[ASIM Parsers] Generate deployable ARM templates from KQL function YAML files.

Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftSecurityEvents/ASimFileEventMicrosoftSecurityEvents.json

@@ -35,7 +35,7 @@
             "displayName": "File Event ASIM parser for Microsoft Windows Events",
             "category": "ASIM",
             "FunctionAlias": "ASimFileEventMicrosoftSecurityEvents",
-            "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n    \"0x1\", \"ObjectAccessed\"\n    , \"0x10\", \"MetadataModified\"\n    , \"0x100\", \"MetadataModified\"\n    , \"0x10000\", \"ObjectDeleted\"\n    , \"0x2\", \"ObjectModified\"\n    , \"0x20000\", \"MetadataAccessed\"\n    , \"0x4\", \"ObjectModified\"\n    , \"0x40\", \"ObjectDeleted\"\n    , \"0x40000\", \"MetadataModified\"\n    , \"0x6\", \"ObjectModified\"\n    , \"0x8\", \"MetadataAccessed\"\n    , \"0x80\", \"MetadataAccessed\"\n    , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n  'User', 'Regular',\n  'Machine', 'Machine'\n];    \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n  'S-1-5-18', 'Local System', 'Simple',\n  'S-1-0-0', 'Nobody', 'Simple'\n];\nSecurityEvent\n| where not(disabled)\n| where EventID == 4663 \n  and ObjectType == \"File\"\n  and ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId,Type\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n  , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n  , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n  , EventStartTime = TimeGenerated\n  , EventEndTime = TimeGenerated\n  , TargetFilePath = ObjectName\n  , TargetFilePathFormat = \"Windows Local\"\n  , ActingProcessId = tostring(toint(ProcessId))\n  , EventOriginalType = tostring(EventID)\n  , ActorUserIdType=\"SID\"\n  , TargetFilePathType=\"Windows Local\"\n| project-away EventID, ProcessId, AccountType, username\n| project-rename ActorUserId = SubjectUserSid\n  , DvcHostname = Computer\n  , Process = ProcessName\n  , FilePath = ObjectName\n  , ActorSessionId = SubjectLogonId\n  , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n  , EventSchemaVersion = \"0.1.1\"\n  , EventResult = \"Success\"\n  , EventCount = int(1)\n  , EventVendor = 'Microsoft'\n  , EventProduct = 'Security Events'\n  , Dvc = DvcHostname\n  , ActorWindowsUsername = ActorUsername\n  , User = ActorUsername\n  , ActorUserSid = ActorUserId\n  | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (disabled = disabled)",
+            "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n    \"0x1\", \"ObjectAccessed\"\n    , \"0x10\", \"MetadataModified\"\n    , \"0x100\", \"MetadataModified\"\n    , \"0x10000\", \"ObjectDeleted\"\n    , \"0x2\", \"ObjectModified\"\n    , \"0x20000\", \"MetadataAccessed\"\n    , \"0x4\", \"ObjectModified\"\n    , \"0x40\", \"ObjectDeleted\"\n    , \"0x40000\", \"MetadataModified\"\n    , \"0x6\", \"ObjectModified\"\n    , \"0x8\", \"MetadataAccessed\"\n    , \"0x80\", \"MetadataAccessed\"\n    , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n  'User', 'Regular',\n  'Machine', 'Machine'\n];    \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n  'S-1-5-18', 'Local System', 'Simple',\n  'S-1-0-0', 'Nobody', 'Simple'\n];\nSecurityEvent\n| where not(disabled)\n| where EventID == 4663 \n  and ObjectType == \"File\"\n  and ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated, EventID, AccessMask, ProcessName, SubjectUserSid, AccountType, Computer, ObjectName, ProcessId, SubjectUserName, SubjectAccount, SubjectLogonId, HandleId,Type\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n  , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n  , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n  , EventStartTime = TimeGenerated\n  , EventEndTime = TimeGenerated\n  , TargetFilePath = ObjectName\n  , TargetFilePathFormat = \"Windows Local\"\n  , ActingProcessId = tostring(toint(ProcessId))\n  , EventOriginalType = tostring(EventID)\n  , ActorUserIdType=\"SID\"\n  , TargetFilePathType=\"Windows Local\"\n| project-away EventID, ProcessId, AccountType, username\n| project-rename ActorUserId = SubjectUserSid\n  , DvcHostname = Computer\n  , Process = ProcessName\n  , FilePath = ObjectName\n  , ActorSessionId = SubjectLogonId\n  , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n  , EventSchemaVersion = \"0.1.1\"\n  , EventResult = \"Success\"\n  , EventCount = int(1)\n  , EventVendor = 'Microsoft'\n  , EventProduct = 'Security Events'\n  , Dvc = DvcHostname\n  , ActorWindowsUsername = ActorUsername\n  , User = ActorUsername\n  , ActorUserSid = ActorUserId\n  | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (disabled = disabled)",
             "version": 1,
             "functionParameters": "disabled:bool=False"
           }

Parsers/ASimFileEvent/ARM/ASimFileEventMicrosoftWindowsEvents/ASimFileEventMicrosoftWindowsEvents.json

@@ -35,7 +35,7 @@
             "displayName": "File Event ASIM parser for Microsoft Windows Events",
             "category": "ASIM",
             "FunctionAlias": "ASimFileEventMicrosoftWindowsEvents",
-            "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n    \"0x1\", \"ObjectAccessed\"\n    , \"0x10\", \"MetadataModified\"\n    , \"0x100\", \"MetadataModified\"\n    , \"0x10000\", \"ObjectDeleted\"\n    , \"0x2\", \"ObjectModified\"\n    , \"0x20000\", \"MetadataAccessed\"\n    , \"0x4\", \"ObjectModified\"\n    , \"0x40\", \"ObjectDeleted\"\n    , \"0x40000\", \"MetadataModified\"\n    , \"0x6\", \"ObjectModified\"\n    , \"0x8\", \"MetadataAccessed\"\n    , \"0x80\", \"MetadataAccessed\"\n    , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n  'User', 'Regular',\n  'Machine', 'Machine'\n];    \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n  'S-1-5-18', 'Local System', 'Simple',\n  'S-1-0-0', 'Nobody', 'Simple'\n];\nWindowsEvent\n| where EventID == 4663 \n  and EventData.ObjectType == \"File\"\n  and EventData.ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated\n  , EventID, AccessMask = tostring(EventData.AccessMask)\n  , ProcessName = tostring(EventData.ProcessName)\n  , SubjectUserSid = tostring(EventData.SubjectUserSid)\n  , AccountType = tostring(EventData.AccountType)\n  , Computer = tostring(EventData.Computer)\n  , ObjectName = tostring(EventData.ObjectName)\n  , ProcessId = tostring(EventData.ProcessId)\n  , SubjectUserName = tostring(EventData.SubjectUserName)\n  , SubjectAccount = tostring(EventData.SubjectAccount)\n  , SubjectLogonId = tostring(EventData.SubjectLogonId)\n  , HandleId = tostring(EventData.HandleId)\n  , Type\n| extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n  , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n  , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n  , EventStartTime = TimeGenerated\n  , EventEndTime = TimeGenerated\n  , TargetFilePath = ObjectName\n  , TargetFilePathFormat = \"Windows Local\"\n  , ActingProcessId = tostring(toint(ProcessId))\n  , EventOriginalType = tostring(EventID)\n| project-away EventID, ProcessId, AccountType, type, username\n| project-rename ActorUserId = SubjectUserSid\n  , DvcHostname = Computer\n  , Process = ProcessName\n  , FilePath = ObjectName\n  , ActorSessionId = SubjectLogonId\n  , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n  , EventSchemaVersion = \"0.1.1\"\n  , EventResult = \"Success\"\n  , EventCount = int(1)\n  , EventVendor = 'Microsoft'\n  , EventProduct = 'Security Events'\n  , Dvc = DvcHostname\n  , ActorWindowsUsername = ActorUsername\n  , User = ActorUsername\n  , ActorUserSid = ActorUserId\n};\nParser (disabled = disabled)",
+            "query": "let Parser=(disabled:bool=false)\n{\nlet EventTypeLookup = datatable (AccessMask:string,EventType:string)\n[\n    \"0x1\", \"ObjectAccessed\"\n    , \"0x10\", \"MetadataModified\"\n    , \"0x100\", \"MetadataModified\"\n    , \"0x10000\", \"ObjectDeleted\"\n    , \"0x2\", \"ObjectModified\"\n    , \"0x20000\", \"MetadataAccessed\"\n    , \"0x4\", \"ObjectModified\"\n    , \"0x40\", \"ObjectDeleted\"\n    , \"0x40000\", \"MetadataModified\"\n    , \"0x6\", \"ObjectModified\"\n    , \"0x8\", \"MetadataAccessed\"\n    , \"0x80\", \"MetadataAccessed\"\n    , \"0x80000\", \"MetadataModified\"\n];\nlet UserTypeLookup = datatable (AccountType:string, ActorUserType:string)\n[\n  'User', 'Regular',\n  'Machine', 'Machine'\n];    \nlet KnownSIDs = datatable (sid:string, username:string, type:string)\n[\n  'S-1-5-18', 'Local System', 'Simple',\n  'S-1-0-0', 'Nobody', 'Simple'\n];\nWindowsEvent\n| where EventID == 4663 \n  and EventData.ObjectType == \"File\"\n  and EventData.ObjectName !startswith @\"\\Device\\\"\n| project TimeGenerated\n  , EventID, AccessMask = tostring(EventData.AccessMask)\n  , ProcessName = tostring(EventData.ProcessName)\n  , SubjectUserSid = tostring(EventData.SubjectUserSid)\n  , AccountType = tostring(EventData.AccountType)\n  , Computer = tostring(EventData.Computer)\n  , ObjectName = tostring(EventData.ObjectName)\n  , ProcessId = tostring(EventData.ProcessId)\n  , SubjectUserName = tostring(EventData.SubjectUserName)\n  , SubjectAccount = tostring(EventData.SubjectAccount)\n  , SubjectLogonId = tostring(EventData.SubjectLogonId)\n  , HandleId = tostring(EventData.HandleId)\n  , Type\n| extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n| lookup EventTypeLookup on AccessMask\n| lookup UserTypeLookup on AccountType\n| lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n| extend ActingProcessName = ProcessName\n  , ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n  , ActorUsernameType = iff(SubjectUserName == '-',type, 'Windows')\n  , EventStartTime = TimeGenerated\n  , EventEndTime = TimeGenerated\n  , TargetFilePath = ObjectName\n  , TargetFilePathFormat = \"Windows Local\"\n  , ActingProcessId = tostring(toint(ProcessId))\n  , EventOriginalType = tostring(EventID)\n| project-away EventID, ProcessId, AccountType, type, username\n| project-rename ActorUserId = SubjectUserSid\n  , DvcHostname = Computer\n  , Process = ProcessName\n  , FilePath = ObjectName\n  , ActorSessionId = SubjectLogonId\n  , FileSessionId = HandleId\n| extend EventSchema = \"FileEvent\"\n  , EventSchemaVersion = \"0.1.1\"\n  , EventResult = \"Success\"\n  , EventCount = int(1)\n  , EventVendor = 'Microsoft'\n  , EventProduct = 'Security Events'\n  , Dvc = DvcHostname\n  , ActorWindowsUsername = ActorUsername\n  , User = ActorUsername\n  , ActorUserSid = ActorUserId\n| project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (disabled = disabled)",
             "version": 1,
             "functionParameters": "disabled:bool=False"
           }

Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftSecurityEvents/vimFileEventMicrosoftSecurityEvents.json

@@ -35,7 +35,7 @@
             "displayName": "File Event ASIM filtering parser for Microsoft Windows Events",
             "category": "ASIM",
             "FunctionAlias": "vimFileEventMicrosoftSecurityEvents",
-            "query": "let Parser=(\n  starttime: datetime=datetime(null),\n  endtime: datetime=datetime(null),\n  eventtype_in: dynamic=dynamic([]),\n  srcipaddr_has_any_prefix: dynamic=dynamic([]),\n  actorusername_has_any: dynamic=dynamic([]),\n  targetfilepath_has_any: dynamic=dynamic([]),\n  srcfilepath_has_any: dynamic=dynamic([]),\n  hashes_has_any: dynamic=dynamic([]),\n  dvchostname_has_any: dynamic=dynamic([]),\n  disabled: bool=false\n  ) {\n  let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n      [\n  \"0x1\", \"ObjectAccessed\"\n      ,\n  \"0x10\", \"MetadataModified\"\n      ,\n  \"0x100\", \"MetadataModified\"\n      ,\n  \"0x10000\", \"ObjectDeleted\"\n      ,\n  \"0x2\", \"ObjectModified\"\n      ,\n  \"0x20000\", \"MetadataAccessed\"\n      ,\n  \"0x4\", \"ObjectModified\"\n      ,\n  \"0x40\", \"ObjectDeleted\"\n      ,\n  \"0x40000\", \"MetadataModified\"\n      ,\n  \"0x6\", \"ObjectModified\"\n      ,\n  \"0x8\", \"MetadataAccessed\"\n      ,\n  \"0x80\", \"MetadataAccessed\"\n      ,\n  \"0x80000\", \"MetadataModified\"\n];\n    let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n        [\n    'User', 'Regular',\n    'Machine', 'Machine'\n];    \n    let KnownSIDs = datatable (sid: string, username: string, type: string)\n        [\n    'S-1-5-18', 'Local System', 'Simple',\n    'S-1-0-0', 'Nobody', 'Simple'\n];\n    SecurityEvent\n        | where not(disabled)\n        | where (isnull(starttime) or TimeGenerated >= starttime) \n            and (isnull(endtime) or TimeGenerated <= endtime)\n        | where EventID == 4663 \n            and ObjectType == \"File\"\n            and ObjectName !startswith @\"\\Device\\\"\n        | where (array_length(srcipaddr_has_any_prefix) == 0) and \n            ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and \n            (array_length(srcfilepath_has_any) == 0) and\n            (array_length(hashes_has_any) == 0) and \n            (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n        | project\n            TimeGenerated,\n            EventID,\n            AccessMask,\n            ProcessName,\n            SubjectUserSid,\n            AccountType,\n            Computer,\n            ObjectName,\n            ProcessId,\n            SubjectUserName,\n            SubjectAccount,\n            SubjectLogonId,\n            HandleId,\n            Type\n    | lookup EventTypeLookup on AccessMask\n    | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n    | lookup UserTypeLookup on AccountType\n    | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n    | extend\n        ActingProcessName = ProcessName\n        ,\n        ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n        ,\n        ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n        ,\n        EventStartTime = TimeGenerated\n        ,\n        EventEndTime = TimeGenerated\n        ,\n        TargetFilePath = ObjectName\n        ,\n        TargetFilePathFormat = \"Windows Local\"\n        ,\n        ActingProcessId = tostring(toint(ProcessId))\n        ,\n        EventOriginalType = tostring(EventID)\n  | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n    | project-away EventID, ProcessId, AccountType, username\n    | project-rename\n        ActorUserId = SubjectUserSid\n        ,\n        DvcHostname = Computer\n        ,\n        Process = ProcessName\n        ,\n        FilePath = ObjectName\n        ,\n        ActorSessionId = SubjectLogonId\n        ,\n        FileSessionId = HandleId\n    | extend\n        EventSchema = \"FileEvent\"\n        ,\n        EventSchemaVersion = \"0.1.1\"\n        ,\n        EventResult = \"Success\"\n        ,\n        EventCount = int(1)\n        ,\n        EventVendor = 'Microsoft'\n        ,\n        EventProduct = 'Security Events'\n        ,\n        Dvc = DvcHostname\n        ,\n        ActorWindowsUsername = ActorUsername\n        ,\n        User = ActorUsername\n        ,\n        ActorUserSid = ActorUserId,\n        ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n        | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (\n    starttime=starttime, \n    endtime=endtime, \n    eventtype_in=eventtype_in,\n    srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n    actorusername_has_any=actorusername_has_any,\n    targetfilepath_has_any=targetfilepath_has_any,\n    srcfilepath_has_any=srcfilepath_has_any,\n    hashes_has_any=hashes_has_any,\n    dvchostname_has_any=dvchostname_has_any,\n    disabled=disabled\n)\n",
+            "query": "let Parser=(\n  starttime: datetime=datetime(null),\n  endtime: datetime=datetime(null),\n  eventtype_in: dynamic=dynamic([]),\n  srcipaddr_has_any_prefix: dynamic=dynamic([]),\n  actorusername_has_any: dynamic=dynamic([]),\n  targetfilepath_has_any: dynamic=dynamic([]),\n  srcfilepath_has_any: dynamic=dynamic([]),\n  hashes_has_any: dynamic=dynamic([]),\n  dvchostname_has_any: dynamic=dynamic([]),\n  disabled: bool=false\n  ) {\n  let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n      [\n  \"0x1\", \"ObjectAccessed\"\n      ,\n  \"0x10\", \"MetadataModified\"\n      ,\n  \"0x100\", \"MetadataModified\"\n      ,\n  \"0x10000\", \"ObjectDeleted\"\n      ,\n  \"0x2\", \"ObjectModified\"\n      ,\n  \"0x20000\", \"MetadataAccessed\"\n      ,\n  \"0x4\", \"ObjectModified\"\n      ,\n  \"0x40\", \"ObjectDeleted\"\n      ,\n  \"0x40000\", \"MetadataModified\"\n      ,\n  \"0x6\", \"ObjectModified\"\n      ,\n  \"0x8\", \"MetadataAccessed\"\n      ,\n  \"0x80\", \"MetadataAccessed\"\n      ,\n  \"0x80000\", \"MetadataModified\"\n];\n    let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n        [\n    'User', 'Regular',\n    'Machine', 'Machine'\n];    \n    let KnownSIDs = datatable (sid: string, username: string, type: string)\n        [\n    'S-1-5-18', 'Local System', 'Simple',\n    'S-1-0-0', 'Nobody', 'Simple'\n];\n    SecurityEvent\n        | where not(disabled)\n        | where (isnull(starttime) or TimeGenerated >= starttime) \n            and (isnull(endtime) or TimeGenerated <= endtime)\n        | where EventID == 4663 \n            and ObjectType == \"File\"\n            and ObjectName !startswith @\"\\Device\\\"\n        | where (array_length(srcipaddr_has_any_prefix) == 0) and \n            ((array_length(targetfilepath_has_any) == 0) or (ObjectName has_any (targetfilepath_has_any))) and \n            (array_length(srcfilepath_has_any) == 0) and\n            (array_length(hashes_has_any) == 0) and \n            (array_length(dvchostname_has_any) == 0 or Computer has_any (dvchostname_has_any))\n        | project\n            TimeGenerated,\n            EventID,\n            AccessMask,\n            ProcessName,\n            SubjectUserSid,\n            AccountType,\n            Computer,\n            ObjectName,\n            ProcessId,\n            SubjectUserName,\n            SubjectAccount,\n            SubjectLogonId,\n            HandleId,\n            Type\n    | lookup EventTypeLookup on AccessMask\n    | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n    | lookup UserTypeLookup on AccountType\n    | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n    | extend\n        ActingProcessName = ProcessName\n        ,\n        ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n        ,\n        ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n        ,\n        EventStartTime = TimeGenerated\n        ,\n        EventEndTime = TimeGenerated\n        ,\n        TargetFilePath = ObjectName\n        ,\n        TargetFilePathFormat = \"Windows Local\"\n        ,\n        ActingProcessId = tostring(toint(ProcessId))\n        ,\n        EventOriginalType = tostring(EventID)\n  | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n    | project-away EventID, ProcessId, AccountType, username\n    | project-rename\n        ActorUserId = SubjectUserSid\n        ,\n        DvcHostname = Computer\n        ,\n        Process = ProcessName\n        ,\n        FilePath = ObjectName\n        ,\n        ActorSessionId = SubjectLogonId\n        ,\n        FileSessionId = HandleId\n    | extend\n        EventSchema = \"FileEvent\"\n        ,\n        EventSchemaVersion = \"0.1.1\"\n        ,\n        EventResult = \"Success\"\n        ,\n        EventCount = int(1)\n        ,\n        EventVendor = 'Microsoft'\n        ,\n        EventProduct = 'Security Events'\n        ,\n        Dvc = DvcHostname\n        ,\n        ActorWindowsUsername = ActorUsername\n        ,\n        User = ActorUsername\n        ,\n        ActorUserSid = ActorUserId,\n        ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n        | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n    starttime=starttime, \n    endtime=endtime, \n    eventtype_in=eventtype_in,\n    srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n    actorusername_has_any=actorusername_has_any,\n    targetfilepath_has_any=targetfilepath_has_any,\n    srcfilepath_has_any=srcfilepath_has_any,\n    hashes_has_any=hashes_has_any,\n    dvchostname_has_any=dvchostname_has_any,\n    disabled=disabled\n)\n",
             "version": 1,
             "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False"
           }

Parsers/ASimFileEvent/ARM/vimFileEventMicrosoftWindowsEvents/vimFileEventMicrosoftWindowsEvents.json

@@ -35,7 +35,7 @@
             "displayName": "File Event ASIM filtering parser for Microsoft Windows Events",
             "category": "ASIM",
             "FunctionAlias": "vimFileEventMicrosoftWindowsEvents",
-            "query": "let Parser=(\n  starttime: datetime=datetime(null),\n  endtime: datetime=datetime(null),\n  eventtype_in: dynamic=dynamic([]),\n  srcipaddr_has_any_prefix: dynamic=dynamic([]),\n  actorusername_has_any: dynamic=dynamic([]),\n  targetfilepath_has_any: dynamic=dynamic([]),\n  srcfilepath_has_any: dynamic=dynamic([]),\n  hashes_has_any: dynamic=dynamic([]),\n  dvchostname_has_any: dynamic=dynamic([]),\n  disabled: bool=false\n  ) {\n  let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n      [\n  \"0x1\", \"ObjectAccessed\"\n      ,\n  \"0x10\", \"MetadataModified\"\n      ,\n  \"0x100\", \"MetadataModified\"\n      ,\n  \"0x10000\", \"ObjectDeleted\"\n      ,\n  \"0x2\", \"ObjectModified\"\n      ,\n  \"0x20000\", \"MetadataAccessed\"\n      ,\n  \"0x4\", \"ObjectModified\"\n      ,\n  \"0x40\", \"ObjectDeleted\"\n      ,\n  \"0x40000\", \"MetadataModified\"\n      ,\n  \"0x6\", \"ObjectModified\"\n      ,\n  \"0x8\", \"MetadataAccessed\"\n      ,\n  \"0x80\", \"MetadataAccessed\"\n      ,\n  \"0x80000\", \"MetadataModified\"\n];\n    let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n        [\n    'User', 'Regular',\n    'Machine', 'Machine'\n];    \n    let KnownSIDs = datatable (sid: string, username: string, type: string)\n        [\n    'S-1-5-18', 'Local System', 'Simple',\n    'S-1-0-0', 'Nobody', 'Simple'\n];\n    WindowsEvent\n        | where EventID == 4663 \n            and EventData.ObjectType == \"File\"\n            and EventData.ObjectName !startswith @\"\\Device\\\"\n        | extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n        | project\n            TimeGenerated\n            ,\n            EventID,\n            AccessMask = tostring(EventData.AccessMask)\n            ,\n            ProcessName = tostring(EventData.ProcessName)\n            ,\n            SubjectUserSid = tostring(EventData.SubjectUserSid)\n            ,\n            AccountType = tostring(EventData.AccountType)\n            ,\n            Computer = tostring(EventData.Computer)\n            ,\n            ObjectName = tostring(EventData.ObjectName)\n            ,\n            ProcessId = tostring(EventData.ProcessId)\n            ,\n            SubjectUserName = tostring(EventData.SubjectUserName)\n            ,\n            SubjectAccount = tostring(EventData.SubjectAccount)\n            ,\n            SubjectLogonId = tostring(EventData.SubjectLogonId)\n            ,\n            HandleId = tostring(EventData.HandleId)\n            ,\n            Type\n    | lookup EventTypeLookup on AccessMask\n    | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n    | lookup UserTypeLookup on AccountType\n    | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n    | extend\n        ActingProcessName = ProcessName\n        ,\n        ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n        ,\n        ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n        ,\n        EventStartTime = TimeGenerated\n        ,\n        EventEndTime = TimeGenerated\n        ,\n        TargetFilePath = ObjectName\n        ,\n        TargetFilePathFormat = \"Windows Local\"\n        ,\n        ActingProcessId = tostring(toint(ProcessId))\n        ,\n        EventOriginalType = tostring(EventID)\n  | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n    | project-away EventID, ProcessId, AccountType, username\n    | project-rename\n        ActorUserId = SubjectUserSid\n        ,\n        DvcHostname = Computer\n        ,\n        Process = ProcessName\n        ,\n        FilePath = ObjectName\n        ,\n        ActorSessionId = SubjectLogonId\n        ,\n        FileSessionId = HandleId\n    | extend\n        EventSchema = \"FileEvent\"\n        ,\n        EventSchemaVersion = \"0.1.1\"\n        ,\n        EventResult = \"Success\"\n        ,\n        EventCount = int(1)\n        ,\n        EventVendor = 'Microsoft'\n        ,\n        EventProduct = 'Security Events'\n        ,\n        Dvc = DvcHostname\n        ,\n        ActorWindowsUsername = ActorUsername\n        ,\n        User = ActorUsername\n        ,\n        ActorUserSid = ActorUserId\n        , ActorUserIdType=\"SID\"\n        , TargetFilePathType=\"Windows Local\"\n        | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat\n};\nParser (\n    starttime=starttime, \n    endtime=endtime, \n    eventtype_in=eventtype_in,\n    srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n    actorusername_has_any=actorusername_has_any,\n    targetfilepath_has_any=targetfilepath_has_any,\n    srcfilepath_has_any=srcfilepath_has_any,\n    hashes_has_any=hashes_has_any,\n    dvchostname_has_any=dvchostname_has_any,\n    disabled=disabled\n)",
+            "query": "let Parser=(\n  starttime: datetime=datetime(null),\n  endtime: datetime=datetime(null),\n  eventtype_in: dynamic=dynamic([]),\n  srcipaddr_has_any_prefix: dynamic=dynamic([]),\n  actorusername_has_any: dynamic=dynamic([]),\n  targetfilepath_has_any: dynamic=dynamic([]),\n  srcfilepath_has_any: dynamic=dynamic([]),\n  hashes_has_any: dynamic=dynamic([]),\n  dvchostname_has_any: dynamic=dynamic([]),\n  disabled: bool=false\n  ) {\n  let EventTypeLookup = datatable (AccessMask: string, EventType: string)\n      [\n  \"0x1\", \"ObjectAccessed\"\n      ,\n  \"0x10\", \"MetadataModified\"\n      ,\n  \"0x100\", \"MetadataModified\"\n      ,\n  \"0x10000\", \"ObjectDeleted\"\n      ,\n  \"0x2\", \"ObjectModified\"\n      ,\n  \"0x20000\", \"MetadataAccessed\"\n      ,\n  \"0x4\", \"ObjectModified\"\n      ,\n  \"0x40\", \"ObjectDeleted\"\n      ,\n  \"0x40000\", \"MetadataModified\"\n      ,\n  \"0x6\", \"ObjectModified\"\n      ,\n  \"0x8\", \"MetadataAccessed\"\n      ,\n  \"0x80\", \"MetadataAccessed\"\n      ,\n  \"0x80000\", \"MetadataModified\"\n];\n    let UserTypeLookup = datatable (AccountType: string, ActorUserType: string)\n        [\n    'User', 'Regular',\n    'Machine', 'Machine'\n];    \n    let KnownSIDs = datatable (sid: string, username: string, type: string)\n        [\n    'S-1-5-18', 'Local System', 'Simple',\n    'S-1-0-0', 'Nobody', 'Simple'\n];\n    WindowsEvent\n        | where EventID == 4663 \n            and EventData.ObjectType == \"File\"\n            and EventData.ObjectName !startswith @\"\\Device\\\"\n        | extend ActorUserIdType=\"SID\", TargetFilePathType=\"Windows Local\"\n        | project\n            TimeGenerated\n            ,\n            EventID,\n            AccessMask = tostring(EventData.AccessMask)\n            ,\n            ProcessName = tostring(EventData.ProcessName)\n            ,\n            SubjectUserSid = tostring(EventData.SubjectUserSid)\n            ,\n            AccountType = tostring(EventData.AccountType)\n            ,\n            Computer = tostring(EventData.Computer)\n            ,\n            ObjectName = tostring(EventData.ObjectName)\n            ,\n            ProcessId = tostring(EventData.ProcessId)\n            ,\n            SubjectUserName = tostring(EventData.SubjectUserName)\n            ,\n            SubjectAccount = tostring(EventData.SubjectAccount)\n            ,\n            SubjectLogonId = tostring(EventData.SubjectLogonId)\n            ,\n            HandleId = tostring(EventData.HandleId)\n            ,\n            Type\n    | lookup EventTypeLookup on AccessMask\n    | where ((array_length(eventtype_in) == 0 or EventType in~ (eventtype_in)))\n    | lookup UserTypeLookup on AccountType\n    | lookup KnownSIDs on $left.SubjectUserSid == $right.sid\n    | extend\n        ActingProcessName = ProcessName\n        ,\n        ActorUsername = iff (SubjectUserName == \"-\", username, SubjectAccount)\n        ,\n        ActorUsernameType = iff(SubjectUserName == '-', type, 'Windows')\n        ,\n        EventStartTime = TimeGenerated\n        ,\n        EventEndTime = TimeGenerated\n        ,\n        TargetFilePath = ObjectName\n        ,\n        TargetFilePathFormat = \"Windows Local\"\n        ,\n        ActingProcessId = tostring(toint(ProcessId))\n        ,\n        EventOriginalType = tostring(EventID)\n  | where (array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))\n    | project-away EventID, ProcessId, AccountType, username\n    | project-rename\n        ActorUserId = SubjectUserSid\n        ,\n        DvcHostname = Computer\n        ,\n        Process = ProcessName\n        ,\n        FilePath = ObjectName\n        ,\n        ActorSessionId = SubjectLogonId\n        ,\n        FileSessionId = HandleId\n    | extend\n        EventSchema = \"FileEvent\"\n        ,\n        EventSchemaVersion = \"0.1.1\"\n        ,\n        EventResult = \"Success\"\n        ,\n        EventCount = int(1)\n        ,\n        EventVendor = 'Microsoft'\n        ,\n        EventProduct = 'Security Events'\n        ,\n        Dvc = DvcHostname\n        ,\n        ActorWindowsUsername = ActorUsername\n        ,\n        User = ActorUsername\n        ,\n        ActorUserSid = ActorUserId\n        , ActorUserIdType=\"SID\"\n        , TargetFilePathType=\"Windows Local\"\n        | project-away AccessMask,ActorWindowsUsername,FileSessionId,SubjectAccount,SubjectUserName,TargetFilePathFormat,type\n};\nParser (\n    starttime=starttime, \n    endtime=endtime, \n    eventtype_in=eventtype_in,\n    srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n    actorusername_has_any=actorusername_has_any,\n    targetfilepath_has_any=targetfilepath_has_any,\n    srcfilepath_has_any=srcfilepath_has_any,\n    hashes_has_any=hashes_has_any,\n    dvchostname_has_any=dvchostname_has_any,\n    disabled=disabled\n)",
             "version": 1,
             "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False"
           }