ASIM parsers source table, destination schemas and filters mapping
This page provides a mapping of ASIM parsers to:
- Destination schema: the output ASIM schema the parser maps events to. This is also evident from the parser name, but is provided separately for convenience.
- Source table or tables: the source table, or tables, from which the parser maps events.
- Filter: the selection criteria applied to the source table or tables. Source tables may include events relevant to many ASIM schemas, and the filter selects only the events that should be handled by the specific parser.
Note that this table is not maintained on an ongoing basis and there might be parsers that are not listed here.
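As an added illustration (not code from the ASIM repository itself), the following KQL shows how the three columns of the table combine inside a parser, using the row for ASimAuthenticationMicrosoftWindowsEvent: the source table is WindowsEvent, the filter keeps only the logon/logoff Event IDs from the Security-Auditing provider, and the result is projected toward the Authentication schema. The field mapping at the end is a deliberately abbreviated assumption (the real parser maps many more fields and handles SecurityEvent as well); the `EventData.TargetUserName` path is likewise assumed.

```kusto
// Added example, not the project's own parser. Shows source table + filter
// -> destination schema for one row of the mapping table.
let AuthFromWindowsEvent = (starttime:datetime=datetime(null), endtime:datetime=datetime(null)) {
  WindowsEvent
  // Optional time filter so the parser can be invoked as a parameterized function
  | where (isnull(starttime) or TimeGenerated >= starttime)
      and (isnull(endtime) or TimeGenerated <= endtime)
  // The filter column: WindowsEvent carries many event types; keep only
  // the logon/logoff events this Authentication parser is responsible for
  | where Provider == 'Microsoft-Windows-Security-Auditing'
      and EventID in (4624, 4625, 4634, 4647)
  // Abbreviated mapping toward the Authentication schema (assumption:
  // only a handful of fields are shown here)
  | extend
      EventType = case(EventID in (4624, 4625), 'Logon', 'Logoff'),
      EventResult = iff(EventID == 4625, 'Failure', 'Success'),
      EventOriginalType = tostring(EventID),
      TargetUsername = tostring(EventData.TargetUserName),
      EventSchema = 'Authentication'
  | project TimeGenerated, Computer, EventType, EventResult, EventOriginalType, TargetUsername, EventSchema
};
AuthFromWindowsEvent(ago(1d), now())
```

The same pattern applies to every row below: the Source tables column names the table(s) the query reads, the Filter column is the `where` clause that narrows them to the events the parser owns, and the Destination Schema column is the ASIM schema the projected fields must conform to.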
Parser | Destination Schema | Source tables | Filter | Notes |
---|---|---|---|---|
ASimAuditEventAzureActivity | AuditEvent | AzureActivity | CategoryValue == 'Administrative' | |
ASimAuditEventMicrosoftExchangeAdmin365 | AuditEvent | OfficeActivity | RecordType in ('ExchangeAdmin') | |
ASimAuditEventMicrosoftWindowsEvents | AuditEvent | WindowsEvent, SecurityEvent, Event | EventID == 1102 | Expected to include more Event IDs |
ASimAuthenticationAADManagedIdentitySignInLogs | Authentication | AADManagedIdentitySignInLogs | - | |
ASimAuthenticationAADNonInteractiveUserSignInLogs | Authentication | AADNonInteractiveUserSignInLogs | - | |
ASimAuthenticationAADServicePrincipalSignInLogs | Authentication | AADServicePrincipalSignInLogs | - | |
ASimAuthenticationSigninLogs | Authentication | SigninLogs | - | |
ASimAuthenticationAWSCloudTrail | Authentication | AWSCloudTrail | EventName == 'ConsoleLogin' | |
ASimAuthenticationM365Defender | Authentication | DeviceLogonEvents | - | |
ASimAuthenticationMD4IoT | Authentication | SecurityIoTRawEvent | RawEventName == 'Login' | Deprecated |
ASimAuthenticationMicrosoftWindowsEvent | Authentication | WindowsEvent, SecurityEvent | EventID in (4624,4625,4634,4647) | (Also, for WindowsEvent Provider == 'Microsoft-Windows-Security-Auditing') |
ASimAuthenticationOktaSSO | Authentication | Okta_CL | eventType_s in ('user.session.start', 'user.session.end') | |
ASimAuthenticationPostgreSQL | Authentication | PostgreSQL_CL | RawData has 'connection authorized' or RawData has 'authentication failed' or RawData has_all ('role', 'does', 'not', 'exist') or RawData has_all ('no', 'entry', 'user') or RawData has 'disconnection' | |
ASimAuthenticationSshd | Authentication | Syslog | ProcessName == 'sshd' and (SyslogMessage startswith 'Accepted' or SyslogMessage startswith 'Failed' or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed') or SyslogMessage startswith 'Timeout' or SyslogMessage startswith 'Invalid user') | TBC |
ASimAuthenticationSu | Authentication | Syslog | ProcessName == 'su' and (SyslogMessage startswith 'Successful su for' or SyslogMessage has_all ('pam_unix(su', 'session): session closed for user')) | |
ASimAuthenticationSudo | Authentication | Syslog | Parser is incomplete | |
ASimDnsAzureFirewall | Dns | AzureDiagnostics | Category in ('AzureFirewallDnsProxy','AzureFirewallDnsProxy') | |
ASimDnsCiscoUmbrella | Dns | Cisco_Umbrella_dns_CL | - | |
ASimDnsCorelightZeek | Dns | Corelight_CL | Message has '_path':'dns ' or Message has '_path':'dns_red ' | |
ASimDnsGcp | Dns | GCP_DNS_CL | resource_type_s == 'dns_query' | |
ASimDnsInfobloxNIOS | Dns | Syslog | ProcessName == 'named' and (SyslogMessage has_all ('client', 'query:', 'response:') or SyslogMessage has_all ('client', 'query:') and SyslogMessage !has 'response:') | |
ASimDnsMicrosoftNXlog | Dns | NXLog_DNS_Server_CL | EventID_d < 281 | |
ASimDnsMicrosoftOMS | Dns | DnsEvents | EventId < 500 | |
ASimDnsMicrosoftSysmon | Dns | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID == 22 | Source is used for Event, Provider for WindowsEvent |
ASimDnsNative | Dns | ASimDnsActivityLogs | - | |
ASimDnsVectraAI | Dns | VectraStream_CL | metadata_type_s == 'metadata_dns' | Share the sample file with other VectraAI parsers |
ASimDnsZscalerZIA | Dns | CommonSecurityLog | DeviceProduct == 'NSSDNSlog' | |
ASimNetworkSessionAWSVPC | NetworkSession | AWSVPCFlow | LogStatus == 'OK' | |
ASimNetworkSessionAppGateSDP | NetworkSession | Syslog | ProcessName in ('cz-sessiond', 'cz-vpnd') and (SyslogMessage has_all ('[AUDIT]','ip_access', 'rule_name ') and SyslogMessage has_any ( 'protocol':'UDP ', 'protocol':'TCP ') or (SyslogMessage has_all ('[AUDIT]','ip_access', 'drop-reason ') and SyslogMessage has_any ( 'protocol':'UDP ', 'protocol':'TCP ') or SyslogMessage has_all ('[AUDIT]','ip_access', 'protocol':'ICMP '))) | |
ASimNetworkSessionAzureFirewall | NetworkSession | AzureDiagnostics | Category == 'AzureFirewallNetworkRule' or OperationName in ('AzureFirewallNetworkRuleLog','AzureFirewallThreatIntelLog') | |
ASimNetworkSessionAzureNSG | NetworkSession | AzureNetworkAnalytics_CL | isnotempty(FlowType_s) | |
ASimNetworkSessionCheckPointFirewall | NetworkSession | CommonSecurityLog | DeviceVendor == 'Check Point' and DeviceProduct == 'VPN-1 & FireWall-1' | |
ASimNetworkSessionCiscoASA | NetworkSession | CommonSecurityLog | DeviceVendor == 'Cisco' and DeviceProduct == 'ASA' and DeviceEventClassID in ('106001','106006','106015','106016', '106021','106022','106010','106014', '106018','106023','302013','302015', '302014','302016','302020','302021', '710002','710003','710004','710005', '106007','106017','106100','106002', '106012','106013','106020') | |
ASimNetworkSessionCiscoMeraki | NetworkSession | CiscoMerakiNativePoller_CL | EventOriginalType == 'IDS Alert' | |
ASimNetworkSessionCorelightZeek | NetworkSession | Corelight_CL | Message has '_path':'conn ' or Message has 'conn_red ' | |
ASimNetworkSessionForcePointFirewall | NetworkSession | CommonSecurityLog | DeviceVendor == 'FORCEPOINT' and DeviceProduct == 'Firewall' and DeviceFacility in ('Inspection','Packet Filtering','File Filtering') and isnotempty(DeviceEventClassID) and DeviceEventClassID != '0' | |
ASimNetworkSessionFortinetFortiGate | NetworkSession | CommonSecurityLog | DeviceVendor == 'Fortinet' and DeviceProduct startswith 'FortiGate' and DeviceEventCategory has 'traffic' and DeviceAction != 'dns' and Activity !has 'dns' | |
ASimNetworkSessionMD4IoTAgent | NetworkSession | SecurityIoTRawEvent | RawEventName == 'NetworkActivity' | Deprecated |
ASimNetworkSessionMD4IoTSensor | NetworkSession | DefenderIoTRawEvent | RawEventName == 'NetworkConnectionData' | |
ASimNetworkSessionMicrosoft365Defender | NetworkSession | DeviceNetworkEvents | - | |
ASimNetworkSessionLinuxSysmon | NetworkSession | Syslog | SyslogMessage has_all ('<Provider Name='Linux-Sysmon ', '3') | |
ASimNetworkSessionMicrosoftSysmon | NetworkSession | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID == 3 | Source is used for Event, Provider for WindowsEvent |
ASimNetworkSessionMicrosoftWindowsEventFirewall | NetworkSession | SecurityEvent, WindowsEvent | EventID in (5151 .. 5159) | |
ASimNetworkSessionNative | NetworkSession | ASimNetworkSessionLogs | - | |
ASimNetworkSessionPaloAltoCEF | NetworkSession | CommonSecurityLog | DeviceVendor == 'Palo Alto Networks' and DeviceProduct == 'PAN-OS' and Activity == 'TRAFFIC' | |
ASimNetworkSessionVMConnection | NetworkSession | VMConnection | - | |
ASimNetworkSessionVectraAI | NetworkSession | VectraStream_CL | metadata_type_s == 'metadata_isession' | Share the sample file with other VectraAI parsers |
ASimNetworkSessionWatchGuardFirewareOS | NetworkSession | Syslog | SyslogMessage has_any('msg_id='3000-0148 ' , 'msg_id='3000-0149 ' , 'msg_id='3000-0150 ' , 'msg_id='3000-0151 ' , 'msg_id='3000-0173 ' ) and SyslogMessage !has 'msg='DNS Forwarding' ' | |
ASimNetworkSessionZscalerZIA | NetworkSession | CommonSecurityLog | DeviceVendor == 'Zscaler' and DeviceProduct == 'NSSFWlog' | |
ASimProcessCreateLinuxSysmon | ProcessEvent | Syslog | SyslogMessage has_all ('<Provider Name='Linux-Sysmon ', '1') | |
ASimProcessCreateMicrosoftSecurityEvents | ProcessEvent | SecurityEvent | EventID == 4688 | |
ASimProcessCreateMicrosoftSysmon | ProcessEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID == 1 | Source is used for Event, Provider for WindowsEvent |
ASimProcessCreateMicrosoftWindowsEvents | ProcessEvent | WindowsEvent | EventID == 4688 | |
ASimProcessEventMD4IoT | ProcessEvent | SecurityIoTRawEvent | RawEventName == 'Process' | Deprecated |
ASimProcessEventMicrosoft365D | ProcessEvent | DeviceProcessEvents | - | |
ASimProcessTerminateLinuxSysmon | ProcessEvent | Syslog | SyslogMessage has_all ('<Provider Name='Linux-Sysmon ', '5') | |
ASimProcessTerminateMicrosoftSecurityEvents | ProcessEvent | SecurityEvent | EventID == 4689 | |
ASimProcessTerminateMicrosoftSysmon | ProcessEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID == 5 | Source is used for Event, Provider for WindowsEvent |
ASimProcessTerminateMicrosoftWindowsEvents | ProcessEvent | WindowsEvent | EventID == 4689 | |
ASimWebSessionIIS | WebSession | W3CIISLog | - | |
ASimWebSessionNative | WebSession | ASimWebSessionLogs | - | |
ASimWebSessionPaloAltoCEF | WebSession | CommonSecurityLog | DeviceVendor == 'Palo Alto Networks' and DeviceProduct == 'PAN-OS' and Activity == 'THREAT' and DeviceEventClassID == 'url' | |
ASimWebSessionSquidProxy | WebSession | SquidProxy_CL | - | |
ASimWebSessionVectraAI | WebSession | VectraStream_CL | metadata_type_s == 'metadata_httpsessioninfo' | Share the sample file with other VectraAI parsers |
ASimWebSessionZscalerZIA | WebSession | CommonSecurityLog | DeviceVendor == 'Zscaler' and DeviceProduct == 'NSSWeblog' | |
vimFileEventAzureBlobStorage | FileEvent | StorageBlobLogs | OperationName in (...bloboperations...) | |
vimFileEventAzureFileStorage | FileEvent | StorageFileLogs | OperationName in (...fileoperations...) | |
vimFileEventAzureQueueStorage | FileEvent | StorageQueueLogs | OperationName in (...queueoperations...) | |
vimFileEventAzureTableStorage | FileEvent | StorageTableLogs | OperationName in (...tableoperations...) | |
vimFileEventLinuxSysmonFileCreated | FileEvent | Syslog | SyslogMessage has_all ('<Provider Name='Linux-Sysmon ', '11') | |
vimFileEventLinuxSysmonFileDeleted | FileEvent | Syslog | SyslogMessage has ('<Provider Name='Linux-Sysmon ') and SyslogMessage has_any('23','26') | |
vimFileEventM365D | FileEvent | DeviceFileEvents | - | |
vimFileEventMicrosoftSharePoint | FileEvent | OfficeActivity | RecordType == 'SharePointFileOperation' and Operation != 'FileMalwareDetected' | |
vimFileEventMicrosoftSysmon | FileEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID in (11,23,26) | Source is used for Event, Provider for WindowsEvent |
vimFileEventMicrosoftWindowsEvents | FileEvent | SecurityEvent, WindowsEvent | EventID == 4663 | |
vimRegistryEventMicrosoft365D | RegistryEvent | DeviceRegistryEvents | - | |
vimRegistryEventMicrosoftSecurityEvents | RegistryEvent | SecurityEvent | EventID == 4657 | |
vimRegistryEventMicrosoftSysmon | RegistryEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID in (12, 13, 14) | Source is used for Event, Provider for WindowsEvent |
vimRegistryEventMicrosoftWindowsEvent | RegistryEvent | SecurityEvent, WindowsEvent | EventID == 4663 or EventID == 4657 | |