
ASIMAuthUpdate#8511

Closed
sparkmark wants to merge 4 commits into Azure:master from sparkmark:ASIMAuthUpdate

Conversation

@sparkmark

Required items, please complete

Change(s):

  • Updated Parser To Include Event ID 4768

Reason for Change(s):

  • Update to parser

Version Updated:

  • n/a

Testing Completed:

  • Tested in our lab

Checked that the validations are passing and have addressed any issues that are present:

  • Completed

@sparkmark sparkmark requested review from a team as code owners July 12, 2023 13:24
@vakohl
Contributor

vakohl commented Jul 18, 2023

@sparkmark thank you for your contribution. Every ASim parser has two files: ASim and vim (filter parser). Please update this parser's vim file with the same changes. https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/vimAuthenticationMicrosoftWindowsEvent.yaml

Also, please run ASIM tester function and attach the results in this PR for both ASim and vim parser. https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#test-parsers

@v-atulyadav
Collaborator

Hi @sparkmark, please act on @vakohl's comments. Thanks

@sparkmark
Author

sparkmark commented Jul 20, 2023

Hey @vakohl @v-atulyadav ... so I'm running into some issues:

  1. The existing parser (i.e. one created by MS) has errors and warnings itself.
  2. If I run the existing ASimAuthenticationMicrosoftWindowsEvent parser I get an error "SecEventLogon"() argument add cscript summary hunting query #1 could not be parsed. However, in the tester it's OK. But if I run mine using the tester I get the same error?

So I'm a little bit stuck here.

@vakohl
Contributor

vakohl commented Jul 21, 2023

@sparkmark, for the error you are facing: when you are running the parser code, please update the disabled parameter to false. See below screenshot.
[screenshot]

Also, when running the vim parser, please update the last line as below:
[screenshot]
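For readers unfamiliar with the pattern under discussion, the following is an added KQL example (not code from this PR or from the Azure-Sentinel repository) showing how an ASIM-style authentication parser can normalize Windows Security Event 4768 (a Kerberos TGT was requested) and how the `disabled` parameter gates the query. The sample rows in the `datatable` are constructed, the Kerberos status labels are illustrative, and the exact column names and filter set of the real ASimAuthenticationMicrosoftWindowsEvent parser are not reproduced here.

```kql
// Added example (not from the PR or the Azure-Sentinel repo): a minimal, self-contained
// ASIM-style normalization of Windows Security Event 4768 (Kerberos TGT requested).
// Output field names follow the ASIM Authentication schema; sample rows are constructed.
let disabled = false;   // mirrors the parser's `disabled` parameter; true yields an empty result
let Sample = datatable(TimeGenerated:datetime, EventID:int, Computer:string, TargetUserName:string, TargetDomainName:string, IpAddress:string, Status:string)
[
  datetime(2023-07-20T10:00:00Z), 4768, "DC01.contoso.local", "alice", "CONTOSO", "::ffff:10.1.2.3", "0x0",
  datetime(2023-07-20T10:00:05Z), 4768, "DC01.contoso.local", "bob",   "CONTOSO", "::ffff:10.1.2.4", "0x18",
  datetime(2023-07-20T10:00:09Z), 4624, "WS01.contoso.local", "carol", "CONTOSO", "10.1.2.5",        "0x0"
];
// Illustrative mapping of Kerberos result codes (as Windows reports them in Status) to detail labels
let KerberosStatus = datatable(Status:string, EventResultDetails:string)
[
  "0x0",  "Success",
  "0x6",  "No such user",
  "0x12", "Logon restricted",
  "0x17", "Password expired",
  "0x18", "Incorrect password"
];
Sample
| where not(disabled)                 // the `disabled` gate vakohl refers to above
| where EventID == 4768               // keep only TGT requests; the 4624 row is dropped here
| lookup KerberosStatus on Status
| extend
    EventType          = "Logon",
    EventResult        = iff(Status == "0x0", "Success", "Failure"),
    EventResultDetails = coalesce(EventResultDetails, strcat("Kerberos status ", Status)),
    EventOriginalType  = tostring(EventID),
    EventVendor        = "Microsoft",
    EventProduct       = "Windows",
    LogonMethod        = "Kerberos",
    TargetUsername     = TargetUserName,
    TargetUsernameType = "Simple",
    TargetDomain       = TargetDomainName,
    SrcIpAddr          = replace_string(IpAddress, "::ffff:", ""),   // strip the IPv4-mapped prefix
    DvcHostname        = Computer
| project-away EventID, TargetUserName, TargetDomainName, IpAddress, Status, Computer
```

Run as-is in Log Analytics or the ASIM tester, the query returns two normalized rows (alice as Success, bob as Failure with "Incorrect password"); flipping `disabled` to `true` returns nothing, which is the behaviour the tester relies on when it invokes a parser with `disabled=true` to measure its overhead.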

@sparkmark
Author

Thanks ... ran the tests .... these are the errors I get:

@sparkmark sparkmark closed this Jul 25, 2023
@sparkmark
Author

Hey guys ... going to close this PR ... have opened 8580 with both files required.


4 participants