         = "UserManagement",
      EventSchemaVersion  = "0.1.1",
-      EventSeverity       = "Informational",
      EventStartTime      = TimeGenerated,
-      EventVendor         = "Linux",
      EventUid            = _ItemId,
-      ActingAppType       = "Process",
-      Hostname            = DvcHostname,
-      DvcIdType           = iff (DvcId == "", "", "AzureResourceID"),
-      DvcIpAddr           = iif(HostIP == "Unknown IP","",HostIP),
-      DvcOs               = "Linux",
-      UpdatedPropertyName = EventSubType,
-      ActingAppId         = tostring(ProcessID),
-      TargetUserIdType    = iif(isnotempty(TargetUserId), "UID", ""),
-      TargetUsernameType  = iif(isnotempty(TargetUsername), "Simple", ""),
-      ActorUsernameType   = iif(isnotempty(ActorUsername), "Simple", ""),
+      EventVendor         = "Linux",
+      Hostname            = DvcHostname
      GroupIdType         = iif(isnotempty(GroupId), "UID", ""),
      GroupNameType       = iif(isnotempty(GroupName), "Simple", ""),
+      DvcIpAddr           = iif(HostIP == "Unknown IP","",HostIP),
+      TargetUserIdType    = iif(isnotempty(TargetUserId), "UID", ""),
+      TargetUsernameType  = iif(isnotempty(TargetUsername), "Simple", ""),
+      UpdatedPropertyName = EventSubType,
      User                = ActorUsername
  | extend
      Dvc = coalesce(DvcIpAddr, DvcHostname)
--- a/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
+++ b/Parsers/ASimUserManagement/Parsers/imUserManagement.yaml
@ -1,7 +1,7 @@
 Parser:
  Title: User Management ASIM filtering parser
  Version: '0.1.0'
-  LastUpdated: 16 Jul, 2023
+  LastUpdated: 15 Oct, 2023
 Product:
  Name: Source agnostic
 Normalization:
@ -18,6 +18,8 @@ ParserName: imUserManagement
 EquivalentBuiltInParser: _Im_UserManagement
 Parsers:
  - _Im_UserManagement_Empty
+  - _Im_UserManagement_CiscoISE 
+  - _Im_UserManagement_LinuxAuthpriv  
  - _Im_UserManagement_MicrosoftSecurityEvent
  - _Im_UserManagement_SentinelOne
 ParserParams:
--- a/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
+++ b/Parsers/ASimUserManagement/Parsers/vimUserManagementLinuxAuthpriv.yaml
@ -75,8 +75,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "useradd"
          and  SyslogMessage startswith "new user: name="
      | parse SyslogMessage with "new user: name=" TargetUsername ", UID=" TargetUserId ", GID=" GroupId ", " *
@ -95,8 +95,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "useradd"
          and SyslogMessage startswith "failed adding user '"
      | parse SyslogMessage with "failed adding user '" TargetUsername "', exit code: " EventOriginalResultDetails
@ -115,8 +115,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "useradd"
          and SyslogMessage startswith "new group: name="
      | parse SyslogMessage with "new user: name=" GroupName ", GID=" GroupId
@ -133,8 +133,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "useradd"
          and SyslogMessage startswith "cannot open login definitions"
      | extend EventType     = "UserCreated", 
@ -150,8 +150,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName =="useradd" 
          and SyslogMessage startswith "add '"
      | parse SyslogMessage with "add '" TargetUsername "'" * "group '" GroupName "'" 
@ -169,8 +169,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserModified" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserModified" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "usermod"
          and SyslogMessage startswith "change user name '"
      | parse SyslogMessage with "change user name '" TargetUsername "'" *
@ -188,8 +188,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserAddedToGroup" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserAddedToGroup" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName =="usermod" 
          and SyslogMessage startswith "add '"
      | parse SyslogMessage with "add '" TargetUsername "'" * "group '" GroupName "'" 
@ -207,8 +207,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserDisabled" in (eventtype_in)) or ("UserEnabled" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserDisabled" in (eventtype_in)) or ("UserEnabled" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "usermod"
          and SyslogMessage startswith "change user '"
          and not (SyslogMessage endswith "' password")
@ -232,8 +232,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "usermod"
          and SyslogMessage startswith "cannot open login definitions"
      | extend 
@ -250,8 +250,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("PasswordChanged" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("PasswordChanged" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "usermod"
          and SyslogMessage startswith "change user '"
          and SyslogMessage endswith "password"
@ -270,8 +270,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserLocked" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserLocked" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "usermod"
          and SyslogMessage startswith "lock user '"
          and SyslogMessage endswith "' password"
@ -290,8 +290,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserDeleted" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserDeleted" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "userdel"
          and SyslogMessage startswith "delete '"
      | parse SyslogMessage with "delete '" TargetUsername "'" * "group '" GroupName "'" *
@ -309,8 +309,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserDeleted" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserDeleted" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "userdel"
          and SyslogMessage startswith "delete user '"
      | parse SyslogMessage with "delete user '" TargetUsername "'" *
@ -328,8 +328,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserDeleted" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserDeleted" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "userdel"
          and (SyslogMessage startswith "removed group '" 
          or SyslogMessage startswith "removed shadow group '")
@ -348,8 +348,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "groupadd"
          and SyslogMessage startswith "group added to "
          and SyslogMessage has "GID="
@ -367,8 +367,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "groupadd"
          and SyslogMessage startswith "group added to "
          and not(SyslogMessage has "GID=")
@ -386,8 +386,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "groupadd"
          and SyslogMessage startswith "new group: name="
      | parse SyslogMessage with "new group: name=" GroupName ", GID=" GroupId
@ -404,8 +404,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("GroupCreated" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "groupadd"
          and SyslogMessage startswith "cannot open login definitions"
      | extend 
@ -422,8 +422,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("GroupModified" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("GroupModified" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "groupmod"
          and SyslogMessage startswith "group changed in "
      | parse SyslogMessage with "group changed in " * " (group " Temp_GroupName ", new name: " *
@ -446,8 +446,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("GroupModified" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("GroupModified" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "groupmod"
          and SyslogMessage startswith "failed to change "
      | parse SyslogMessage with "failed to change " * " (group " Temp_GroupName ", new name: " *
@ -469,8 +469,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(actorusername_has_any) == 0 and 
          array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("GroupDeleted" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("GroupDeleted" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "groupdel"
      | parse SyslogMessage with "group '" GroupName "' removed" *
      | extend 
@ -486,8 +486,8 @@ ParserQuery: |
      | where Facility == "authpriv"
      | where (array_length(targetusername_has_any) == 0 or (SyslogMessage has_any(targetusername_has_any))) and 
          (array_length(actorusername_has_any) == 0 or (SyslogMessage has_any(actorusername_has_any))) and 
-          (array_length(srcipaddr_has_any_prefix) == 0) and
-          (array_length(eventtype_in) == 0 or ("UserAddedToGroup" in (eventtype_in)) or ("UserRemovedFromGroup" in (eventtype_in)))
+          (array_length(eventtype_in) == 0 or ("UserAddedToGroup" in (eventtype_in)) or ("UserRemovedFromGroup" in (eventtype_in))) and
+          (array_length(srcipaddr_has_any_prefix) == 0 or has_any_ipv4_prefix(HostIP, srcipaddr_has_any_prefix))
      | where ProcessName == "gpasswd"
      | parse SyslogMessage with "user " TargetUsername " " Action " by " ActorUsername " " * " group " GroupName
      | where (array_length(targetusername_has_any) == 0 or (TargetUsername has_any(targetusername_has_any))) and
@ -500,44 +500,45 @@ ParserQuery: |
      | invoke ItemParser()
  )
  | where not(disabled)
-  | invoke _ASIM_ResolveDvcFQDN ("Computer")
+  | invoke _ASIM_ResolveDvcFQDN ("HostName")
  | lookup SeverityLookup on SeverityLevel
  | project-rename 
-      ActiveAppName = ProcessName,
-      DvcId         = _ResourceId
+      ActingAppName = ProcessName,
+      DvcId         = _ResourceId,
+      DvcHostname   = HostName
  | extend
+      ActingAppId         = tostring(ProcessID),
+      ActingAppType       = "Process",
+      ActorUsernameType   = iif(isnotempty(ActorUsername), "Simple", ""),
+      DvcIdType           = iff (DvcId == "", "", "AzureResourceID"),
+      DvcOs               = "Linux",
      EventCount          = int(1),
      EventEndTime        = TimeGenerated,
-      EventProduct        = 'authpriv',
+      EventProduct        = "Authpriv",
      EventSchema         = "UserManagement",
      EventSchemaVersion  = "0.1.1",
-      EventSeverity       = "Informational",
      EventStartTime      = TimeGenerated,
-      EventVendor         = "Linux",
      EventUid            = _ItemId,
-      ActingAppType       = "Process",
-      Hostname            = DvcHostname,
-      DvcIdType           = iff (DvcId == "", "", "AzureResourceID"),
-      DvcIpAddr           = iif(HostIP == "Unknown IP","",HostIP),
-      DvcOs               = "Linux",
-      UpdatedPropertyName = EventSubType,
-      ActingAppId         = tostring(ProcessID),
-      TargetUserIdType    = iif(isnotempty(TargetUserId), "UID", ""),
-      TargetUsernameType  = iif(isnotempty(TargetUsername), "Simple", ""),
-      ActorUsernameType   = iif(isnotempty(ActorUsername), "Simple", ""),
+      EventVendor         = "Linux",
      GroupIdType         = iif(isnotempty(GroupId), "UID", ""),
      GroupNameType       = iif(isnotempty(GroupName), "Simple", ""),
+      Hostname            = DvcHostname
+      SrcIpAddr           = iif(HostIP == "Unknown IP","",HostIP),
+      TargetUserIdType    = iif(isnotempty(TargetUserId), "UID", ""),
+      TargetUsernameType  = iif(isnotempty(TargetUsername), "Simple", ""),
+      UpdatedPropertyName = EventSubType,
      User                = ActorUsername
  | extend
-      Dvc = coalesce(DvcIpAddr, DvcHostname)
+      Src = SrcIpAddr,
+      IpAddr = SrcIpAddr
  | project-away Computer,HostIP,SeverityLevel,ProcessID
  };
  parser (
    starttime                = starttime,
    endtime                  = endtime,
    srcipaddr_has_any_prefix = srcipaddr_has_any_prefix,
-    targetusername_  = targetusername_has_any,
-    actorusername_   = actorusername_has_any,
+    targetusername_has_any   = targetusername_has_any,
+    actorusername_has_any   = actorusername_has_any,
    eventtype_in             = eventtype_in,
    disabled                 = disabled
  )