Merge remote-tracking branch 'origin/master' into redcanary_solution

.script/tests/KqlvalidationsTests/CustomTables/AIShield.json

@@ -0,0 +1,69 @@
+{
+    "Name": "AIShield",
+    "Properties": [
+        {
+            "Name": "TenantId",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceSystem",
+            "Type": "String"
+        },
+        {
+            "Name": "MG",
+            "Type": "String"
+        },
+        {
+            "Name": "ManagementGroupName",
+            "Type": "String"
+        },
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "Computer",
+            "Type": "String"
+        },
+        {
+            "Name": "RawData",
+            "Type": "String"
+        },
+        {
+            "Name": "Message",
+            "Type": "String"
+        },
+        {
+            "Name": "ServiceName",
+            "Type": "String"
+        },
+        {
+            "Name": "AssetId",
+            "Type": "String"
+        },
+        {
+            "Name": "SourceName",
+            "Type": "String"
+        },
+        {
+            "Name": "Severity",
+            "Type": "String"
+        },
+        {
+            "Name": "AttackName",
+            "Type": "String"
+        },
+        {
+            "Name": "EventTimestamp",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "Type",
+            "Type": "String"
+        },
+        {
+            "Name": "_ResourceId",
+            "Type": "String"
+        }
+    ]
+}

.script/tests/KqlvalidationsTests/CustomTables/JiraAudit.json

@@ -0,0 +1,77 @@
+{
+    "name": "JiraAudit",
+    "Properties": [
+        {
+            "Name": "TimeGenerated",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "EventVendor",
+            "Type": "String"
+        },
+        {
+            "Name": "EventProduct",
+            "Type": "String"
+        },
+        {
+            "Name": "EventId",
+            "Type": "Double"
+        },
+        {
+            "Name": "EventMessage",
+            "Type": "String"
+        },
+        {
+            "Name": "SrcIpAddr",
+            "Type": "String"
+        },
+        {
+            "Name": "UserName",
+            "Type": "String"
+        },
+        {
+            "Name": "UserSid",
+            "Type": "String"
+        },
+        {
+            "Name": "EventCreationTime",
+            "Type": "DateTime"
+        },
+        {
+            "Name": "EventSource",
+            "Type": "String"
+        },
+        {
+            "Name": "ObjectItemId",
+            "Type": "String"
+        },
+        {
+            "Name": "ObjectItemName",
+            "Type": "String"
+        },
+        {
+            "Name": "ObjectItemTypeName",
+            "Type": "String"
+        },
+        {
+            "Name": "ChangedValues",
+            "Type": "String"
+        },
+        {
+            "Name": "AssociatedItems",
+            "Type": "String"
+        },
+        {
+            "Name": "ObjectItemParentId",
+            "Type": "String"
+        },
+        {
+            "Name": "ObjectItemParentName",
+            "Type": "String"
+        },
+        {
+            "Name": "EventCategoryType",
+            "Type": "String"
+        }
+    ]
+}

.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json

@@ -28,6 +28,7 @@
   "BetterMTD",
   "BeyondSecuritybeSECURE",
   "BlackberryCylancePROTECT",
+  "BoschAIShield",
   "BoxDataConnector",
   "BroadcomSymantecDLP",
   "CEF",
@@ -73,6 +74,7 @@
   "InfobloxCloudDataConnector",
   "InfobloxNIOS",
   "IoT",
+  "JiraAuditAPI",
   "JuniperSRX",
   "LastPass",
   "LookoutAPI",

ASIM/dev/ASimSchemaTester/ASimSchemaTester.csv

@@ -1,248 +0,0 @@
-ColumnName,ColumnType,Class,Schema
-_ResourceId,string,Mandatory,NetworkSession
-Type,string,Mandatory,NetworkSession
-EventMessage,string,Optional,NetworkSession
-EventCount,int,Mandatory,NetworkSession
-EventStartTime,datetime,Mandatory,NetworkSession
-EventEndTime,datetime,Alias,NetworkSession
-EventType,string,Mandatory,NetworkSession
-EventSubType,string,Optional,NetworkSession
-EventResult,string,Mandatory,NetworkSession
-EventResultDetails,string,Optional,NetworkSession
-EventOriginalResultDetails,string,Optional,NetworkSession
-EventSeverity,string,Mandatory,NetworkSession
-EventOriginalSeverity,string,Optional,NetworkSession
-EventOriginalUid,string,Optional,NetworkSession
-EventOriginalType,string,Optional,NetworkSession
-EventProduct,string,Mandatory,NetworkSession
-EventProductVersion,string,Optional,NetworkSession
-EventVendor,string,Mandatory,NetworkSession
-EventSchema,string,Mandatory,NetworkSession
-EventSchemaVersion,string,Mandatory,NetworkSession
-EventReportUrl,string,Optional,NetworkSession
-Dvc,string,Alias,NetworkSession
-DvcIpAddr,string,Recommended,NetworkSession
-DvcHostname,string,Mandatory,NetworkSession
-DvcDomain,string,Recommended,NetworkSession
-DvcDomainType,string,Recommended,NetworkSession
-DvcFQDN,string,Optional,NetworkSession
-DvcId,string,Optional,NetworkSession
-DvcIdType,string,Optional,NetworkSession
-DstIpAddr,string,Recommended,NetworkSession
-DstPortNumber,int,Optional,NetworkSession
-DstHostname,string,Recommended,NetworkSession
-Hostname,string,Alias,NetworkSession
-DstDomain,string,Recommended,NetworkSession
-DstDomainType,string,Recommended,NetworkSession
-DstFQDN,string,Optional,NetworkSession
-DstDvcId,string,Optional,NetworkSession
-DstDvcIdType,string,Optional,NetworkSession
-DstDeviceType,string,Optional,NetworkSession
-DstUserId,string,Optional,NetworkSession
-DstUserIdType,string,Optional,NetworkSession
-DstUsername,string,Optional,NetworkSession
-User,string,Alias,NetworkSession
-DstUsernameType,string,Alias,NetworkSession
-DstUserType,string,Optional,NetworkSession
-DstOriginalUserType,string,Optional,NetworkSession
-DstUserDomain,string,Optional,NetworkSession
-DstAppName,string,Optional,NetworkSession
-DstAppId,string,Optional,NetworkSession
-DstAppType,string,Optional,NetworkSession
-DstZone,string,Optional,NetworkSession
-DstInterfaceName,string,Optional,NetworkSession
-DstInterfaceGuid,string,Optional,NetworkSession
-DstMacAddr,string,Optional,NetworkSession
-DstGeoCountry,string,Optional,NetworkSession
-DstGeoCity,string,Optional,NetworkSession
-DstGeoLatitude,real,Optional,NetworkSession
-DstGeoLongitude,real,Optional,NetworkSession
-SrcIpAddr,string,Recommended,NetworkSession
-SrcPortNumber,int,Optional,NetworkSession
-SrcHostname,string,Recommended,NetworkSession
-SrcDomain,string,Recommended,NetworkSession
-SrcDomainType,string,Recommended,NetworkSession
-SrcFQDN,string,Optional,NetworkSession
-SrcDvcId,string,Optional,NetworkSession
-SrcDvcIdType,string,Optional,NetworkSession
-SrcDeviceType,string,Optional,NetworkSession
-SrcUserId,string,Optional,NetworkSession
-SrcUserIdType,string,Optional,NetworkSession
-SrcUsername,string,Optional,NetworkSession
-SrcUsernameType,string,Alias,NetworkSession
-SrcUserType,string,Optional,NetworkSession
-SrcOriginalUserType,string,Optional,NetworkSession
-SrcUserDomain,string,Optional,NetworkSession
-SrcAppName,string,Optional,NetworkSession
-SrcAppId,string,Optional,NetworkSession
-IpAddr,string,Alias,NetworkSession
-SrcAppType,string,Optional,NetworkSession
-SrcZone,string,Optional,NetworkSession
-SrcInterfaceName,string,Optional,NetworkSession
-SrcInterfaceGuid,string,Optional,NetworkSession
-SrcMacAddr,string,Optional,NetworkSession
-SrcGeoCountry,string,Optional,NetworkSession
-SrcGeoCity,string,Optional,NetworkSession
-SrcGeoLatitude,real,Optional,NetworkSession
-SrcGeoLongitude,real,Optional,NetworkSession
-NetworkApplicationProtocol,string,Optional,NetworkSession
-NetworkProtocol,string,Optional,NetworkSession
-NetworkDirection,string,Optional,NetworkSession
-NetworkDuration,int,Optional,NetworkSession
-Duration,int,Alias,NetworkSession
-NetworkIcmpCode,int,Optional,NetworkSession
-NetworkIcmpType,string,Optional,NetworkSession
-DstBytes,int,Optional,NetworkSession
-SrcBytes,int,Optional,NetworkSession
-NetworkBytes,int,Optional,NetworkSession
-DstPackets,int,Optional,NetworkSession
-SrcPackets,int,Optional,NetworkSession
-NetworkPackets,int,Optional,NetworkSession
-NetworkSessionId,string,Optional,NetworkSession
-SessionId,string,Alias,NetworkSession
-DstNatIpAddr,string,Optional,NetworkSession
-DstNatPortNumber,int,Optional,NetworkSession
-SrcNatIpAddr,string,Optional,NetworkSession
-SrcNatPortNumber,int,Optional,NetworkSession
-DvcInboundInterface,string,Optional,NetworkSession
-DvcOutboundInterface,string,Optional,NetworkSession
-Url,string,Optional,NetworkSession
-UrlCategory,string,Optional,NetworkSession
-UrlOriginal,string,Optional,NetworkSession
-HttpVersion,string,Optional,NetworkSession
-HttpRequestMethod,string,Optional,NetworkSession
-HttpStatusCode,string,Alias,NetworkSession
-HttpContentType,string,Optional,NetworkSession
-HttpContentFormat,string,Optional,NetworkSession
-HttpReferrer,string,Optional,NetworkSession
-HttpUserAgent,string,Optional,NetworkSession
-UserAgent,string,Alias,NetworkSession
-HttpRequestXff,string,Optional,NetworkSession
-HttpRequestTime,int,Optional,NetworkSession
-HttpResponseTime,int,Optional,NetworkSession
-FileName,string,Optional,NetworkSession
-FileMD5,string,Optional,NetworkSession
-FileSHA1,string,Optional,NetworkSession
-FileSHA256,string,Optional,NetworkSession
-FileSHA512,string,Optional,NetworkSession
-FileSize,string,Optional,NetworkSession
-FileContentType,string,Optional,NetworkSession
-NetworkRuleName,string,Optional,NetworkSession
-NetworkRuleNumber,int,Optional,NetworkSession
-Rule,string,Optional,NetworkSession
-DvcAction,string,Optional,NetworkSession
-DvcOriginalAction,string,Optional,NetworkSession
-ThreatId,string,Optional,NetworkSession
-ThreatName,string,Optional,NetworkSession
-ThreatCategory,string,Optional,NetworkSession
-ThreatRiskLevel,int,Optional,NetworkSession
-ThreatRiskLevelOriginal,string,Optional,NetworkSession
-_ResourceId,string,Optional,Dns
-AdditionalFields,dynamic,Optional,Dns
-DnsFlags,string,Optional,Dns
-DnsFlagsAuthoritative,bool,Optional,Dns
-DnsFlagsCheckingDisabled,bool,Optional,Dns
-DnsFlagsRecursionAvailable,bool,Optional,Dns
-DnsFlagsRecursionDesired,bool,Optional,Dns
-DnsFlagsTruncates,bool,Optional,Dns
-DnsFlagsZ,bool,Optional,Dns
-DnsNetworkDuration,int,Optional,Dns
-DnsQuery,string,Recommended,Dns
-DnsQueryClass,int,Optional,Dns
-DnsQueryClassName,string,Recommended,Dns
-DnsQueryType,int,Optional,Dns
-DnsQueryTypeName,string,Optional,Dns
-DnsResponseCode,int,Optional,Dns
-DnsResponseCodeName,string,Mandatory,Dns
-DnsResponseName,string,Optional,Dns
-DnsSessionId,string,Optional,Dns
-Domain,string,Optional,Dns
-DomainCategory,string,Optional,Dns
-Dst,string,Alias,Dns
-DstDeviceType,string,Optional,Dns
-DstDomain,string,Optional,Dns
-DstDomainType,string,Optional,Dns
-DstDvcId,string,Optional,Dns
-DstDvcIdType,string,Optional,Dns
-DstFQDN,string,Optional,Dns
-DstGeoCity,string,Optional,Dns
-DstGeoCountry,string,Optional,Dns
-DstGeoLatitude,real,Optional,Dns
-DstGeoLongitude,real,Optional,Dns
-DstGeoRegion,string,Optional,Dns
-DstHostname,string,Optional,Dns
-DstIpAddr,string,Optional,Dns
-DstPortNumber,int,Optional,Dns
-DstRiskLevel,int,Optional,Dns
-Duration,int,Alias,Dns
-Dvc,string,Mandatory,Dns
-DvcAction,string,Optional,Dns
-DvcDomain,string,Recommended,Dns
-DvcDomainType,string,Recommended,Dns
-DvcHostname,string,Recommended,Dns
-DvcId,string,Optional,Dns
-DvcIpAddr,string,Recommended,Dns
-EventCount,int,Mandatory,Dns
-EventEndTime,datetime,Mandatory,Dns
-EventMessage,string,Optional,Dns
-EventOriginalType,string,Optional,Dns
-EventOriginalUid,string,Optional,Dns
-EventProduct,string,Mandatory,Dns
-EventProductVersion,string,Optional,Dns
-EventReportUrl,string,Optional,Dns
-EventResult,string,Mandatory,Dns
-EventResultDetails,string,Mandatory,Dns
-EventSchema,string,Mandatory,Dns
-EventSchemaVersion,string,Mandatory,Dns
-EventSeverity,string,Optional,Dns
-EventStartTime,datetime,Mandatory,Dns
-EventSubType,string,Optional,Dns
-EventType,string,Mandatory,Dns
-EventVendor,string,Mandatory,Dns
-Flags,string,Optional,Dns
-Hostname,string,Alias,Dns
-IpAddr,string,Alias,Dns
-NetworkProtocol,string,Optional,Dns
-Process,string,Alias,Dns
-Query,string,Optional,Dns
-QueryClass,int,Optional,Dns
-QueryClassName,string,Optional,Dns
-QueryType,int,Optional,Dns
-QueryTypeName,string,Optional,Dns
-ResponseCode,int,Optional,Dns
-ResponseCodeName,string,Optional,Dns
-ResponseName,string,Optional,Dns
-SessionId,string,Alias,Dns
-Src,string,Alias,Dns
-SrcDeviceType,string,Optional,Dns
-SrcDomain,string,Recommended,Dns
-SrcDomainType,string,Recommended,Dns
-SrcDvcId,string,Optional,Dns
-SrcDvcIdType,string,Optional,Dns
-SrcFQDN,string,Optional,Dns
-SrcGeoCity,string,Optional,Dns
-SrcGeoCountry,string,Optional,Dns
-SrcGeoLatitude,real,Optional,Dns
-SrcGeoLongitude,real,Optional,Dns
-SrcGeoRegion,string,Optional,Dns
-SrcHostname,string,Recommended,Dns
-SrcIpAddr,string,Mandatory,Dns
-SrcOriginalUserType,string,Optional,Dns
-SrcPortNumber,int,Optional,Dns
-SrcProcessGuid,string,Optional,Dns
-SrcProcessId,string,Optional,Dns
-SrcProcessName,string,Optional,Dns
-SrcRiskLevel,int,Optional,Dns
-SrcUserDomain,string,Optional,Dns
-SrcUserId,string,Optional,Dns
-SrcUserIdType,string,Optional,Dns
-SrcUsername,string,Optional,Dns
-SrcUsernameType,string,Optional,Dns
-SrcUserType,string,Optional,Dns
-TenantId,string,Optional,Dns
-ThreatCategory,string,Optional,Dns
-TimeGenerated,datetime,Optional,Dns
-TransactionIdHex,string,Recommended,Dns
-Type,string,Optional,Dns
-UrlCategory,string,Optional,Dns
-User,string,Alias,Dns

ASIM/dev/ASimSchemaTester/ASimSchemaTester.json

@@ -1,39 +0,0 @@
-{
-  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
-  "contentVersion": "1.0.0.0",
-  "parameters": {
-    "workspaceName": {
-      "type": "string"
-    },
-    "location": {
-      "type": "string"
-    }
-  },
-  "resources": [
-    {
-      "type": "Microsoft.OperationalInsights/workspaces",
-      "apiVersion": "2017-03-15-preview",
-      "name": "[parameters('workspaceName')]",
-      "location": "[parameters('location')]",
-      "resources": [
-        {
-          "type": "savedSearches",
-          "apiVersion": "2020-08-01",
-          "name": "ASimSchemaTester",
-          "dependsOn": [
-            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
-          ],
-          "properties": {
-            "etag": "*",
-            "displayName": "ASIM Schema tester",
-            "category": "Security",
-            "FunctionAlias": "ASimSchemaTester",
-            "query": "let ASimNetworkSessionFields = externaldata (ColumnName: string, ColumnType: string, Class: string, Schema: string)\r\n  [@\"https:\/\/raw.githubusercontent.com\/Azure\/Azure-Sentinel\/master\/ASIM\/dev\/ASimSchemaTester\/ASimSchemaTester.csv\"] with (format=\"csv\", IgnoreFirstRecord=true)\r\n  | where Schema =~ selected_schema;\r\n  T \r\n  | join kind=fullouter ASimNetworkSessionFields on ColumnName\r\n  | extend Result = case(\r\n      ColumnName == \"\" and Class == \"Mandatory\",  strcat (\"(0) Error: Missing mandatory field [\", ColumnName1, \"]\"),\r\n      ColumnName == \"\" and Class == \"Recommended\", strcat (\"(1) Warning: Missing recommended field [\", ColumnName1, \"]\"),\r\n      ColumnName == \"\" and Class == \"Alias\", strcat (\"(1) Warning: Missing alias [\", ColumnName1, \"]\"),\r\n      ColumnName == \"\" and Class == \"Optional\", strcat (\"(2) Info: Missing optional field [\", ColumnName1, \"]\"),\r\n      ColumnName1 == \"\", strcat (\"(2) Info: extra unnormalized column [\", ColumnName, \"]\"),\r\n      ColumnType != ColumnType1, strcat (\"(0) Error: type mismatch for column [\", ColumnName, \"]. It is currently \", ColumnType, \" and should be \", ColumnType1),\r\n      'None'\r\n    )\r\n  | where Result != \"None\" | sort by Result asc | project Result\r\n",
-            "version": 1,
-            "functionParameters": "T: (ColumnName: string, ColumnType:string), selected_schema:string"
-          }
-        }
-      ]
-    }
-  ]
-}

ASIM/dev/ASimSchemaTester/README.md

@@ -1,9 +0,0 @@
-# Deploy the ASIM schema tester
-
-This templates deploy the ASIM schema tester. For more information on using the tester refer to the document [Develop an ASIM parser]. To learn more about ASIM, refer to [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM).
-
-<br>
-
-
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimSchemaTester%2FASimSchemaTester.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimSchemaTester%2FASimSchemaTester.json)
-

ASIM/dev/ASimTester/ASimDataTester.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimDataTester",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Data tester",
+            "category": "Security",
+            "FunctionAlias": "ASimDataTester",
+            "query": "let MACaddr_regex = @'^[a-fA-F0-9]{2}(:[a-fA-F0-9]{2}){5}$';\r\n  let FQDN_regex = @'^(?:([a-zA-Z0-9-]+)\\.)?([a-zA-Z0-9-]{1,61})\\.([a-zA-Z0-9]{2,7})$';\r\n  let Hostname_regex = @'^[a-zA-Z0-9-]{1,61}$';\r\n  let MD5_regex = @'[a-zA-Z0-0]{32}';\r\n  let SHA1_regex = @'[a-zA-Z0-0]{40}';\r\n  let SHA256_regex = @'[a-zA-Z0-0]{64}';\r\n  let SHA512_regex = @'[a-zA-Z0-0]{128}';\r\n  let DnsQueryTypeName = materialize (externaldata (value: string)\r\n    [@\"https:\/\/www.iana.org\/assignments\/dns-parameters\/dns-parameters-4.csv\"] with (format=\"csv\", IgnoreFirstRecord=true));\r\n  let DnsResponseCodeName = materialize (externaldata (code: string, value: string)\r\n    [@\"https:\/\/www.iana.org\/assignments\/dns-parameters\/dns-parameters-6.csv\"] with (format=\"csv\", IgnoreFirstRecord=true) | project value);\r\n  let DnsQueryClassName = materialize (externaldata (dec: string, dex: string, value: string)\r\n    [@\"https:\/\/www.iana.org\/assignments\/dns-parameters\/dns-parameters-2.csv\"] with (format=\"csv\", IgnoreFirstRecord=true) | project value);\r\n  let ASimFields = materialize (externaldata (ColumnName: string, ColumnType: string, Class: string, Schema: string, LogicalType:string, ListOfValues: string)\r\n    [@\"https:\/\/raw.githubusercontent.com\/Azure\/Azure-Sentinel\/master\/ASIM\/dev\/ASimTester\/ASimTester.csv\"] with (format=\"csv\", IgnoreFirstRecord=true)\r\n    | where Schema =~ selected_schema);\r\n  T \r\n  | extend f=pack_all() \r\n  | mv-expand f\r\n  | project f \r\n  | extend ColumnName = tostring(bag_keys(f)[0])\r\n  | extend value = f[ColumnName]\r\n  | extend type=gettype(value)\r\n  | distinct ColumnName, tostring(value), type\r\n  | lookup ASimFields on ColumnName\r\n  | extend Result = case(      \r\n      ColumnType != \"\" and type != \"null\" and ColumnType != type, strcat (\"(0) Error: type mismatch for column [\", ColumnName, \"]. It is currently [\", type, \"] and should be [\", ColumnType, \"]\"),\r\n      Class == \"Mandatory\" and value == \"\", strcat (\"(0) Error: Missing mandatory field [\", ColumnName, \"]\"),\r\n      Class == \"Recommended\" and value == \"\", strcat (\"(1) Warning: Missing recommended field [\", ColumnName, \"]\"),\r\n      Class == \"Alias\" and value == \"\", strcat (\"(1) Warning: Missing alias [\", ColumnName, \"]\"),\r\n      LogicalType == \"Enumerated\" and ListOfValues != \"\" and ListOfValues !has value, \"Invalid Value\",\r\n      (LogicalType == \"MAC Address\") and (value != \"\") and not (value matches regex MACaddr_regex), \"Invalid Value\", \r\n      (LogicalType == \"IP Address\") and (value != \"\") and not(ipv4_is_match(value, \"0.0.0.0\",0)) and not(ipv6_is_match(value, \"::1\",0)), \"Invalid Value\",\r\n      (LogicalType == \"FQDN\") and (value != \"\") and not (value matches regex FQDN_regex), \"Invalid Value\",\r\n      (LogicalType == \"GUID\") and (value != \"\") and isnull(toguid(value)), \"Invali  d Value\",\r\n      (LogicalType == \"Hostname\") and (value != \"\") and not (value matches regex Hostname_regex), \"Invalid Value\", \r\n      (LogicalType == \"RiskLevel\") and (value != \"\") and (toint(value) < 0 or toint(value) > 100), \"Invalid Value\",\r\n      (LogicalType == \"DnsQueryClassName\") and (value != \"\") and value !in (DnsQueryClassName), \"Invalid Value\",\r\n      (LogicalType == \"DnsResponseCodeName\") and (value != \"\") and value !in (DnsResponseCodeName), \"Invalid Value\",\r\n      (LogicalType == \"DnsQueryTypeName\") and (value != \"\") and value !in (DnsQueryTypeName), \"Invalid Value\",\r\n      (LogicalType == \"MD5\") and (value != \"\") and not (value matches regex MD5_regex), \"Invalid Value\", \r\n      (LogicalType == \"SHA1\") and (value != \"\") and not (value matches regex SHA1_regex), \"Invalid Value\", \r\n      (LogicalType == \"SHA256\") and (value != \"\") and not (value matches regex SHA256_regex), \"Invalid Value\", \r\n      (LogicalType == \"SHA512\") and (value != \"\") and not (value matches regex SHA512_regex), \"Invalid Value\", \r\n      'None'\r\n     )\r\n    | where Result != \"None\"\r\n    | summarize values = make_set(value, 10) by Result, ColumnName\r\n    | extend Result = iif (Result == \"Invalid Value\", strcat (\"(0) Error: Invalid value(s) (up to 10 listed) for field [\", ColumnName, \"]: \", tostring(values)), Result)\r\n    | distinct Result\r\n    | sort by Result asc\r\n",
+            "version": 1,
+            "functionParameters": "T:( TenantId:string ), selected_schema:string"
+          }
+        }
+      ]
+    }
+  ]
+}

ASIM/dev/ASimTester/ASimSchemaTester.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimSchemaTester",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "ASIM Schema tester",
+            "category": "Security",
+            "FunctionAlias": "ASimSchemaTester",
+            "query": "let ASimFields = externaldata (ColumnName: string, ColumnType: string, Class: string, Schema: string)\r\n  [@\"https:\/\/raw.githubusercontent.com\/Azure\/Azure-Sentinel\/master\/ASIM\/dev\/ASimTester\/ASimTester.csv\"] with (format=\"csv\", IgnoreFirstRecord=true)\r\n  | where Schema =~ selected_schema;\r\n  T \r\n  | join kind=fullouter ASimFields on ColumnName\r\n  | extend Result = case(\r\n      ColumnName == \"\" and Class == \"Mandatory\",  strcat (\"(0) Error: Missing mandatory field [\", ColumnName1, \"]\"),\r\n      ColumnName == \"\" and Class == \"Recommended\", strcat (\"(1) Warning: Missing recommended field [\", ColumnName1, \"]\"),\r\n      ColumnName == \"\" and Class == \"Alias\", strcat (\"(1) Warning: Missing alias [\", ColumnName1, \"]\"),\r\n      ColumnName == \"\" and Class == \"Optional\", strcat (\"(2) Info: Missing optional field [\", ColumnName1, \"]\"),\r\n      ColumnName1 == \"\", strcat (\"(2) Info: extra unnormalized column [\", ColumnName, \"]\"),\r\n      ColumnType != ColumnType1, strcat (\"(0) Error: type mismatch for column [\", ColumnName, \"]. It is currently \", ColumnType, \" and should be \", ColumnType1),\r\n      'None'\r\n    )\r\n  | where Result != \"None\" | sort by Result asc | project Result\r\n",
+            "version": 1,
+            "functionParameters": "T: (ColumnName: string, ColumnType:string), selected_schema:string"
+          }
+        }
+      ]
+    }
+  ]
+}

ASIM/dev/ASimTester/ASimTester.csv

@@ -0,0 +1,363 @@
+ColumnName,ColumnType,Class,Schema,LogicalType,ListOfValues
+_ResourceId,string,Mandatory,NetworkSession,,
+Type,string,Mandatory,NetworkSession,,
+EventMessage,string,Optional,NetworkSession,,
+EventCount,int,Mandatory,NetworkSession,,
+EventStartTime,datetime,Mandatory,NetworkSession,,
+EventEndTime,datetime,Alias,NetworkSession,,
+EventType,string,Mandatory,NetworkSession,Enumarated,NetworkSession
+EventSubType,string,Optional,NetworkSession,Enumarated,Start|End|
+EventResult,string,Mandatory,NetworkSession,Enumerated,Success|Partial|Failure|NA 
+EventResultDetails,string,Optional,NetworkSession,,
+EventOriginalResultDetails,string,Optional,NetworkSession,,
+EventSeverity,string,Mandatory,NetworkSession,Enumerated,Informational|Low|Medium|High
+EventOriginalSeverity,string,Optional,NetworkSession,,
+EventOriginalUid,string,Optional,NetworkSession,,
+EventOriginalType,string,Optional,NetworkSession,,
+EventProduct,string,Mandatory,NetworkSession,Enumerated,
+EventProductVersion,string,Optional,NetworkSession,,
+EventVendor,string,Mandatory,NetworkSession,Enumerated,
+EventSchema,string,Mandatory,NetworkSession,Enumarated,NetworkSession
+EventSchemaVersion,string,Mandatory,NetworkSession,SchemaVersion,
+EventReportUrl,string,Optional,NetworkSession,URL,
+Dvc,string,Alias,NetworkSession,,
+DvcIpAddr,string,Recommended,NetworkSession,IP Address,
+DvcHostname,string,Mandatory,NetworkSession,Hostname,
+DvcDomain,string,Recommended,NetworkSession,FQDN,
+DvcDomainType,string,Recommended,NetworkSession,Enumerated,Windows|FQDN
+DvcFQDN,string,Optional,NetworkSession,FQDN,
+DvcId,string,Optional,NetworkSession,,
+DvcIdType,string,Optional,NetworkSession,Enumerated,AzureResourceId|MDEid
+DstIpAddr,string,Recommended,NetworkSession,IP Address,
+DstPortNumber,int,Optional,NetworkSession,,
+DstHostname,string,Recommended,NetworkSession,Hostname,
+Hostname,string,Alias,NetworkSession,Hostname,
+DstDomain,string,Recommended,NetworkSession,FQDN,
+DstDomainType,string,Recommended,NetworkSession,Enumerated,Windows|FQDN
+DstFQDN,string,Optional,NetworkSession,FQDN,
+DstDvcId,string,Optional,NetworkSession,,
+DstDvcIdType,string,Optional,NetworkSession,Enumerated,AzureResourceId|MDEid
+DstDeviceType,string,Optional,NetworkSession,Enumerated,Computer|Mobile Device|IOT Device|Other
+DstUserId,string,Optional,NetworkSession,,
+DstUserIdType,string,Optional,NetworkSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
+DstUsername,string,Optional,NetworkSession,Username,
+User,string,Alias,NetworkSession,Username,
+DstUsernameType,string,Alias,NetworkSession,Enumerated,UPN|Windows|DN|Simple
+DstUserType,string,Optional,NetworkSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
+DstOriginalUserType,string,Optional,NetworkSession,,
+DstUserDomain,string,Optional,NetworkSession,FQDN,
+DstAppName,string,Optional,NetworkSession,,
+DstAppId,string,Optional,NetworkSession,,
+DstAppType,string,Optional,NetworkSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
+DstZone,string,Optional,NetworkSession,,
+DstInterfaceName,string,Optional,NetworkSession,,
+DstInterfaceGuid,string,Optional,NetworkSession,GUID,
+DstMacAddr,string,Optional,NetworkSession,MAC address,
+DstGeoCountry,string,Optional,NetworkSession,Country,
+DstGeoRegion,string,Optional,NetworkSession,Region,
+DstGeoCity,string,Optional,NetworkSession,City,
+DstGeoLatitude,real,Optional,NetworkSession,,
+DstGeoLongitude,real,Optional,NetworkSession,,
+SrcIpAddr,string,Recommended,NetworkSession,IP Address,
+SrcPortNumber,int,Optional,NetworkSession,,
+SrcHostname,string,Recommended,NetworkSession,Hostname,
+SrcDomain,string,Recommended,NetworkSession,FQDN,
+SrcDomainType,string,Recommended,NetworkSession,Enumerated,Windows|FQDN
+SrcFQDN,string,Optional,NetworkSession,FQDN,
+SrcDvcId,string,Optional,NetworkSession,,
+SrcDvcIdType,string,Optional,NetworkSession,Enumerated,AzureResourceId|MDEid
+SrcDeviceType,string,Optional,NetworkSession,Enumerated,Computer|Mobile Device|IOT Device|Other
+SrcUserId,string,Optional,NetworkSession,,
+SrcUserIdType,string,Optional,NetworkSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
+SrcUsername,string,Optional,NetworkSession,Username,
+SrcUsernameType,string,Alias,NetworkSession,Enumerated,UPN|Windows|DN|Simple
+SrcUserType,string,Optional,NetworkSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
+SrcOriginalUserType,string,Optional,NetworkSession,,
+SrcUserDomain,string,Optional,NetworkSession,FQDN,
+SrcAppName,string,Optional,NetworkSession,,
+SrcAppId,string,Optional,NetworkSession,,
+IpAddr,string,Alias,NetworkSession,IP Address,
+SrcAppType,string,Optional,NetworkSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
+SrcZone,string,Optional,NetworkSession,,
+SrcInterfaceName,string,Optional,NetworkSession,,
+SrcInterfaceGuid,string,Optional,NetworkSession,GUID,
+SrcMacAddr,string,Optional,NetworkSession,MAC address,
+SrcGeoCountry,string,Optional,NetworkSession,Country,
+SrcGeoCity,string,Optional,NetworkSession,City,
+SrcGeoLatitude,real,Optional,NetworkSession,,
+SrcGeoLongitude,real,Optional,NetworkSession,,
+NetworkApplicationProtocol,string,Optional,NetworkSession,Enumerated,
+NetworkProtocol,string,Optional,NetworkSession,Enumerated,
+NetworkDirection,string,Optional,NetworkSession,Enumerated,Inbound|Outbound|Listen
+NetworkDuration,int,Optional,NetworkSession,,
+Duration,int,Alias,NetworkSession,,
+NetworkIcmpCode,int,Optional,NetworkSession,,
+NetworkIcmpType,string,Optional,NetworkSession,Enumerated,
+DstBytes,int,Optional,NetworkSession,,
+SrcBytes,int,Optional,NetworkSession,,
+NetworkBytes,int,Optional,NetworkSession,,
+DstPackets,int,Optional,NetworkSession,,
+SrcPackets,int,Optional,NetworkSession,,
+NetworkPackets,int,Optional,NetworkSession,,
+NetworkSessionId,string,Optional,NetworkSession,,
+SessionId,string,Alias,NetworkSession,,
+DstNatIpAddr,string,Optional,NetworkSession,IP Address,
+DstNatPortNumber,int,Optional,NetworkSession,,
+SrcNatIpAddr,string,Optional,NetworkSession,IP Address,
+SrcNatPortNumber,int,Optional,NetworkSession,,
+DvcInboundInterface,string,Optional,NetworkSession,,
+DvcOutboundInterface,string,Optional,NetworkSession,,
+NetworkRuleName,string,Optional,NetworkSession,,
+NetworkRuleNumber,int,Optional,NetworkSession,,
+Rule,string,Optional,NetworkSession,,
+DvcAction,string,Optional,NetworkSession,Enumerated,Allow|Deny|Drop|Drop ICMP|Reset|Reset Source|Reset Destination|Encrypt| Decrypt|VPNroute
+DvcOriginalAction,string,Optional,NetworkSession,,
+ThreatId,string,Optional,NetworkSession,,
+ThreatName,string,Optional,NetworkSession,,
+ThreatCategory,string,Optional,NetworkSession,,
+ThreatRiskLevel,int,Optional,NetworkSession,RiskLevel,
+Src,string,Alias,NetworkSession,,
+Dst,string,Alias,NetworkSession,,
+ThreatRiskLevelOriginal,string,Optional,NetworkSession,,
+_ResourceId,string,Optional,Dns,,
+AdditionalFields,dynamic,Optional,Dns,,
+DnsFlags,string,Optional,Dns,,
+DnsFlagsAuthoritative,bool,Optional,Dns,,
+DnsFlagsCheckingDisabled,bool,Optional,Dns,,
+DnsFlagsRecursionAvailable,bool,Optional,Dns,,
+DnsFlagsRecursionDesired,bool,Optional,Dns,,
+DnsFlagsTruncates,bool,Optional,Dns,,
+DnsFlagsZ,bool,Optional,Dns,,
+DnsNetworkDuration,int,Optional,Dns,,
+DnsQuery,string,Recommended,Dns,FQDN,
+DnsQueryClass,int,Optional,Dns,,
+DnsQueryClassName,string,Recommended,Dns,DnsQueryClassName,
+DnsQueryType,int,Optional,Dns,,
+DnsQueryTypeName,string,Optional,Dns,DnsQueryTypeName,
+DnsResponseCode,int,Optional,Dns,,
+DnsResponseCodeName,string,Mandatory,Dns,DnsResponseCodeName,
+DnsResponseName,string,Optional,Dns,,
+DnsSessionId,string,Optional,Dns,,
+Domain,string,Optional,Dns,FQDN,
+DomainCategory,string,Optional,Dns,,
+Dst,string,Alias,Dns,,
+DstDeviceType,string,Optional,Dns,Enumerated,Computer|Mobile Device|IOT Device|Other
+DstDomain,string,Optional,Dns,FQDN,
+DstDomainType,string,Optional,Dns,Enumerated,Windows|FQDN
+DstDvcId,string,Optional,Dns,,
+DstDvcIdType,string,Optional,Dns,Enumerated,AzureResourceId|MDEid
+DstFQDN,string,Optional,Dns,,
+DstGeoCity,string,Optional,Dns,City,
+DstGeoCountry,string,Optional,Dns,Country,
+DstGeoLatitude,real,Optional,Dns,,
+DstGeoLongitude,real,Optional,Dns,,
+DstGeoRegion,string,Optional,Dns,Region,
+DstHostname,string,Optional,Dns,,
+DstIpAddr,string,Optional,Dns,IP Address,
+DstPortNumber,int,Optional,Dns,,
+DstRiskLevel,int,Optional,Dns,,
+Duration,int,Alias,Dns,,
+Dvc,string,Mandatory,Dns,,
+DvcAction,string,Optional,Dns,,
+DvcDomain,string,Recommended,Dns,FQDN,
+DvcDomainType,string,Recommended,Dns,Enumerated,Windows|FQDN
+DvcHostname,string,Recommended,Dns,Hostname,
+DvcId,string,Optional,Dns,,
+DvcIpAddr,string,Recommended,Dns,IP Address,
+EventCount,int,Mandatory,Dns,,
+EventEndTime,datetime,Mandatory,Dns,,
+EventMessage,string,Optional,Dns,,
+EventOriginalType,string,Optional,Dns,,
+EventOriginalUid,string,Optional,Dns,,
+EventProduct,string,Mandatory,Dns,Enumerated,
+EventProductVersion,string,Optional,Dns,,
+EventReportUrl,string,Optional,Dns,URL,
+EventResult,string,Mandatory,Dns,Enumerated,Success|Partial|Failure|NA 
+EventResultDetails,string,Mandatory,Dns,Enumerated,
+EventSchema,string,Mandatory,Dns,Enumerated,Dms
+EventSchemaVersion,string,Mandatory,Dns,SchemaVersion,
+EventSeverity,string,Optional,Dns,Enumerated,Informational|Low|Medium|High
+EventStartTime,datetime,Mandatory,Dns,,
+EventSubType,string,Optional,Dns,Enumerated,request|response
+EventType,string,Mandatory,Dns,Enumerated,Query|Status|Notify|Update|DNS Stateful Operations
+EventVendor,string,Mandatory,Dns,Enumerated,
+Flags,string,Optional,Dns,,
+Hostname,string,Alias,Dns,Hostname,
+IpAddr,string,Alias,Dns,IP Address,
+NetworkProtocol,string,Optional,Dns,Enumerated,TCP|UDP
+Process,string,Alias,Dns,,
+SessionId,string,Alias,Dns,,
+Src,string,Alias,Dns,,
+SrcDeviceType,string,Optional,Dns,Enumerated,Computer|Mobile Device|IOT Device|Other
+SrcDomain,string,Recommended,Dns,,
+SrcDomainType,string,Recommended,Dns,Enumerated,Windows|FQDN
+SrcDvcId,string,Optional,Dns,,
+SrcDvcIdType,string,Optional,Dns,Enumerated,AzureResourceId|MDEid
+SrcFQDN,string,Optional,Dns,FQDN,
+SrcGeoCity,string,Optional,Dns,,
+SrcGeoCountry,string,Optional,Dns,Country,
+SrcGeoLatitude,real,Optional,Dns,City,
+SrcGeoLongitude,real,Optional,Dns,,
+SrcGeoRegion,string,Optional,Dns,Region,
+SrcHostname,string,Recommended,Dns,Hostname,
+SrcIpAddr,string,Mandatory,Dns,IP Address,
+SrcOriginalUserType,string,Optional,Dns,,
+SrcPortNumber,int,Optional,Dns,,
+SrcProcessGuid,string,Optional,Dns,GUID,
+SrcProcessId,string,Optional,Dns,,
+SrcProcessName,string,Optional,Dns,,
+SrcRiskLevel,int,Optional,Dns,,
+SrcUserDomain,string,Optional,Dns,FQDN,
+SrcUserId,string,Optional,Dns,,
+SrcUserIdType,string,Optional,Dns,Enumerated, SID|UIS|AADID|OktaId|AWSId
+SrcUsername,string,Optional,Dns,Username,
+SrcUsernameType,string,Optional,Dns,Enumerated,UPN|Windows|DN|Simple
+SrcUserType,string,Optional,Dns,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
+TenantId,string,Optional,Dns,,
+ThreatCategory,string,Optional,Dns,,
+TimeGenerated,datetime,Optional,Dns,,
+TransactionIdHex,string,Recommended,Dns,Hexadecimal,
+Type,string,Optional,Dns,,
+UrlCategory,string,Optional,Dns,,
+User,string,Alias,Dns,Username,
+_ResourceId,string,Mandatory,WebSession,,
+Type,string,Mandatory,WebSession,,
+EventMessage,string,Optional,WebSession,,
+EventCount,int,Mandatory,WebSession,,
+EventStartTime,datetime,Mandatory,WebSession,,
+EventEndTime,datetime,Alias,WebSession,,
+EventType,string,Mandatory,WebSession,Enumarated,HTTPsession
+EventSubType,string,Optional,WebSession,,
+EventResult,string,Mandatory,WebSession,Enumerated,Success|Partial|Failure|NA 
+EventResultDetails,string,Optional,WebSession,Enumerated,
+EventOriginalResultDetails,string,Optional,WebSession,,
+EventSeverity,string,Mandatory,WebSession,Enumerated,Informational|Low|Medium|High
+EventOriginalSeverity,string,Optional,WebSession,,
+EventOriginalUid,string,Optional,WebSession,,
+EventOriginalType,string,Optional,WebSession,,
+EventProduct,string,Mandatory,WebSession,Enumerated,
+EventProductVersion,string,Optional,WebSession,,
+EventVendor,string,Mandatory,WebSession,Enumerated,
+EventSchema,string,Mandatory,WebSession,Enumarated,WebSession
+EventSchemaVersion,string,Mandatory,WebSession,SchemaVersion,
+EventReportUrl,string,Optional,WebSession,URL,
+Dvc,string,Alias,WebSession,,
+DvcIpAddr,string,Recommended,WebSession,IP Address,
+DvcHostname,string,Mandatory,WebSession,Hostname,
+DvcDomain,string,Recommended,WebSession,FQDN,
+DvcDomainType,string,Recommended,WebSession,Enumerated,Windows|FQDN
+DvcFQDN,string,Optional,WebSession,FQDN,
+DvcId,string,Optional,WebSession,,
+DvcIdType,string,Optional,WebSession,Enumerated,AzureResourceId|MDEid
+DstIpAddr,string,Recommended,WebSession,IP Address,
+DstPortNumber,int,Optional,WebSession,,
+DstHostname,string,Recommended,WebSession,Hostname,
+Hostname,string,Alias,WebSession,Hostname,
+DstDomain,string,Recommended,WebSession,FQDN,
+DstDomainType,string,Recommended,WebSession,Enumerated,Windows|FQDN
+DstFQDN,string,Optional,WebSession,FQDN,
+DstDvcId,string,Optional,WebSession,,
+DstDvcIdType,string,Optional,WebSession,Enumerated,AzureResourceId|MDEid
+DstDeviceType,string,Optional,WebSession,Enumerated,Computer|Mobile Device|IOT Device|Other
+DstUserId,string,Optional,WebSession,,
+DstUserIdType,string,Optional,WebSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
+DstUsername,string,Optional,WebSession,Username,
+User,string,Alias,WebSession,Username,
+DstUsernameType,string,Alias,WebSession,Enumerated,UPN|Windows|DN|Simple
+DstUserType,string,Optional,WebSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
+DstOriginalUserType,string,Optional,WebSession,,
+DstUserDomain,string,Optional,WebSession,FQDN,
+DstAppName,string,Optional,WebSession,,
+DstAppId,string,Optional,WebSession,,
+DstAppType,string,Optional,WebSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
+DstZone,string,Optional,WebSession,,
+DstInterfaceName,string,Optional,WebSession,,
+DstInterfaceGuid,string,Optional,WebSession,GUID,
+DstMacAddr,string,Optional,WebSession,MAC address,
+DstGeoCountry,string,Optional,WebSession,Country,
+DstGeoRegion,string,Optional,WebSession,Region,
+DstGeoCity,string,Optional,WebSession,City,
+DstGeoLatitude,real,Optional,WebSession,,
+DstGeoLongitude,real,Optional,WebSession,,
+SrcIpAddr,string,Recommended,WebSession,IP Address,
+SrcPortNumber,int,Optional,WebSession,,
+SrcHostname,string,Recommended,WebSession,Hostname,
+SrcDomain,string,Recommended,WebSession,FQDN,
+SrcDomainType,string,Recommended,WebSession,Enumerated,Windows|FQDN
+SrcFQDN,string,Optional,WebSession,FQDN,
+SrcDvcId,string,Optional,WebSession,,
+SrcDvcIdType,string,Optional,WebSession,Enumerated,AzureResourceId|MDEid
+SrcDeviceType,string,Optional,WebSession,Enumerated,Computer|Mobile Device|IOT Device|Other
+SrcUserId,string,Optional,WebSession,,
+SrcUserIdType,string,Optional,WebSession,Enumerated, SID|UIS|AADID|OktaId|AWSId
+SrcUsername,string,Optional,WebSession,Username,
+SrcUsernameType,string,Alias,WebSession,Enumerated,UPN|Windows|DN|Simple
+SrcUserType,string,Optional,WebSession,Enumerated,Regular|Machine|Admin|System|Application| Service Principal|Other
+SrcOriginalUserType,string,Optional,WebSession,,
+SrcUserDomain,string,Optional,WebSession,FQDN,
+SrcAppName,string,Optional,WebSession,,
+SrcAppId,string,Optional,WebSession,,
+IpAddr,string,Alias,WebSession,IP Address,
+SrcAppType,string,Optional,WebSession,Enumerated,Process|Service|Resource|URL|SaaS application|Other
+SrcZone,string,Optional,WebSession,,
+SrcInterfaceName,string,Optional,WebSession,,
+SrcInterfaceGuid,string,Optional,WebSession,GUID,
+SrcMacAddr,string,Optional,WebSession,MAC address,
+SrcGeoCountry,string,Optional,WebSession,Country,
+SrcGeoCity,string,Optional,WebSession,City,
+SrcGeoLatitude,real,Optional,WebSession,,
+SrcGeoLongitude,real,Optional,WebSession,,
+NetworkApplicationProtocol,string,Optional,WebSession,Enumerated,
+NetworkProtocol,string,Optional,WebSession,Enumerated,
+NetworkDirection,string,Optional,WebSession,Enumerated,Inbound|Outbound|Listen
+NetworkDuration,int,Optional,WebSession,,
+Duration,int,Alias,WebSession,,
+NetworkIcmpCode,int,Optional,WebSession,,
+NetworkIcmpType,string,Optional,WebSession,Enumerated,
+DstBytes,int,Optional,WebSession,,
+SrcBytes,int,Optional,WebSession,,
+NetworkBytes,int,Optional,WebSession,,
+DstPackets,int,Optional,WebSession,,
+SrcPackets,int,Optional,WebSession,,
+NetworkPackets,int,Optional,WebSession,,
+NetworkSessionId,string,Optional,WebSession,,
+SessionId,string,Alias,WebSession,,
+DstNatIpAddr,string,Optional,WebSession,IP Address,
+DstNatPortNumber,int,Optional,WebSession,,
+SrcNatIpAddr,string,Optional,WebSession,IP Address,
+SrcNatPortNumber,int,Optional,WebSession,,
+DvcInboundInterface,string,Optional,WebSession,,
+DvcOutboundInterface,string,Optional,WebSession,,
+Url,string,Optional,WebSession,URL,
+UrlCategory,string,Optional,WebSession,,
+UrlOriginal,string,Optional,WebSession,URL,
+HttpVersion,string,Optional,WebSession,,
+HttpRequestMethod,string,Optional,WebSession,,
+HttpStatusCode,string,Alias,WebSession,Enumerated,
+HttpContentType,string,Optional,WebSession,,
+HttpContentFormat,string,Optional,WebSession,,
+HttpReferrer,string,Optional,WebSession,,
+HttpUserAgent,string,Optional,WebSession,Useragent,
+UserAgent,string,Alias,WebSession,,
+HttpRequestXff,string,Optional,WebSession,,
+HttpRequestTime,int,Optional,WebSession,,
+HttpResponseTime,int,Optional,WebSession,,
+FileName,string,Optional,WebSession,,
+FileMD5,string,Optional,WebSession,MD5,
+FileSHA1,string,Optional,WebSession,SHA1,
+FileSHA256,string,Optional,WebSession,SHA256,
+FileSHA512,string,Optional,WebSession,SHA512,
+FileSize,int,Optional,WebSession,,
+FileContentType,string,Optional,WebSession,Enumerated,
+NetworkRuleName,string,Optional,WebSession,,
+NetworkRuleNumber,int,Optional,WebSession,,
+Rule,string,Optional,WebSession,,
+DvcAction,string,Optional,WebSession,Enumerated,Allow|Deny|Drop|Drop ICMP|Reset|Reset Source|Reset Destination|Encrypt| Decrypt|VPNroute
+DvcOriginalAction,string,Optional,WebSession,,
+ThreatId,string,Optional,WebSession,,
+ThreatName,string,Optional,WebSession,,
+ThreatCategory,string,Optional,WebSession,,
+ThreatRiskLevel,int,Optional,WebSession,RiskLevel,
+ThreatRiskLevelOriginal,string,Optional,WebSession,,
+Src,string,Alias,WebSession,,
+Dst,string,Alias,WebSession,,

ASIM/dev/ASimTester/ASimTester.json

@@ -0,0 +1,63 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "workspaceName": {
+            "type": "string",
+			"metadata": {
+				"description": "Specifies the Log Analytics Workspace Name."
+			}
+        },
+        "location": {
+            "type": "string",
+			"metadata": {
+				"description": "Specifies the Log Analytics Workspace Location."
+			}
+        }
+    },
+    "variables": {},
+    "resources": [
+        {
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "linkedAuthentication",
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/ASIM/dev/ASimTestter/ASimDataTester.json",
+                    "contentVersion": "1.0.0.0"
+                },
+                "parameters": {
+                    "workspaceName": {
+                        "value": "[parameters('workspaceName')]"
+                    },
+                    "location": {
+                        "value": "[parameters('location')]"
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "linkedDns",
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/ASIM/dev/ASimTestter/ASimSchemaTester.json",
+                    "contentVersion": "1.0.0.0"
+                },
+                "parameters": {
+                    "workspaceName": {
+                        "value": "[parameters('workspaceName')]"
+                    },
+                    "location": {
+                        "value": "[parameters('location')]"
+                    }
+                }
+            }
+        }
+    ],
+    "outputs": {
+    }
+}

ASIM/dev/ASimTester/README.md

@@ -0,0 +1,12 @@
+# Deploy the ASIM tester
+
+This templates deploy the ASIM tester. For more information on using the tester refer to the document [Develop an ASIM parser]. To learn more about ASIM, refer to [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM).
+
+<br>
+
+| Tool | Azure | Azure Gov |
+| ---- | ----- | --------- |
+| All | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimTester.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimTester.json) |
+| Schema Tester | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimSchemaTester.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimSchemaTester.json) |
+| Data Tester | [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimDataTester.json) | [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FASIM%2Fdev%2FASimTester%2FASimDataTester.json) |
+

ASIM/dev/ASimYaml2ARM/ASimYaml2ARM.py

@@ -23,12 +23,19 @@ alias = parserYaml["ParserName"]
 query = parserYaml["ParserQuery"]
 product = parserYaml["Product"]["Name"]
 schema = parserYaml["Normalization"]["Schema"]
+params=parserYaml.get('ParserParams')
 
 data_section=arm_template['resources'][0]['resources'][0]
 data_section['name'] = alias
 data_section['properties']['query'] = query
 data_section['properties']['FunctionAlias'] = alias
 data_section['properties']['displayName'] = title
+for param in params:
+    if param['Type']=='string':
+        param['Default'] = f"\'{param['Default']}\'"
+    data_section['properties']['functionParameters'] =  \
+                    ', '.join([f'{param["Name"]}:{param["Type"]}={param["Default"]}' for param in params])
+
 
 with open(os.path.join(folder, f'{fname}'), 'w') as jf:
     json.dump(arm_template, jf, indent=2)

Detections/AuditLogs/AccountCreatedandDeletedinShortTimeframe.yaml

@@ -8,7 +8,7 @@ requiredDataConnectors:
   - connectorId: AzureActiveDirectory
     dataTypes:
       - SigninLogs
-queryFrequency: 1d
+queryFrequency: 1h
 queryPeriod: 1d
 triggerOperator: gt
 triggerThreshold: 0
@@ -19,17 +19,29 @@ relevantTechniques:
 tags:
   - AADSecOpsGuide
 query: |
+  let queryfrequency = 1h;
+  let queryperiod = 1d;
   AuditLogs
-  | where OperationName =~ "Add user"
-  | extend UPN = tostring(TargetResources[0].userPrincipalName)
-  | join kind=inner (AuditLogs
+  | where TimeGenerated > ago(queryfrequency)
   | where OperationName =~ "Delete user"
-  | extend UPN = tostring(TargetResources[0].userPrincipalName)
-  | extend IPAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) on UPN
-  | extend timedelta = TimeGenerated1 - TimeGenerated
-  | project-reorder TimeGenerated, TimeGenerated1, timedelta
-  | where timedelta < timespan(24h) and timedelta > timespan(0h)
-  | extend CustomAccountEntity = UPN, IPCustomEntity = IPAddress
+  //extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
+  | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResources[0].userPrincipalName))
+  | extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)
+  | extend DeletedByApp = tostring(InitiatedBy.app.displayName)
+  | project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources
+  | join kind=inner (
+      AuditLogs
+      | where TimeGenerated > ago(queryperiod)
+      | where OperationName =~ "Add user"
+      | extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
+      | project-rename Creation_TimeGenerated = TimeGenerated
+  ) on UserPrincipalName
+  | extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated
+  | where  TimeDelta between (time(0s) .. queryperiod)
+  | extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)
+  | extend CreatedByApp = tostring(InitiatedBy.app.displayName)
+  | project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources
+  | extend timestamp = Deletion_TimeGenerated, CustomAccountEntity = UserPrincipalName, IPCustomEntity = DeletedByIPAddress
 entityMappings:
   - entityType: Account
     fieldMappings:
@@ -39,5 +51,5 @@ entityMappings:
     fieldMappings:
       - identifier: Address
         columnName: IPCustomEntity
-version: 1.0.1
-kind: scheduled
+version: 1.0.2
+kind: Scheduled

Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "ASimNetworkSessionZscalerZIA",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Network Session ASIM parser for Zscaler ZIA",
+            "category": "Security",
+            "FunctionAlias": "ASimNetworkSessionZscalerZIA",
+            "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n  // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n  'Allow','Allow',\n  'Allow due to insufficient app data','Allow',\n  'Block/Drop','Drop',\n  'Block/ICMP','Drop ICMP',\n  'Block/Reset', 'Reset',\n  'IPS Drop', 'Drop',\n  'IPS Reset', 'Reset'\n];\nlet parser=(disabled:bool=false){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// Event fields\n| extend \n  EventCount=DeviceCustomNumber1, \n  EventStartTime=TimeGenerated, \n  EventVendor = \"Zscaler\", \n  EventProduct = \"ZIA\", \n  EventSchema = \"NetworkSession\", \n  EventSchemaVersion=\"0.2.1\", \n  EventType = 'NetworkSession', \n  EventEndTime=TimeGenerated \n| project-rename\n  DvcOriginalAction = DeviceAction, \n  DvcHostname = Computer, \n  EventProductVersion = DeviceVersion, \n  NetworkProtocol = Protocol, \n  DstIpAddr = DestinationIP, \n  DstPortNumber = DestinationPort, \n  DstNatIpAddr = DestinationTranslatedAddress, \n  DstNatPortNumber = DestinationTranslatedPort, \n  DstBytes = ReceivedBytes, \n  DstAppName = DeviceCustomString3, \n  NetworkApplicationProtocol = DeviceCustomString2, \n  SrcIpAddr = SourceIP, \n  SrcPortNumber = SourcePort, \n  SrcUsername = SourceUserName,\n  SrcNatIpAddr= SourceTranslatedAddress, \n  SrcNatPortNumber = SourceTranslatedPort, \n  SrcUserDepartment = DeviceCustomString1,  // Not in standard schema\n  SrcUserLocation = SourceUserPrivileges,  // Not in standard schema\n  SrcBytes = SentBytes, \n  NetworkDuration = DeviceCustomNumber1, \n  ThreatName = DeviceCustomString6, \n  ThreatCategory = DeviceCustomString5, \n  RuleName = Activity \n// -- Calculated fields\n| lookup ActionLookup on DvcOriginalAction \n| extend\n  ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n  SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername)\n// -- Enrichment\n| extend\n  EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\"),\n  DstAppType = \"Service\", \n  SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n  Dvc = DvcHostname,\n  User = SrcUsername,\n  IpAddr = SrcIpAddr\n| project-away \n  DeviceCustom*\n};\nparser (disabled)",
+            "version": 1,
+            "functionParameters": "disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/README.md

@@ -0,0 +1,16 @@
+# Zscaler ZIA ASIM NetworkSession Normalization Parser
+
+This template deploys the ASIM NetworkSession schema parser for Zscaler ZIA.
+
+The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FASimNetworkSessionzScalerZIA%2FASimNetworkSessionzScalerZIA.json)

Parsers/ASimNetworkSession/ARM/FullDeploymentNetworkSession.json

@@ -111,6 +111,26 @@
         }
       }
     },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedASimNetworkSessionzScalerZIA",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/ASimNetworkSessionzScalerZIA/ASimNetworkSessionzScalerZIA.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
+    },
     {
       "type": "Microsoft.Resources/deployments",
       "apiVersion": "2020-10-01",
@@ -138,7 +158,7 @@
       "properties": {
         "mode": "Incremental",
         "templateLink": {
-          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
+           "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/vimNetworkSessionEmpty.json",
           "contentVersion": "1.0.0.0"
         },
         "parameters": {
@@ -230,7 +250,27 @@
           }
         }
       }
+    },
+    {
+      "type": "Microsoft.Resources/deployments",
+      "apiVersion": "2020-10-01",
+      "name": "linkedvimNetworkSessionzScalerZIA",
+      "properties": {
+        "mode": "Incremental",
+        "templateLink": {
+          "uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json",
+          "contentVersion": "1.0.0.0"
+        },
+        "parameters": {
+          "workspaceName": {
+            "value": "[parameters('workspaceName')]"
+          },
+          "location": {
+            "value": "[parameters('location')]"
+          }
+        }
+      }
     }
   ],
   "outputs": {}
-}
+}

Parsers/ASimNetworkSession/ARM/imNetworkSession/README.md

@@ -1,13 +1,14 @@
-# Source agnostic ASIM Network Sessions Normalization Parser
+# Source agnostic ASIM NetworkSession Normalization Parser
 
-This template deploys the ASIM NetworkSession schema parser for Source agnostic. The parser is a part of the Advanced SIEM Information Model.
+This template deploys the ASIM NetworkSession schema parser for Source agnostic.
 
 The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
 
 For more information, see:
 
-- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
-- [Microsoft Sentinel NetworkSession normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
 
 <br>
  

Parsers/ASimNetworkSession/ARM/imNetworkSession/imNetworkSession.json

@@ -28,9 +28,9 @@
             "displayName": "Source Agnostic Network Session parser",
             "category": "Security",
             "FunctionAlias": "imNetworkSession",
-            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n  vimNetworkSessionEmpty\n  , vimNetworkSessionLinuxSysmon                     (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n  , vimNetworkSessionMicrosoft365Defender            (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n  , vimNetworkSessionMD4IoT                          (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n  , vimNetworkSessionMicrosoftWindowsEventFirewall   (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult)",
+            "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet NetworkSessionsGeneric=(starttime:datetime=datetime(null) , endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=false)\n{\nunion isfuzzy=true\n  vimNetworkSessionEmpty\n  , vimNetworkSessionLinuxSysmon                     (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionLinuxSysmon'      in (DisabledParsers) ))\n  , vimNetworkSessionMicrosoft365Defender            (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionMicrosoft365Defender'      in (DisabledParsers) ))\n  , vimNetworkSessionMD4IoT                          (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionMD4IoT'      in (DisabledParsers) ))\n  , vimNetworkSessionMicrosoftWindowsEventFirewall   (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, ASimBuiltInDisabled or ('ASimNetworkSessionMicrosoftWindowsEventFirewall'      in (DisabledParsers) ))\n};\nNetworkSessionsGeneric(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult)",
             "version": 1,
-            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([])"
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*'"
           }
         }
       ]

Parsers/ASimNetworkSession/ARM/vimNetworkSessionEmpty/README.md

@@ -1,13 +1,14 @@
 # Microsoft ASIM NetworkSession Normalization Parser
 
-This template deploys the ASIM NetworkSession schema parser for Microsoft. The parser is a part of the Advanced SIEM Information Model.
+This template deploys the ASIM NetworkSession schema parser for Microsoft.
 
 The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
 
 For more information, see:
 
-- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
-- [Microsoft Sentinel NetworkSession normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
 
 <br>
  

Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoft365Defender/README.md

@@ -1,13 +1,14 @@
-# M365 Defender ASIM NetworkSessions Normalization Parser
+# M365 Defender ASIM NetworkSession Normalization Parser
 
-This template deploys the ASIM NetworkSessions schema parser for M365 Defender. The parser is a part of the Advanced SIEM Information Model.
+This template deploys the ASIM NetworkSession schema parser for M365 Defender.
 
 The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
 
 For more information, see:
 
-- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
-- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
 
 <br>
  

Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftLinuxSysmon/README.md

@@ -1,14 +1,16 @@
-# Sysmon for Linux ASIM NetworkSessions Normalization Parser
+# Sysmon for Linux ASIM NetworkSession Normalization Parser
 
-This template deploys the ASIM NetworkSessions schema parser for Sysmon for Linux. The parser is a part of the Advanced SIEM Information Model.
+This template deploys the ASIM NetworkSession schema parser for Sysmon for Linux.
 
 The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
 
 For more information, see:
 
-- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
-- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
 
 <br>
  
+
 [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionMicrosoftLinuxSysmon%2FvimNetworkSessionMicrosoftLinuxSysmon.json)

Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftMD4IoT/README.md

@@ -1,13 +1,14 @@
-# Microsoft Defender for IoT - Endpoint ASIM NetworkSessions Normalization Parser
+# Microsoft Defender for IoT - Endpoint ASIM NetworkSession Normalization Parser
 
-This template deploys the ASIM NetworkSessions schema parser for Microsoft Defender for IoT - Endpoint. The parser is a part of the Advanced SIEM Information Model.
+This template deploys the ASIM NetworkSession schema parser for Microsoft Defender for IoT - Endpoint.
 
 The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
 
 For more information, see:
 
-- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
-- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
 
 <br>
  

Parsers/ASimNetworkSession/ARM/vimNetworkSessionMicrosoftWindowsEventFirewall/README.md

@@ -1,13 +1,14 @@
-# Windows Events Firewall ASIM NetworkSessions Normalization Parser
+# WindowsEventFirewall ASIM NetworkSession Normalization Parser
 
-This template deploys the ASIM NetworkSessions schema parser for Windows Events Firewall. The parser is a part of the Advanced SIEM Information Model.
+This template deploys the ASIM NetworkSession schema parser for WindowsEventFirewall.
 
 The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
 
 For more information, see:
 
-- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AzSentinelNormalization)
-- [Microsoft Sentinel NetworkSessions normalization schema reference](https://aka.ms/AzSentinelNetworkSessionDoc)
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
 
 <br>
  

Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/README.md

@@ -0,0 +1,16 @@
+# Zscaler ZIA ASIM NetworkSession Normalization Parser
+
+This template deploys the ASIM NetworkSession schema parser for Zscaler ZIA.
+
+The Advanced SIEM Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
+
+For more information, see:
+
+- [Normalization and the Advanced SIEM Information Model (ASIM)](https://aka.ms/AboutASIM)
+- [Deploy all of ASIM](https://aka.ms/DeployASIM)
+- [ASIM NetworkSession normalization schema reference](https://aka.ms/ASimNetworkSessionDoc)
+
+<br>
+ 
+
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimNetworkSession%2FARM%2FvimNetworkSessionzScalerZIA%2FvimNetworkSessionzScalerZIA.json)

Parsers/ASimNetworkSession/ARM/vimNetworkSessionzScalerZIA/vimNetworkSessionzScalerZIA.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    "workspaceName": {
+      "type": "string"
+    },
+    "location": {
+      "type": "string"
+    }
+  },
+  "resources": [
+    {
+      "type": "Microsoft.OperationalInsights/workspaces",
+      "apiVersion": "2017-03-15-preview",
+      "name": "[parameters('workspaceName')]",
+      "location": "[parameters('location')]",
+      "resources": [
+        {
+          "type": "savedSearches",
+          "apiVersion": "2020-08-01",
+          "name": "vimNetworkSessionZscalerZIA",
+          "dependsOn": [
+            "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+          ],
+          "properties": {
+            "etag": "*",
+            "displayName": "Network Session ASIM filtering parser for Zscaler ZIA",
+            "category": "Security",
+            "FunctionAlias": "vimNetworkSessionZscalerZIA",
+            "query": "let ActionLookup = datatable (DvcOriginalAction: string, DvcAction:string) [\n  // See https://help.zscaler.com/zia/firewall-insights-logs-filters\n  'Allow','Allow',\n  'Allow due to insufficient app data','Allow',\n  'Block/Drop','Drop',\n  'Block/ICMP','Drop ICMP',\n  'Block/Reset', 'Reset',\n  'IPS Drop', 'Drop',\n  'IPS Reset', 'Reset'\n];\nlet parser=  \n  (starttime:datetime=datetime(null)\n  , endtime:datetime=datetime(null)\n  , srcipaddr_has_any_prefix:dynamic=dynamic([])\n  , dstipaddr_has_any_prefix:dynamic=dynamic([])\n  , dstportnumber:int=int(null)\n  , hostname_has_any:dynamic=dynamic([])\n  , dvcaction:dynamic=dynamic([])\n  , eventresult:string='*'\n  , disabled:bool=false) {\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSFWlog\"\n// -- Pre-filtering\n|where\n  (array_length(hostname_has_any) == 0) // No host name information, so always filter out if hostname filter used. \n  and (isnull(starttime) or TimeGenerated >= starttime)\n  and  (isnull(endtime) or TimeGenerated <= endtime)\n  and  (isnull(dstportnumber) or dstportnumber == DestinationPort) \n  and  (array_length(srcipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(SourceIP ,srcipaddr_has_any_prefix)) \n  and  (array_length(dstipaddr_has_any_prefix)==0 or has_any_ipv4_prefix(DestinationIP ,dstipaddr_has_any_prefix))\n| project-rename DvcOriginalAction = DeviceAction\n| lookup ActionLookup on DvcOriginalAction \n| where array_length(dvcaction) == 0 or DvcAction in (dvcaction)\n| extend EventResult = iff (DvcOriginalAction == \"Allow\", \"Success\", \"Failure\") \n| where (eventresult=='*' or EventResult == eventresult)\n// -- Event fields\n| extend \n  EventCount=DeviceCustomNumber1, \n  EventStartTime=TimeGenerated, \n  EventVendor = \"Zscaler\", \n  EventProduct = \"ZIA\", \n  EventSchema = \"NetworkSession\", \n  EventSchemaVersion=\"0.2.1\", \n  EventType = 'NetworkSession', \n  EventEndTime=TimeGenerated \n| project-rename\n  DvcHostname = Computer, \n  EventProductVersion = DeviceVersion, \n  NetworkProtocol = Protocol, \n  DstIpAddr = DestinationIP, \n  DstPortNumber = DestinationPort, \n  DstNatIpAddr = DestinationTranslatedAddress, \n  DstNatPortNumber = DestinationTranslatedPort, \n  DstBytes = ReceivedBytes, \n  DstAppName = DeviceCustomString3, \n  NetworkApplicationProtocol = DeviceCustomString2, \n  SrcIpAddr = SourceIP, \n  SrcPortNumber = SourcePort, \n  SrcUsername = SourceUserName,\n  SrcNatIpAddr= SourceTranslatedAddress, \n  SrcNatPortNumber = SourceTranslatedPort, \n  SrcUserDepartment = DeviceCustomString1,  // Not in standard schema\n  SrcUserLocation = SourceUserPrivileges,  // Not in standard schema\n  SrcBytes = SentBytes, \n  NetworkDuration = DeviceCustomNumber1, \n  ThreatName = DeviceCustomString6, \n  ThreatCategory = DeviceCustomString5, \n  RuleName = Activity \n// -- Calculated fields\n| extend\n  ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", ThreatCategory),\n  SrcUsername = iff (SrcUsername == SrcUserLocation, \"\", SrcUsername)\n// -- Enrichment\n| extend\n  DstAppType = \"Service\", \n  SrcUsernameType = \"UPN\" \n// -- Aliases\n| extend\n  Dvc = DvcHostname,\n  User = SrcUsername,\n  IpAddr = SrcIpAddr\n| project-away \n  DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)",
+            "version": 1,
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), dstipaddr_has_any_prefix:dynamic=dynamic([]), dstportnumber:int=int(null), hostname_has_any:dynamic=dynamic([]), dvcaction:dynamic=dynamic([]), eventresult:string='*', disabled:bool=False"
+          }
+        }
+      ]
+    }
+  ]
+}

Parsers/ASimNetworkSession/ProductParsers/ASimNetworkSession.yaml

@@ -15,6 +15,15 @@ References:
 Description: |
   ASIM Source Agnostic NetworkSession Parser
 ParserName: ASimNetworkSession
+EquivalentBuiltInParser: _ASim_NetworkSession 
+Parsers:
+  - _Im_NetworkSession_Empty
+  - _ASim_NetworSession_Microsoft365Defender
+  - _ASim_NetworkSession_LinuxSysmon
+  - _ASim_NetworkSession_MD4IoT
+  - _ASim_NetworkSession_MicrosoftWindowsEventFirewall     
+  - _ASim_NetworkSession_ZscalerZIA   
+
 ParserQuery: |
   let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);
   let ASimBuiltInDisabled=toscalar('ASimNetworkSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); 

Parsers/ASimNetworkSession/ProductParsers/ASimNetworkSessionMicrosoft365Defender.yaml

@@ -15,6 +15,7 @@ References:
 Description: |
   This Query Parser maps M365 Defender network events to the Advanced SIEM Information Model Network Session schema.
 ParserName: ASimNetworkSessionMicrosoft365Defender
+EquivalentBuiltInParser: _ASim_NetworSession_Microsoft365Defender
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimNetworkSession/ProductParsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml

@@ -15,6 +15,7 @@ References:
 Description: |
   ASIM Sysmon for Linux Network Session Parser
 ParserName: ASimNetworkSessionLinuxSysmon
+EquivalentBuiltInParser: _ASim_NetworkSession_LinuxSysmon
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimNetworkSession/ProductParsers/ASimNetworkSessionMicrosoftMD4IoT.yaml

@@ -15,6 +15,7 @@ References:
 Description: |
   ASIM Azure Defender for IoT Network Sessions Parser.
 ParserName: ASimNetworkSessionMD4IoT
+EquivalentBuiltInParser: _ASim_NetworkSession_MD4IoT
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimNetworkSession/ProductParsers/ASimNetworkSessionMicrosoftWindowsEventFirewall.yaml

@@ -16,6 +16,7 @@ Description: |
         This Query Parser maps Microsoft Windows Firewall Events (WindowsEvent and SecurityEvent tables) to the Advanced SIEM Information Model Network Session schema.
         Event IDs which are parsed as part of this parser: 5150, 5151, 5152, 5153, 5154, 5155, 5156, 5167, 5158, 5159
 ParserName: ASimNetworkSessionMicrosoftWindowsEventFirewall
+EquivalentBuiltInParser: _ASim_NetworkSession_MicrosoftWindowsEventFirewall
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimNetworkSession/ProductParsers/ASimNetworkSessionzScalerZIA.yaml

@@ -19,6 +19,7 @@ References:
 Description: |
   This ASIM parser supports normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Network Session normalized schema. The parser supports squid native log format.
 ParserName: ASimNetworkSessionZscalerZIA
+EquivalentBuiltInParser: _ASim_NetworkSession_ZscalerZIA
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimNetworkSession/ProductParsers/imNetworkSession.yaml

@@ -15,6 +15,14 @@ References:
 Description: |
   ASIM Source Agnostic NetworkSession Parser
 ParserName: imNetworkSession
+EquivalentBuiltInParser: _Im_NetworkSession
+Parsers:
+  - _Im_NetworkSession_Empty
+  - _Im_NetworkSession_Microsoft365Defender
+  - _Im_NetworkSession_LinuxSysmon
+  - _Im_NetworkSession_MD4IoT
+  - _Im_NetworkSession_MicrosoftWindowsEventFirewall     
+  - _Im_NetworkSession_ZscalerZIA  
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -45,7 +53,7 @@ ParserParams:
     Default: dynamic([])
   - Name: eventresult
     Type: string
-    Default: "'*'"
+    Default: '*'
 
 ParserQuery: |
   let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ASimNetworkSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));

Parsers/ASimNetworkSession/ProductParsers/vimNetworkSessionEmpty.yaml

@@ -15,6 +15,8 @@ References:
 Description: |
   The purpose of this function is to generate and guarantee the schema columns
 ParserName: vimNetworkSessionEmpty
+EquivalentBuiltInParser: _Im_NetworkSession_Empty
+
 ParserQuery: | 
  let parser=datatable(
     TimeGenerated:datetime

Parsers/ASimNetworkSession/ProductParsers/vimNetworkSessionMicrosoft365Defender.yaml

@@ -15,6 +15,7 @@ References:
 Description: |
   This Query Parser maps M365 Defender network events to the Advanced SIEM Information Model Network Session schema.
 ParserName: vimNetworkSessionMicrosoft365Defender
+EquivalentBuiltInParser: _Im_NetworkSession_Microsoft365Defender
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -45,7 +46,7 @@ ParserParams:
     Default: dynamic([])
   - Name: eventresult
     Type: string
-    Default: "'*'"
+    Default: '*'
   - Name: disabled
     Type: bool
     Default: false
@@ -250,4 +251,4 @@ ParserQuery: |
      Src = SrcIpAddr,
      Dst = DstIpAddr 
   };
-  M365Defender(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)
+  M365Defender(starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)

Parsers/ASimNetworkSession/ProductParsers/vimNetworkSessionMicrosoftLinuxSysmon.yaml

@@ -15,6 +15,7 @@ References:
 Description: |
   ASIM Sysmon for Linux Network Session Parser
 ParserName: vimNetworkSessionLinuxSysmon
+EquivalentBuiltInParser: _Im_NetworkSession_LinuxSysmon
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -45,7 +46,7 @@ ParserParams:
     Default: dynamic([])
   - Name: eventresult
     Type: string
-    Default: "'*'"
+    Default: '*'
   - Name: disabled
     Type: bool
     Default: false

Parsers/ASimNetworkSession/ProductParsers/vimNetworkSessionMicrosoftMD4IoT.yaml

@@ -15,6 +15,7 @@ References:
 Description: |
   ASIM Azure Defender for IoT Network Sessions Parser.
 ParserName: vimNetworkSessionMD4IoT
+EquivalentBuiltInParser: _Im_NetworkSession_MD4IoT
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -45,7 +46,7 @@ ParserParams:
     Default: dynamic([])
   - Name: eventresult
     Type: string
-    Default: "'*'"
+    Default: '*'
   - Name: disabled
     Type: bool
     Default: false

Parsers/ASimNetworkSession/ProductParsers/vimNetworkSessionMicrosoftWindowsEventFirewall.yaml

@@ -16,6 +16,7 @@ Description: |
         This Query Parser maps Microsoft Windows Firewall Events (WindowsEvent and SecurityEvent tables) to the Advanced SIEM Information Model Network Session schema.
         Event IDs which are parsed as part of this parser: 5150, 5151, 5152, 5153, 5154, 5155, 5156, 5167, 5158, 5159
 ParserName: vimNetworkSessionMicrosoftWindowsEventFirewall
+EquivalentBuiltInParser: _Im_NetworkSession_MicrosoftWindowsEventFirewall
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -46,7 +47,7 @@ ParserParams:
     Default: dynamic([])
   - Name: eventresult
     Type: string
-    Default: "'*'"
+    Default: '*'
   - Name: disabled
     Type: bool
     Default: false
@@ -297,8 +298,8 @@ ParserQuery: |
         };
   // Main query -> outputs both schemas as one normalized table
   union isfuzzy=true
-    WindowsFirewall_SecurityEvent  (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)
-    , WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, disabled)
+    WindowsFirewall_SecurityEvent  (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)
+    , WindowsFirewall_WindowsEvent (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, url_has_any, httpuseragent_has_any, hostname_has_any, dvcaction, eventresult, disabled)
       | extend 
               DvcAction = iff(EventID in (5154, 5156, 5158), "Allow", "Deny"),
               DvcOs = 'Windows',

Parsers/ASimNetworkSession/ProductParsers/vimNetworkSessionzScalerZIA.yaml

@@ -19,6 +19,7 @@ References:
 Description: |
   This ASIM parser supports filtering and normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Network Session normalized schema. The parser supports squid native log format.
 ParserName: vimNetworkSessionZscalerZIA
+EquivalentBuiltInParser: _Im_NetworkSession_ZscalerZIA
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -43,7 +44,7 @@ ParserParams:
     Default: dynamic([])
   - Name: eventresult
     Type: string
-    Default: "'*'"
+    Default: '*'
   - Name: disabled
     Type: bool
     Default: false
@@ -133,4 +134,4 @@ ParserQuery: |
   | project-away 
     DeviceCustom*
   };
-  parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, disabled)
+  parser (starttime, endtime, srcipaddr_has_any_prefix, dstipaddr_has_any_prefix, dstportnumber, hostname_has_any, dvcaction, eventresult, disabled)

Parsers/ASimWebSession/ARM/imWebSession/imWebSession.json

@@ -30,7 +30,7 @@
             "FunctionAlias": "ASimWebSession",
             "query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'vimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('vimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n  starttime:datetime=datetime(null), \n  endtime:datetime=datetime(null),\n  srcipaddr_has_any_prefix:dynamic=dynamic([]),\n  url_has_any:dynamic=dynamic([]), \n  httpuseragent_has_any:dynamic=dynamic([]), \n  eventresultdetails_in:dynamic=dynamic([]),\n  eventresult:string='*')\n{\nunion isfuzzy=true\n  vimWebSessionEmpty,\n  vimWebSessionSquidProxy (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionSquidProxy' in (DisabledParsers))),\n  vimWebSessionZscalerZIA (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, vimBuiltInDisabled or ('vimWebSessionZscalerZIA' in (DisabledParsers)))\n};\nparser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)\n",
             "version": 1,
-            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
           }
         }
       ]

Parsers/ASimWebSession/ARM/vimWebSessionSquidProxy/vimWebSessionSquidProxy.json

@@ -30,7 +30,7 @@
             "FunctionAlias": "vimWebSessionSquidProxy",
             "query": "let parser = (\n  starttime:datetime=datetime(null), \n  endtime:datetime=datetime(null),\n  srcipaddr_has_any_prefix:dynamic=dynamic([]), \n  url_has_any:dynamic=dynamic([]),\n  httpuseragent_has_any:dynamic=dynamic([]),\n  eventresultdetails_in:dynamic=dynamic([]),\n  eventresult:string='*',\n  disabled:bool=false\n ){\nSquidProxy_CL | where not(disabled)\n  // -- Pre filtering\n  | where  \n    (isnull(starttime) or TimeGenerated >= starttime) \n    and (isnull(endtime) or TimeGenerated <= endtime) \n    and ((array_length(url_has_any) == 0) or (RawData has_any (url_has_any)))\n    and ((array_length(httpuseragent_has_any) == 0) or (RawData has_any (httpuseragent_has_any)))\n    and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(RawData, srcipaddr_has_any_prefix))\n    and ((array_length(eventresultdetails_in) == 0) or (RawData has_any (eventresultdetails_in)))\n  // -- Parse\n  | extend AccessRawLog = extract_all(@\"^(\\d+\\.\\d+)\\s+(\\d+)\\s(\\S+)\\s([A-Z_]+)\\/(\\d+)\\s(\\d+)\\s([A-Z]+)\\s(\\S+)\\s(\\S+)\\s([A-Z_]+)\\/(\\S+)\\s(\\S+)\",dynamic([1,2,3,4,5,6,7,8,9,10,11,12]),RawData)[0]\n  // -- Post filtering\n  | extend EventResultDetails = toint(AccessRawLog[4])\n  | where array_length(eventresultdetails_in) == 0 or eventresult in (eventresultdetails_in)\n  | extend EventOriginalResultDetails = strcat (tostring(AccessRawLog[3]), \";\", PeerStatus = tostring(AccessRawLog[9]))\n  | extend EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n  | where eventresult == \"*\" or eventresult == EventResultDetails\n  // -- Map\n  | extend\n    EventEndTime = unixtime_milliseconds_todatetime(todouble(tostring(AccessRawLog[0]))*1000), \n    NetworkDuration = toint(AccessRawLog[1]), \n    SrcIpAddr = tostring(AccessRawLog[2]), \n    DstBytes = toint(AccessRawLog[5]), \n    HttpRequestMethod = tostring(AccessRawLog[6]), \n    Url = tostring(AccessRawLog[7]), \n    SrcUsername = tostring(AccessRawLog[8]), \n    DstIpAddr = tostring(AccessRawLog[10]), \n    HttpContentType = tostring(AccessRawLog[11]) \n  // -- Constant fields\n  | extend \n    EventCount = int(1), \n    EventProduct = 'Squid Proxy', \n    EventVendor = 'Apache', \n    EventSchema = 'WebSession', \n    EventSchemaVersion = '0.1.0', \n    EventType = 'HTTPsession' \n  // -- Value normalization\n  | extend\n    UsernameType = \"Unknown\",\n    SrcUsername = iff (SrcUsername == \"-\", \"\", SrcUsername), \n    HttpContentType = iff (HttpContentType in (\":\", \"-\"), \"\", HttpContentType), \n    EventResult = iff (EventResultOriginalDetails has_any ('DENIED', 'INVALID', 'FAIL', 'ABORTED','TIMEOUT') or EventResultDetails >= 400, \"Failure\", \"Success\")\n  // -- aliases\n  | extend \n    EventStartTime = EventEndTime,\n    Duration = NetworkDuration,\n    HttpStatusCode = EventResultDetails,\n    User = SrcUsername,\n    IpAddr = SrcIpAddr\n  | project-away AccessRawLog, RawData\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
             "version": 1,
-            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
           }
         }
       ]

Parsers/ASimWebSession/ARM/vimWebSessionzScalerZIA/vimWebSessionzScalerZIA.json

@@ -30,7 +30,7 @@
             "FunctionAlias": "vimWebSessionZscalerZIA",
             "query": "let remove_protocol_from_list = (list:dynamic) \n{\n    print list \n    | mv-apply l = print_0 to typeof(string) on\n    ( extend l = replace_regex (tostring(l), \"^(?i:.*?)://\", \"\") ) \n    | project l\n};\nlet parser = (\nstarttime:datetime=datetime(null), \nendtime:datetime=datetime(null),\nsrcipaddr_has_any_prefix:dynamic=dynamic([]), \nurl_has_any:dynamic=dynamic([]),\nhttpuseragent_has_any:dynamic=dynamic([]),\neventresultdetails_in:dynamic=dynamic([]),\neventresult:string='*',\ndisabled:bool=false\n){\nCommonSecurityLog | where not(disabled)\n| where DeviceVendor == \"Zscaler\"\n| where DeviceProduct == \"NSSWeblog\"\n  // -- Pre filtering\n| where  \n  (isnull(starttime) or TimeGenerated >= starttime) \n  and (isnull(endtime) or TimeGenerated <= endtime) \n  and ((array_length(httpuseragent_has_any) == 0) or (RequestClientApplication has_any (httpuseragent_has_any)))\n  and ((array_length(srcipaddr_has_any_prefix) == 0) or has_any_ipv4_prefix(SourceIP, srcipaddr_has_any_prefix))\n  and ((array_length(eventresultdetails_in) == 0) or (AdditionalExtensions has_any (eventresultdetails_in)))\n  and ((array_length(url_has_any) == 0) or (RequestURL has_any (remove_protocol_from_list(url_has_any))))\n// -- Parse\n| parse AdditionalExtensions with \n    \"reason=\" EventResultOriginalDetails:string \";\"\n    \"outcome=\" EventResultDetails:string \";\"\n    \"cat=\" * \";\"\n    \"rulelabel=\" RuleName:string \";\"\n    \"ruletype=\" ruletype:string \";\"\n    \"urlclass=\" urlclass:string \";\"\n    \"devicemodel=\" * \n// -- Post filtering\n| where\n  ((array_length(eventresultdetails_in) == 0) or (EventResultDetails in (eventresultdetails_in)))\n// -- Event fields\n| extend \n  EventCount=int(1), \n  EventStartTime=TimeGenerated,  \n  EventVendor = \"Zscaler\", \n  EventProduct = \"ZIA\", \n  EventSchema = \"WebSession\", \n  EventSchemaVersion=\"0.1.0\", \n  EventType = 'HTTPsession',\n  EventEndTime=TimeGenerated\n// -- Field mapping\n| project-rename\n  DvcAction = DeviceAction,\n  DvcHostname = Computer,\n  EventProductVersion = DeviceVersion,\n  NetworkApplicationProtocol = ApplicationProtocol,\n  HttpContentType = FileType,\n  HttpUserAgent = RequestClientApplication,\n  HttpRequestMethod = RequestMethod,\n  DstAppName = DestinationServiceName,\n  DstIpAddr = DestinationIP,\n  DstFQDN = DestinationHostName,\n  DstBytes = ReceivedBytes,\n  SrcIpAddr = SourceIP,\n  SrcUsername = SourceUserName,\n  SrcNatIpAddr= SourceTranslatedAddress,\n  SrcUserDepartment = SourceUserPrivileges, // Not part of the standard schema\n  SrcBytes = SentBytes,\n  ThreatRiskLevel = DeviceCustomNumber1,\n  UrlCategory = DeviceCustomString2,\n  ThreatName = DeviceCustomString5,\n  FileMD5 = DeviceCustomString6\n// -- Calculated fields\n| extend\n  Url = iff (RequestURL == \"\", \"\", strcat (tolower(NetworkApplicationProtocol), \"://\", url_decode(RequestURL))),\n  UrlCategory = strcat (urlclass, \"/\", UrlCategory),\n  ThreatCategory = iff(DeviceCustomString4 == \"None\", \"\", strcat (DeviceCustomString3, \"/\", DeviceCustomString4)),\n  RuleName = iff (RuleName == \"None\", \"\", strcat (ruletype, \"/\", RuleName)),\n  FileMD5 = iff (FileMD5 == \"None\", \"\", FileMD5),\n  HttpReferrer = iff (RequestContext == \"None\", \"\", url_decode(RequestContext)),\n  DstAppName = iff (DstAppName == \"General Browsing\", \"\", DstAppName),\n  DstFQDNparts = split (DstFQDN, \".\")\n| extend\n  DstHostname = DstFQDNparts[0],\n  DstDomain = strcat_array(array_slice(DstFQDNparts,1,-1),\".\")\n// -- Enrichment\n| extend\n  EventResult = iff (EventResultDetails == \"NA\" or toint(EventResultDetails) >= 400, \"Failure\", \"Success\"),\n  DstAppType = \"SaaS application\",\n  DstFQDN = \"FQDN\",\n  SrcUsernameType = \"UPN\"\n// -- Aliases\n| extend\n  Dvc = DvcHostname,\n  UserAgent = HttpUserAgent,\n  User = SrcUsername,\n  HttpStatusCode = EventResultDetails,\n  IpAddr = SrcNatIpAddr,\n  Hash = FileMD5,\n  FileHashType = iff(FileMD5 == \"\", \"\", \"MD5\")\n| project-away \n  DstFQDNparts, AdditionalExtensions, DeviceCustom*\n};\nparser (starttime, endtime, srcipaddr_has_any_prefix, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult, disabled)",
             "version": 1,
-            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetils_has_any:dyanmic=dynamic([]), disabled:bool=False"
+            "functionParameters": "starttime:datetime=datetime(null), endtime:datetime=datetime(null), srcipaddr_has_any_prefix:dynamic=dynamic([]), url_has_any:dynamic=dynamic([]), httpuseragent_has_any:dynamic=dynamic([]), eventresultdetails_in:dynamic=dynamic([]), eventresult:string='*', eventresultdetails_has_any:dynamic=dynamic([]), disabled:bool=False"
           }
         }
       ]

Parsers/ASimWebSession/Parsers/ASimWebSession.yaml

@@ -14,7 +14,8 @@ References:
   Link: https://aka.ms/AboutASIM
 Description: |
   This ASIM parser supports normalizing Web Session logs from all supported sources to the ASIM DNS activity normalized schema.
-ParserName: ASimWebSessions
+ParserName: ASimWebSession
+EquivalentBuiltInParser: _ASim_WebSession
 ParserQuery: |
   let DisabledParsers=materialize(_GetWatchlist('ASimWebParsers') | where SearchKey in ('Any', 'ASimWebSession') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));
   let ASimBuiltInDisabled=toscalar('ASimWebSession' in (DisabledParsers) or 'Any' in (DisabledParsers)); 
@@ -27,6 +28,6 @@ ParserQuery: |
   parser
 
 Parsers:
-  - vimWebSessionEmpty
-  - ASimWebSessionSquidProxy
-  - ASimWebSessionZscalerZIA
+  - _Im_WebSession_Empty
+  - _ASim_WebSession_SquidProxy
+  - _ASim_WebSession_ZscalerZIA

Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml

@@ -19,6 +19,7 @@ References:
 Description: |
   This ASIM parser supports normalizing Squid Proxy logs produced by the Microsoft Sentinel Squid Connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
 ParserName: ASimWebSessionSquidProxy
+EquivalentBuiltInParser: _ASim_WebSession_SquidProxy
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml

@@ -19,6 +19,7 @@ References:
 Description: |
   This ASIM parser supports normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
 ParserName: ASimWebSessionZscalerZIA
+EquivalentBuiltInParser: _ASim_WebSession_ZscalerZIA
 ParserParams:
   - Name: disabled
     Type: bool

Parsers/ASimWebSession/Parsers/imWebSession.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Web Session ASIM filtering parser
-  Version: '0.1'
+  Version: '0.2'
   LastUpdated: Nov 30, 2021
 Product:
   Name: Source agnostic
@@ -14,7 +14,8 @@ References:
   Link: https://aka.ms/AboutASIM
 Description: |
     This ASIM parser supports filtering and normalizing Web Session logs from all supported sources to the ASIM DNS activity normalized schema.
-ParserName: ASimWebSession
+ParserName: vimWebSession
+EquivalentBuiltInParser: _Im_WebSession
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -37,8 +38,8 @@ ParserParams:
   - Name: eventresult
     Type: string
     Default: '*'
-  - Name: eventresultdetils_has_any
-    Type: dyanmic
+  - Name: eventresultdetails_has_any
+    Type: dynamic
     Default: dynamic([])
   - Name: disabled
     Type: bool
@@ -63,6 +64,6 @@ ParserQuery: |
   parser (starttime, endtime, srcipaddr_has_any, url_has_any, httpuseragent_has_any, eventresultdetails_in, eventresult)
 
 Parsers:
-  - vimWebSesssionEmpty
-  - vimWebSessionSquidProxy
-  - vimWebSessionZscalerZIA
+  - _Im_WebSesssion_Empty
+  - _Im_WebSession_SquidProxy
+  - _Im_WebSession_ZscalerZIA

Parsers/ASimWebSession/Parsers/vimWebSessionEmpty.yaml

@@ -15,6 +15,7 @@ References:
 Description: |
   This function returns an empty ASIM Web Session schema
 ParserName: vimWebSessionEmpty
+EquivalentBuiltInParser: _Im_WebSession_Empty
 ParserQuery: | 
  let parser=datatable(
     TimeGenerated:datetime

Parsers/ASimWebSession/Parsers/vimWebSessionSquidProxy.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Web Session ASIM filtering parser for Squid Proxy
-  Version: '0.1'
+  Version: '0.2'
   LastUpdated: Dec 6, 2021
 Product:
   Name: Squid Proxy
@@ -19,6 +19,7 @@ References:
 Description: |
   This ASIM parser supports filtering and normalizing Squid Proxy logs produced by the Microsoftusu Sentinel Squid Connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
 ParserName: vimWebSessionSquidProxy
+EquivalentBuiltInParser: _Im_WebSession_SquidProxy
 ParserParams:
   - Name: starttime
     Type: datetime
@@ -41,8 +42,8 @@ ParserParams:
   - Name: eventresult
     Type: string
     Default: '*'
-  - Name: eventresultdetils_has_any
-    Type: dyanmic
+  - Name: eventresultdetails_has_any
+    Type: dynamic
     Default: dynamic([])
   - Name: disabled
     Type: bool

Parsers/ASimWebSession/Parsers/vimWebSessionzScalerZIA.yaml

@@ -1,6 +1,6 @@
 Parser:
   Title: Web Session ASIM filtering parser for Zscaler ZIA
-  Version: '0.1'
+  Version: '0.2'
   LastUpdated: Dec 7, 2021
 Product:
   Name: Zscaler ZIA
@@ -19,6 +19,7 @@ References:
 Description: |
   This ASIM parser supports filtering and normalizing Zscaler ZIA proxy logs produced by the Microsoft Sentinel Zscaler connector to the ASIM Web Session normalized schema. The parser supports squid native log format.
 ParserName: vimWebSessionZscalerZIA
+EquivalentBuiltInParser: _Im_WebSession_ZscalerZIA
 
 ParserParams:
   - Name: starttime
@@ -42,8 +43,8 @@ ParserParams:
   - Name: eventresult
     Type: string
     Default: '*'
-  - Name: eventresultdetils_has_any
-    Type: dyanmic
+  - Name: eventresultdetails_has_any
+    Type: dynamic
     Default: dynamic([])
   - Name: disabled
     Type: bool

Sample Data/Custom/AIShield_CL.json

@@ -0,0 +1,182 @@
+[
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:01:25.926 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-01",
+    "source_name": "NA",
+    "probablity": 0.9,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:02:17.564 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-02",
+    "source_name": "NA",
+    "probablity": 0.75,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:02:25.396 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-01",
+    "source_name": "NA",
+    "probablity": 0.85,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:02:43.475 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-02",
+    "source_name": "NA",
+    "probablity": 0.95,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:00:19.692 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-01",
+    "source_name": "NA",
+    "probablity": 0.6,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:00:28.848 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-01",
+    "source_name": "NA",
+    "probablity": 0.7,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:00:49.065 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-01",
+    "source_name": "NA",
+    "probablity": 0.8,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:00:45.092 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-02",
+    "source_name": "NA",
+    "probablity": 0.55,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:00:45.064 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-01",
+    "source_name": "NA",
+    "probablity": 0.65,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  },
+  {
+    "TenantId": "00000000-0000-0000-0000-000000000000",
+    "SourceSystem": "RestAPI",
+    "MG": "",
+    "ManagementGroupName": "",
+    "TimeGenerated [UTC]": "12/3/2021, 9:01:19.781 AM",
+    "Computer": "",
+    "RawData": "",
+    "RawMessage": "Potential Model attack identified",
+    "service_name": "image_classification_defense_engine",
+    "asset_id": "model-02",
+    "source_name": "NA",
+    "probablity": 0.9,
+    "attack_name": "model_attack",
+    "timestamp": "2021-12-03T00:50:23Z",
+    "Type": "AIShield_CL",
+    "_ResourceId": ""
+  }
+]

Solutions/AtlassianJiraAudit/Analytic Rules/JiraGlobalPermissionAdded.yaml

@@ -0,0 +1,33 @@
+id: 5b0cec45-4a91-4f08-bb1b-392427e8f440
+name: Jira - Global permission added
+description: |
+  'Detects when global permission added.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1078
+query: |
+  JiraAudit
+  | where EventMessage =~ 'Global permission added'
+  | project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, ChangedValues
+  | extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewPrivilegedUser.yaml

@@ -0,0 +1,31 @@
+id: b894593a-2b4c-4573-bc47-78715224a6f5
+name: Jira - New site admin user
+description: |
+  'Detects new site admin user.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+  - PrivilegeEscalation
+relevantTechniques:
+  - T1078
+query: |
+  JiraAudit
+  | where EventMessage =~ 'User added to group'
+  | where ObjectItemName =~ 'site-admins'
+  | extend user = todynamic(AssociatedItems)[0]['name']
+  | extend AccountCustomEntity = user
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraNewUser.yaml

@@ -0,0 +1,30 @@
+id: 8c90f30f-c612-407c-91a0-c6a6b41ac199
+name: Jira - New user created
+description: |
+  'Detects when new user was created.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1078
+query: |
+  JiraAudit
+  | where EventMessage =~ 'User created'
+  | where ObjectItemTypeName =~ 'USER'
+  | project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, AssociatedItems
+  | extend AccountCustomEntity = ObjectItemName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraPermissionSchemeUpdated.yaml

@@ -0,0 +1,33 @@
+id: 72592618-fa57-45e1-9f01-ca8706a5e3f5
+name: Jira - Permission scheme updated
+description: |
+  'Detects when permission scheme was updated.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  JiraAudit
+  | where EventMessage =~ 'Permission scheme updated'
+  | project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, ChangedValues
+  | extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraPrivilegedUserPasswordChanged.yaml

@@ -0,0 +1,35 @@
+id: 6bf42891-b54d-4b4e-8533-babc5b3ea4c5
+name: Jira - New site admin user
+description: |
+  'Detects new site admin user.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  let priv_users = JiraAudit
+  | where EventMessage =~ 'User added to group'
+  | where ObjectItemName =~ 'site-admins'
+  | extend user = todynamic(AssociatedItems)[0]['name']
+  | summarize makeset(user);
+  JiraAudit
+  | where EventMessage =~ "User's password changed"
+  | extend user = todynamic(AssociatedItems)[0]['name']
+  | where user in (priv_users)
+  | extend AccountCustomEntity = user
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraProjectRolesChanged.yaml

@@ -0,0 +1,33 @@
+id: fb6a8001-fe87-4177-a8f3-df2302215c4f
+name: Jira - Project roles changed
+description: |
+  'Detects when project roles were changed.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  JiraAudit
+  | where EventMessage =~ 'Project roles changed'
+  | project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, AssociatedItems
+  | extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraUserPasswordChange.yaml

@@ -0,0 +1,33 @@
+id: 943176e8-b979-45c0-8ad3-58ba6cfd41f0
+name: Jira - User's password changed
+description: |
+  'Detects when user's password was changed.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1078
+query: |
+  JiraAudit
+  | where EventMessage =~ "User's password changed"
+  | extend user = todynamic(AssociatedItems)[0]['name']
+  | extend AccountCustomEntity = user, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraUserRemovedFromGroup.yaml

@@ -0,0 +1,30 @@
+id: c13ecb19-4317-4d87-9a1c-52660dd44a7d
+name: Jira - User removed from group
+description: |
+  'Detects when a user was removed from group.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  JiraAudit
+  | where EventMessage =~ 'User removed from group'
+  | extend user = todynamic(AssociatedItems)[0]['name']
+  | project EventCreationTime, ObjectItemName, user
+  | extend AccountCustomEntity = user
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraUserRemovedFromProject.yaml

@@ -0,0 +1,30 @@
+id: 5d3af0aa-833e-48ed-a29a-8cfd2705c953
+name: Jira - User removed from project
+description: |
+  'Detects when a user was removed from project.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Impact
+relevantTechniques:
+  - T1531
+query: |
+  JiraAudit
+  | where EventMessage =~ 'User removed from project'
+  | extend user = todynamic(AssociatedItems)[0]['name']
+  | project EventCreationTime, ObjectItemName, user
+  | extend AccountCustomEntity = user
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Analytic Rules/JiraWorkflowSchemeCopied.yaml

@@ -0,0 +1,34 @@
+id: 398aa0ca-45a2-4f79-bc21-ee583bbb63bc
+name: Jira - Workflow scheme copied
+description: |
+  'Detects when workflow scheme was copied.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - Collection
+relevantTechniques:
+  - T1213
+query: |
+  JiraAudit
+  | where EventMessage =~ 'Workflow scheme copied'
+  | extend workflow = todynamic(AssociatedItems)[0]['name']
+  | project EventCreationTime, ObjectItemName, UserName, SrcIpAddr, workflow
+  | extend AccountCustomEntity = UserName, IPCustomEntity = SrcIpAddr
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
+kind: Scheduled

Solutions/AtlassianJiraAudit/Hunting Queries/JiraBlockedTasks.yaml

@@ -0,0 +1,25 @@
+id: 3fdc31f0-a166-4a4d-b861-f3cd262fd4a1
+name: Jira - Blocked tasks
+description: |
+  'Query searches for blocked tasks.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Impact
+relevantTechniques:
+  - T1499
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage in ('Status updated', 'Status created')
+  | where ObjectItemTypeName =~ 'STATUS'
+  | where ObjectItemName =~ 'Blocked'
+  | extend ProcessCustomEntity = ObjectItemName
+entityMappings:
+  - entityType: Process
+    fieldMappings:
+      - identifier: ProcessId
+        columnName: ProcessCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraNewUsers.yaml

@@ -0,0 +1,25 @@
+id: aadc0945-a399-47ba-b285-c0c09ee06375
+name: Jira - New users
+description: |
+  'Query searches for new users created.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1078
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'User created'
+  | where ObjectItemTypeName =~ 'USER'
+  | project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, AssociatedItems
+  | extend AccountCustomEntity = ObjectItemName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraProjectVersionsReleased.yaml

@@ -0,0 +1,24 @@
+id: 103ccb8d-f910-4978-aba7-1ad598db822b
+name: Jira - Project versions released
+description: |
+  'Query searches for project versions released.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Impact
+relevantTechniques:
+  - T1565
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'Project version released'
+  | project EventCreationTime, UserName, ObjectItemName, AssociatedItems
+  | extend AccountCustomEntity = UserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraUpdatedProjectVersions.yaml

@@ -0,0 +1,24 @@
+id: e78cb74b-576b-4e35-a46c-8d328b2d4040
+name: Jira - Project versions
+description: |
+  'Query searches for project versions.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Impact
+relevantTechniques:
+  - T1565
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'Project version created'
+  | project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, ChangedValues, AssociatedItems
+  | extend AccountCustomEntity = UserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraUpdatedProjects.yaml

@@ -0,0 +1,24 @@
+id: eb409b8b-0267-4e95-b3a9-ee1a72c32409
+name: Jira - Updated projects
+description: |
+  'Query searches for updated projects.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Impact
+relevantTechniques:
+  - T1565
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'Project updated'
+  | project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, ChangedValues, AssociatedItems
+  | extend AccountCustomEntity = UserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraUpdatedUsers.yaml

@@ -0,0 +1,26 @@
+id: d208b406-1509-455c-8c7d-7ffe2f893f24
+name: Jira - Updated users
+description: |
+  'Query searches for updated users.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - PrivilegeEscalation
+  - Impact
+relevantTechniques:
+  - T1531
+  - T1078
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'User updated'
+  | project EventCreationTime, ObjectItemName, ChangedValues, AssociatedItems
+  | extend AccountCustomEntity = ObjectItemName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraUpdatedWorkflowSchemes.yaml

@@ -0,0 +1,24 @@
+id: 3e6ff26d-05dc-4921-9a60-444a0e28cd45
+name: Jira - Updated workflow schemes
+description: |
+  'Query searches for updated workflow schemes.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Impact
+relevantTechniques:
+  - T1565
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'Workflow scheme updated'
+  | project EventCreationTime, UserName, SrcIpAddr, ObjectItemName
+  | extend AccountCustomEntity = UserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraUpdatedWorkflows.yaml

@@ -0,0 +1,24 @@
+id: d4dd32bb-84a4-4fdc-9118-3039cbabb4f8
+name: Jira - Updated workflows
+description: |
+  'Query searches for updated workflows.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Impact
+relevantTechniques:
+  - T1565
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'Workflow updated'
+  | project EventCreationTime, UserName, SrcIpAddr, ObjectItemName, ChangedValues
+  | extend AccountCustomEntity = UserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraUserIPs.yaml

@@ -0,0 +1,25 @@
+id: 2265bbd2-7e97-4d69-bdfc-eeb646730d8f
+name: Jira - Users' IP addresses
+description: |
+  'Query searches for users' IP addresses.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1078
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where isnotempty(SrcIpAddr)
+  | where isnotempty(USerName)
+  | summarize ip_list = makeset(SrcIpAddr) by UserName
+  | extend AccountCustomEntity = UserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Hunting Queries/JiraWorkflowAddedToProject.yaml

@@ -0,0 +1,24 @@
+id: 2f875fa8-ced3-4059-b453-616dbc6eb276
+name: Jira - Workflow schemes added to projects
+description: |
+  'Query searches for workflow schemes added to projects.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: JiraAuditAPI
+    dataTypes:
+      - JiraAudit
+tactics:
+  - Impact
+relevantTechniques:
+  - T1565
+query: |
+  JiraAudit
+  | where TimeGenerated > ago(24h)
+  | where EventMessage =~ 'Workflow scheme added to project'
+  | project EventCreationTime, UserName, ObjectItemName, AssociatedItems
+  | extend AccountCustomEntity = UserName
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: Name
+        columnName: AccountCustomEntity

Solutions/AtlassianJiraAudit/Workbooks/AtlassianJiraAudit.json

@@ -0,0 +1,419 @@
+{
+  "version": "Notebook/1.0",
+  "items": [
+    {
+      "type": 1,
+      "content": {
+        "json": "**NOTE**: This data connector depends on a parser based on Kusto Function **JiraAudit** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-jiraauditapi-parser)"
+      },
+      "name": "text - 8"
+    },
+    {
+      "type": 9,
+      "content": {
+        "version": "KqlParameterItem/1.0",
+        "parameters": [
+          {
+            "id": "cd8447d9-b096-4673-92d8-2a1e8291a125",
+            "version": "KqlParameterItem/1.0",
+            "name": "TimeRange",
+            "type": 4,
+            "description": "Sets the time name for analysis",
+            "value": {
+              "durationMs": 2592000000
+            },
+            "typeSettings": {
+              "selectableValues": [
+                {
+                  "durationMs": 900000
+                },
+                {
+                  "durationMs": 3600000
+                },
+                {
+                  "durationMs": 86400000
+                },
+                {
+                  "durationMs": 604800000
+                },
+                {
+                  "durationMs": 2592000000
+                },
+                {
+                  "durationMs": 7776000000
+                }
+              ]
+            },
+            "timeContext": {
+              "durationMs": 86400000
+            }
+          }
+        ],
+        "style": "pills",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces"
+      },
+      "name": "parameters - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\r\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};",
+        "size": 0,
+        "title": "Events Over Time",
+        "timeContext": {
+          "durationMs": 7776000000
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "timechart",
+        "graphSettings": {
+          "type": 0
+        }
+      },
+      "customWidth": "55",
+      "name": "query - 12",
+      "styleSettings": {
+        "maxWidth": "55"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\r\n| where isnotempty(EventCategoryType) \r\n| summarize count() by EventCategoryType\r\n| join kind = inner (JiraAudit \r\n                    | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventCategoryType) on EventCategoryType\r\n| project-away EventCategoryType1, TimeGenerated\r\n| project count_, EventCategory = case(EventCategoryType =~ 'user management', 'User Management',\r\n                                EventCategoryType =~ 'projects', 'Projects Management',\r\n                                EventCategoryType =~ 'group management', 'Group Management',\r\n                                EventCategoryType =~ 'workflows', 'Workflow Management',\r\n                                EventCategoryType =~ 'permissions', 'Permissions Management',\r\n                                EventCategoryType =~ 'status', 'Task Status',\r\n                                'Other'), Trend\r\n",
+        "size": 3,
+        "title": "Event Categories",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "tiles",
+        "tileSettings": {
+          "titleContent": {
+            "columnMatch": "EventCategory",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "count_",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "style": "decimal",
+                "maximumFractionDigits": 2,
+                "maximumSignificantDigits": 3
+              }
+            }
+          },
+          "secondaryContent": {
+            "columnMatch": "Trend",
+            "formatter": 21,
+            "formatOptions": {
+              "palette": "blue"
+            }
+          },
+          "showBorder": false
+        }
+      },
+      "customWidth": "30",
+      "name": "query - 0",
+      "styleSettings": {
+        "maxWidth": "30"
+      }
+    },
+    {
+      "type": 12,
+      "content": {
+        "version": "NotebookGroup/1.0",
+        "groupType": "editable",
+        "items": [
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "JiraAudit\r\n| where EventCategoryType =~ 'projects'\r\n| where ObjectItemTypeName =~ 'PROJECT'\r\n| summarize dcount(ObjectItemName)",
+              "size": 3,
+              "title": "Projects",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "tileSettings": {
+                "showBorder": false
+              },
+              "graphSettings": {
+                "type": 0
+              },
+              "mapSettings": {
+                "locInfo": "LatLong",
+                "sizeSettings": "DstPortNumber",
+                "sizeAggregation": "Sum",
+                "legendMetric": "DstPortNumber",
+                "legendAggregation": "Sum",
+                "itemColorSettings": {
+                  "type": "heatmap",
+                  "colorAggregation": "Sum",
+                  "nodeColorField": "DstPortNumber",
+                  "heatmapPalette": "greenRed"
+                }
+              },
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "name": "query - 14"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "JiraAudit\r\n| where EventCategoryType =~ 'workflows'\r\n| where ObjectItemTypeName =~ 'WORKFLOW'\r\n| summarize dcount(ObjectItemName)\r\n",
+              "size": 3,
+              "title": "Workflows",
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "name": "query - 12"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "JiraAudit\n| where isnotempty(UserName)\n| summarize dcount(UserName)",
+              "size": 3,
+              "title": "Users",
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "name": "query - 2"
+          },
+          {
+            "type": 3,
+            "content": {
+              "version": "KqlItem/1.0",
+              "query": "JiraAudit\n| count",
+              "size": 3,
+              "title": "Operations",
+              "timeContext": {
+                "durationMs": 0
+              },
+              "timeContextFromParameter": "TimeRange",
+              "queryType": 0,
+              "resourceType": "microsoft.operationalinsights/workspaces",
+              "visualization": "card",
+              "textSettings": {
+                "style": "bignumber"
+              }
+            },
+            "name": "query - 3"
+          }
+        ]
+      },
+      "customWidth": "15",
+      "name": "group - 13"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\r\n| where isnotempty(EventMessage) \r\n| summarize count() by EventMessage\r\n",
+        "size": 3,
+        "title": "Event types",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "tileSettings": {
+          "showBorder": false,
+          "titleContent": {
+            "columnMatch": "EventMessage",
+            "formatter": 1
+          },
+          "leftContent": {
+            "columnMatch": "count_",
+            "formatter": 12,
+            "formatOptions": {
+              "palette": "auto"
+            },
+            "numberFormat": {
+              "unit": 17,
+              "options": {
+                "maximumSignificantDigits": 3,
+                "maximumFractionDigits": 2
+              }
+            }
+          }
+        }
+      },
+      "customWidth": "27",
+      "name": "query - 3",
+      "styleSettings": {
+        "margin": "10",
+        "padding": "10"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "  JiraAudit\r\n  | where isnotempty(SrcIpAddr) \r\n  | summarize count() by SrcIpAddr\r\n  | top 10 by SrcIpAddr",
+        "size": 3,
+        "title": "Top sources",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "27",
+      "name": "query - 9"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\r\n| where isnotempty(UserName) \r\n| summarize count() by UserName, EventMessage\r\n| project User=UserName, Operation=EventMessage, EventCount=count_\r\n",
+        "size": 0,
+        "title": "User activity",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table"
+      },
+      "customWidth": "46",
+      "name": "query - 15",
+      "styleSettings": {
+        "maxWidth": "30"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\r\n| where isnotempty(UserName)\r\n| where isnotempty(SrcIpAddr) \r\n| summarize IPAddresses = makeset(SrcIpAddr) by UserName\r\n",
+        "size": 0,
+        "title": "Document types",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table"
+      },
+      "customWidth": "35",
+      "name": "query - 10",
+      "styleSettings": {
+        "maxWidth": "30"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\r\n| where EventCategoryType =~ 'projects'\r\n| where ObjectItemTypeName =~ 'PROJECT'\r\n| summarize count() by ObjectItemName",
+        "size": 0,
+        "title": "Top projects",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "barchart"
+      },
+      "customWidth": "55",
+      "name": "query - 13",
+      "styleSettings": {
+        "maxWidth": "50"
+      }
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\r\n| where EventCategoryType =~ 'workflows'\r\n| where ObjectItemTypeName =~ 'WORKFLOW'\r\n| summarize count() by ObjectItemName\r\n",
+        "size": 3,
+        "title": "Workflows by activity",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart",
+        "gridSettings": {
+          "rowLimit": 100,
+          "filter": true
+        }
+      },
+      "customWidth": "30",
+      "name": "query - 12"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\n| where isnotempty(UserName) \n| summarize count() by UserName",
+        "size": 3,
+        "title": "Users' activity",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "piechart"
+      },
+      "customWidth": "30",
+      "name": "query - 11"
+    },
+    {
+      "type": 3,
+      "content": {
+        "version": "KqlItem/1.0",
+        "query": "JiraAudit\n| where isnotempty(UserName) \n| summarize count() by UserName\n| order by count_\n| project User=UserName, EventCount=count_",
+        "size": 0,
+        "title": "Events by user",
+        "timeContext": {
+          "durationMs": 0
+        },
+        "timeContextFromParameter": "TimeRange",
+        "queryType": 0,
+        "resourceType": "microsoft.operationalinsights/workspaces",
+        "visualization": "table"
+      },
+      "customWidth": "40",
+      "name": "query - 12"
+    }
+  ],
+  "fromTemplateId": "sentinel-AtlasianJiraAuditWorkbook",
+  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}

Solutions/BoschAIShield/Analytic Rules/ImageClassficationModelTheftVulnDetection.yaml

@@ -0,0 +1,29 @@
+id: 910b7d93-f1a0-4b76-9e32-593004c0fe85
+name: Bosch AIShield - Image classification model theft vulnerability detection
+description: |
+  'This alert creates an incident when Image classification model theft vulnerability detected from the Bosch AIShield.'
+severity: High
+requiredDataConnectors:
+  - connectorId: BoschAIShield
+    dataTypes:
+      - AIShield
+queryFrequency: 1h
+queryPeriod: 1h
+triggerOperator: gt
+triggerThreshold: 0
+tactics: []
+relevantTechniques: []
+query: |
+  AIShield
+  | where ServiceName has 'image_classification'
+  | where Severity =~ 'High'
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+alertDetailsOverride:
+  alertDisplayNameFormat: Bosch {{EventProduct}}  - Image classification model theft vulnerability detected.
+  alertDescriptionFormat: |
+    This query detects Image classification model theft vulnerability alert from Bosch {{EventProduct}} generated at {{TimeGenerated}}\n\nPlease check the source for more information and investigate further.
+  alertTacticsColumnName: null
+  alertSeverityColumnName: Severity
+version: 1.0.0
+kind: Scheduled

Solutions/BoschAIShield/Data Connectors/AIShieldConnector.json

@@ -0,0 +1,122 @@
+{
+    "id": "BoschAIShield",
+    "title": "Bosch AIShield",
+    "publisher": "Bosch",
+    "descriptionMarkdown": "The [Bosch AIShield](http://www.boschaishield.com/) connector allows users to connect with AIShield custom defense mechanism logs with Microsoft Sentinel, allowing the creation of dynamic Dashboards, Workbooks, Notebooks and tailored Alerts to improve investigation and thwart attacks on AI systems. It gives users more insight into their organization's AI assets security posturing and improves their AI systems security operation capabilities.",
+    "additionalRequirementBanner": "This data connector depends on a parser based on Kusto Function to work as expected [**AIShield**](https://aka.ms/sentinel-boschaishield-parser) which is deployed with the Azure Sentinel Solution.",
+    "graphQueries": [
+        {
+            "metricName": "Total data received",
+            "legend": "AIShield_CL",
+            "baseQuery": "AIShield_CL"  
+        }
+    ],
+    "sampleQueries": [
+        {
+            "description" : "Get all incidents order by time",
+            "query": "AIShield\n            | order by TimeGenerated desc "
+        },
+        {
+            "description" : "Get high risk incidents",
+            "query": "AIShield\n            |  where Severity =~ 'High'"
+        }
+    ],
+    "dataTypes": [
+        {
+            "name": "AIShield_CL",
+            "lastDataReceivedQuery": "AIShield_CL\n            | summarize Time = max(TimeGenerated)\n| where isnotempty(Time)"
+        }
+    ],
+    
+    "connectivityCriterias": [
+        {
+            "type": "IsConnectedQuery",
+            "value": [
+                "AIShield_CL\n            | summarize LastLogReceived = max(TimeGenerated)\n            | project IsConnected = LastLogReceived > ago(30d)"
+            ]
+        }
+    ],
+    "availability": {
+        "status": 1,
+        "isPreview": true
+        },
+    "permissions": {
+        "resourceProvider": [
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces",
+                "permissionsDisplayText": "read and write permissions are required.",
+                "providerDisplayName": "Workspace",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "write": true,
+                    "read": true,
+                    "delete": true
+                }
+            },
+            {
+                "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+                "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+                "providerDisplayName": "Keys",
+                "scope": "Workspace",
+                "requiredPermissions": {
+                    "action": true
+                }
+            }
+        ],
+        "customs": [
+            {
+                "name": "Note",
+                "description": "Users should have utilized Bosch AIShield SaaS offering to conduct vulnerability analysis and deployed custom defense mechanisms generated along with their AI asset. [**Click here**](https://azuremarketplace.microsoft.com/marketplace/apps/bosch.rbei_aishield) to know more or get in touch."
+            }
+        ]
+       },
+    "instructionSteps": [
+        { 
+            "title": "", 
+            "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**AIShield**](https://aka.ms/sentinel-boschaishield-parser) which is deployed with the Azure Sentinel Solution.",
+            "instructions": [ 
+            ]    
+        },   
+        {
+            "title": "",
+            "description": "\n>**IMPORTANT:** Before deploying the Bosch AIShield Connector, have the Workspace ID and Workspace Primary Key (can be copied from the following).", 
+            "instructions": [
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "WorkspaceId"
+                        ],
+                        "label": "Workspace ID"
+                    },
+                    "type": "CopyableLabel"
+                },
+                {
+                    "parameters": {
+                        "fillWith": [
+                            "PrimaryKey"
+                        ],
+                        "label": "Primary Key"
+                    },
+                    "type": "CopyableLabel"
+                }
+            ]
+        }
+    ],
+    "metadata" : {
+		"id": "cb950e71-d52e-4333-8637-96e3a5aaf70d",
+        "version": "1.0.0",
+        "kind": "dataConnector",
+        "source": {
+            "kind": "solution",
+            "name": "Bosch"
+        },
+        "author": {
+            "name": "Bosch"
+        },
+        "support": {
+            "name": "Bosch",
+            "link": "mailto:AIShield.Contact@bosch.com",
+            "tier": "developer"
+        }
+	}
+}

Solutions/BoschAIShield/Data Connectors/Logo/Bosch_Logo.svg

@@ -0,0 +1,15 @@
+<svg id="95a639b5-7c06-4edd-b6ab-5830fbefa47b"  xmlns="http://www.w3.org/2000/svg" width="200" height="97" viewBox="0 0 433 97">
+  <g>
+    <g id="be4b3fdf-4813-4917-8ae3-209fe19e9d81">
+      <path id="1ebe4c05-823f-4d16-8b9f-cb08ae70f182" d="M185.2,46.88a13.77,13.77,0,0,0,8.8-13c0-11.7-8.3-17.5-19.7-17.5H144.4V80h32.5c10,0,19.8-7,19.8-17.7C196.7,49.58,185.2,47,185.2,46.88ZM160,29.58h11.6a5.66,5.66,0,0,1,6,5.31q0,.34,0,.69a5.93,5.93,0,0,1-6,5.81H159.9Zm11.7,37.1H160.1V54.18h11.3c5.7,0,8.4,2.5,8.4,6.2C179.8,65,176.4,66.68,171.7,66.68Z" fill="#ed0007"/>
+      <path id="d6fca39c-1b0a-484c-b4a3-cc37a43b3df0" d="M231.1,14.78c-18.4,0-29.2,14.7-29.2,33.3s10.8,33.3,29.2,33.3,29.2-14.6,29.2-33.3S249.6,14.78,231.1,14.78Zm0,51.4c-9,0-13.5-8.1-13.5-18.1s4.5-18,13.5-18,13.6,8.1,13.6,18C244.7,58.18,240.1,66.18,231.1,66.18Z" fill="#ed0007"/>
+      <path id="5a51f65f-8a87-4ac2-87a1-59fb1d89a664" d="M294.2,41.38l-2.2-.5c-5.4-1.1-9.7-2.5-9.7-6.4,0-4.2,4.1-5.9,7.7-5.9a17.86,17.86,0,0,1,13,5.9l9.9-9.8c-4.5-5.1-11.8-10-23.2-10-13.4,0-23.6,7.5-23.6,20,0,11.4,8.2,17,18.2,19.1l2.2.5c8.3,1.7,11.4,3,11.4,7,0,3.8-3.4,6.3-8.6,6.3-6.2,0-11.8-2.7-16.1-8.2l-10.1,10c5.6,6.7,12.7,11.9,26.4,11.9,11.9,0,24.6-6.8,24.6-20.7C314.3,46.08,303.3,43.28,294.2,41.38Z" fill="#ed0007"/>
+      <path id="b2309c01-6254-4599-b734-06a2007dae15" d="M349.7,66.18c-7,0-14.3-5.8-14.3-18.5,0-11.3,6.8-17.6,13.9-17.6,5.6,0,8.9,2.6,11.5,7.1l12.8-8.5c-6.4-9.7-14-13.8-24.5-13.8-19.2,0-29.6,14.9-29.6,32.9,0,18.9,11.5,33.7,29.4,33.7,12.6,0,18.6-4.4,25.1-13.8L361.1,59C358.5,63.18,355.7,66.18,349.7,66.18Z" fill="#ed0007"/>
+      <polygon id="115300d7-5299-4248-9da0-5d72849a44a1" points="416.3 16.38 416.3 39.78 397 39.78 397 16.38 380.3 16.38 380.3 79.98 397 79.98 397 54.88 416.3 54.88 416.3 79.98 433 79.98 433 16.38 416.3 16.38" fill="#ed0007"/>
+    </g>
+    <g id="2d477aa6-fb01-461a-ae28-3c049cb8bb72">
+      <path d="M48.2.18a48.2,48.2,0,1,0,48.2,48.2A48.2,48.2,0,0,0,48.2.18Zm0,91.9a43.7,43.7,0,1,1,43.7-43.7,43.71,43.71,0,0,1-43.7,43.7Z"/>
+      <path d="M68.1,18.28H64.8v16.5H31.7V18.28H28.3a36.06,36.06,0,0,0,0,60.2h3.4V62H64.8v16.5h3.3a36.05,36.05,0,0,0,0-60.2ZM27.1,72A31.59,31.59,0,0,1,24.47,27.4a32.51,32.51,0,0,1,2.63-2.62Zm37.7-14.6H31.7V39.28H64.8Zm4.5,14.5v-10h0V34.78h0v-10a31.65,31.65,0,0,1,2.39,44.71A33.68,33.68,0,0,1,69.3,71.88Z"/>
+    </g>
+  </g>
+</svg>

Solutions/BoschAIShield/Parser/AIShield.txt

@@ -0,0 +1,27 @@
+// Title:           Bosch AIShield Parser
+// Author:          Bosch
+// Version:         1.0
+// Last Updated:    17/12/2021
+// Comment:         Inital Release
+//
+// DESCRIPTION:
+// This parser takes raw logs form Bosch AIShield and parses the data into a normalized schema.
+//
+// Usage Instruction :
+// Paste below query in log analytics, click on Save button and select as Function from drop down by specifying function name and alias as AIShield.
+// Function usually takes 10-15 minutes to activate. You can then use function alias from any other queries (e.g. AIShield | take 10).
+// Reference : Using functions in Azure monitor log queries : https://docs.microsoft.com/azure/azure-monitor/log-query/functions
+
+AIShield_CL
+| extend EventVendor = 'Bosch'
+| extend EventProduct = 'AIShield'
+| extend Severity = iff(probablity_d between (0.85..1.0),"High",iff(probablity_d between
+  (0.7..0.84), "Medium", iff(probablity_d < (0.7),"Low","Unknown")))
+| project-rename
+    AttackName = attack_name_s,
+    Message = RawMessage_s,
+    ServiceName = service_name_s,
+    AssetId = asset_id_s,
+    EventTimestamp = timestamp_t,
+    SourceName = source_name_s
+| project-away probablity_d

Solutions/known_issues.md

@@ -38,6 +38,7 @@ Few Microsoft Sentinel solutions are selectively enabled for CSP Program (Cloud
 6. Palo Alto Prisma
 7. Imperva WAF Cloud
 8. Cybersecurity Maturity Model Certification CMMC
+9. Sophos Endpoint Protection
 
 * If you try to install (Create) a Microsoft Sentinel solution in a CSP subscription for those solutions not yet enabled for CSP Program (not from the list above), you'll encounter the error message 'This offer is not available for subscriptions from Microsoft Azure Cloud Solution Providers'.