Azure-Sentinel/Parsers/ASimFileEvent/ProductParsers/FileEventMicrosoftBlobStorage.yaml

Parser:
  Title: Microsoft Blob Storage - File Event Parser
  Version: '0.1'
  LastUpdated: July 15, 2021
Product:
  Name: Microsoft Azure Blob Storage
Normalization:
  Schema: FileEvent
  Version: '0.1.0'
References:
- Title: ASIM File Schema
  Link: https://aka.ms/AzSentinelFileEventDoc
- Title: ASIM
  Link: https://aka.ms/AzSentinelNormalization
- Title: Storage Analytics log format
  Link: https://docs.microsoft.comrest/api/storageservices/storage-analytics-log-format
Description: |
  This is a Query Parser that is used to map Azure Storage Analytics (StorageBlobLogs) to the Advanced SIEM Information Model FileEvent schema.  
ParserName: vimFileEventAzureBlobStorage
ParserQuery: |
  // https://docs.microsoft.comrest/api/storageservices/storage-analytics-logged-operations-and-status-messages
  let bloboperations=datatable(OperationName:string, EventType:string)[
      "PutBlock", "FileCreated",
      "PutBlob", "FileCreated",
      "PutPage", "FileCreated",
      "CreateContainer", "FolderCreated",
      "CopyBlob", "FileCopied",
      "QueryBlobContents", "FileAccessed",
      "GetBlob", "FileAccessed",
      "AppendBlock", "FileModified",
      "ClearPage",  "FileModified",
      "PutBlockFromURL", "FileModified",
      "DeleteBlob",  "FileDeleted",
      "DeleteContainer",  "FolderDeleted"
      ];
      StorageBlobLogs
      // **** relevant data filtering;
      | where OperationName in (bloboperations)
      //
      | lookup bloboperations on OperationName
      | project-rename 
          EventOriginalUid = CorrelationId
          , EventOriginalType=OperationName
          , HttpUserAgent=UserAgentHeader
          , TargetUrl=Uri
      | extend 
            EventCount=int(1)
          , EventStartTime=TimeGenerated
          , EventEndTime=TimeGenerated
      //	, EventType :string  ---> see lookup below
          , EventResult=iff(StatusText == 'Success', 'Success', 'Failure') 
          , EventProduct='Azure File Storage' 
          , EventVendor='Microsoft'
          , EventSchemaVersion='0.1.0'
        , TargetFilePath=tostring(split(TargetUrl,'?')[0]) 
        , TargetFilePathType='URL'
          ,  SrcIpAddr=tostring(split(CallerIpAddress,':')[0])
          ,  SrcPortNumber=tostring(split(CallerIpAddress,':')[1])
      | extend TargetFileName=tostring(split(TargetFilePath,'/')['-1'])
      // Aliases
      | extend 
         FilePath=TargetFilePath