Update BeyondTrustAuditParser query in savedSearches

The query for the BeyondTrustAuditParser function in the Microsoft.OperationalInsights/workspaces/savedSearches resource has been updated. The parse statement for AdditionalData.who has been removed. Two new extend statements have been added to extract ActorUsername and Object from AdditionalData.who and AdditionalData.old_username, respectively. The project statement at the end of the query has been updated to include ActorUsername in the list of projected fields.
FrodeHus · Dec 18, 2024 · 3b270c6 · 3b270c6
1 parent bb2bde9
commit 3b270c6
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/modules/asimparsers.bicep b/modules/asimparsers.bicep
@@ -24,6 +24,6 @@ resource vimBeyondTrustAudit  'Microsoft.OperationalInsights/workspaces/savedSea
         displayName: 'BeyondTrust - Audit'
         functionAlias: 'vimAuditBeyondTrust'
         functionParameters: 'starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic(null), eventtype_in:string = \'*\', operation_has_any:dynamic = dynamic(null), object_has_any:dynamic = dynamic(null), newvalue_has_any:dynamic = dynamic(null), disabled:bool = False, eventresult:string = \'*\''
-        query: 'let BeyondTrustAuditParser = (\r\n    starttime: datetime=datetime(null),\r\n    endtime: datetime=datetime(null),\r\n    srcipaddr_has_any_prefix: dynamic=dynamic(null),\r\n    eventtype_in: string = \'*\',\r\n    eventresult: string = \'*\',\r\n    actorusername_has_any: dynamic = dynamic(null),\r\n    operation_has_any: dynamic = dynamic(null),\r\n    object_has_any: dynamic = dynamic(null),\r\n    newvalue_has_any: dynamic = dynamic(null),\r\n    disabled: bool=False\r\n) {\r\nBeyondTrustEvents_CL\r\n| where EventType == \'user_changed\'\r\n| parse AdditionalData.who with * \'(\' Object \')\'\r\n| where (isnull(starttime) or TimeGenerated >= starttime)\r\n        and (isnull(endtime) or TimeGenerated <= endtime)\r\n        and (isnull(object_has_any) or (Object has_any (object_has_any)))        \r\n| extend\r\n        EventType = iif(EventType == \'user_changed\', \'Set\', \'Other\'),\r\n        EventSchemaVersion = \'0.1\',\r\n        EventSchema = \'AuditEvent\',\r\n        EventProduct = \'Privileged Remote Access\',\r\n        EventVendor = \'BeyondTrust\',\r\n        EventCount = toint(1),\r\n        EventStartTime = TimeGenerated,\r\n        EventEndTime = TimeGenerated,\r\n        EventResult = \'Success\',\r\n        Dvc = tostring(AdditionalData.site),\r\n        Operation = \'UserChanged\',\r\n        TargetAppType = \'SaaS application\',\r\n        TargetAppName = \'BeyondTrust PRA\',\r\n        SrcIpAddress = iff(AdditionalData.who_ip != \'\', AdditionalData.who_ip, \'\'),\r\n        ObjectType = \'Other\'\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n    where key startswith \'old_\'\r\n    | summarize OldValue=make_list(pack(\'Name\',substring(key,4), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n    )\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n    where key startswith \'new_\'\r\n    | summarize NewValue=make_list(pack(\'Name\',substring(key,4), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n    )\r\n| where (isnull(operation_has_any) or (Operation has_any (object_has_any)))\r\n    and (isnull(newvalue_has_any) or (NewValue  has_any (newvalue_has_any)))\r\n    and (isnull(srcipaddr_has_any_prefix) or (SrcIpAddress  has_any (srcipaddr_has_any_prefix)))\r\n    and (eventresult == \'*\' or EventResult == eventresult)\r\n    and (eventtype_in == \'*\' or EventType in (eventtype_in))\r\n| project-away AdditionalData, CorrelationId, SiteId, Hostname\r\n| project TimeGenerated, EventType, EventSchemaVersion, EventSchema, EventProduct, EventVendor, EventCount, EventStartTime, EventEndTime, EventResult, Dvc, Object, ObjectType, TargetAppName, TargetAppType, OldValue, NewValue,SrcIpAddress\r\n};\r\nBeyondTrustAuditParser(starttime=starttime, endtime=endtime,srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, newvalue_has_any=newvalue_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=disabled)'
+        query: 'let BeyondTrustAuditParser = (\r\n    starttime: datetime=datetime(null),\r\n    endtime: datetime=datetime(null),\r\n    srcipaddr_has_any_prefix: dynamic=dynamic(null),\r\n    eventtype_in: string = \'*\',\r\n    eventresult: string = \'*\',\r\n    actorusername_has_any: dynamic = dynamic(null),\r\n    operation_has_any: dynamic = dynamic(null),\r\n    object_has_any: dynamic = dynamic(null),\r\n    newvalue_has_any: dynamic = dynamic(null),\r\n    disabled: bool=False\r\n) {\r\nBeyondTrustEvents_CL\r\n| where EventType == \'user_changed\'\r\n| extend ActorUsername = iif(AdditionalData.who != \'\', AdditionalData.who, \'\')\r\n| extend Object = iif(AdditionalData.old_username != \'\', AdditionalData.old_username, \'\')\r\n| where (isnull(starttime) or TimeGenerated >= starttime)\r\n        and (isnull(endtime) or TimeGenerated <= endtime)\r\n        and (isnull(object_has_any) or (Object has_any (object_has_any)))        \r\n| extend\r\n        EventType = iif(EventType == \'user_changed\', \'Set\', \'Other\'),\r\n        EventSchemaVersion = \'0.1\',\r\n        EventSchema = \'AuditEvent\',\r\n        EventProduct = \'Privileged Remote Access\',\r\n        EventVendor = \'BeyondTrust\',\r\n        EventCount = toint(1),\r\n        EventStartTime = TimeGenerated,\r\n        EventEndTime = TimeGenerated,\r\n        EventResult = \'Success\',\r\n        Dvc = tostring(AdditionalData.site),\r\n        Operation = \'UserChanged\',\r\n        TargetAppType = \'SaaS application\',\r\n        TargetAppName = \'BeyondTrust PRA\',\r\n        SrcIpAddress = iff(AdditionalData.who_ip != \'\', AdditionalData.who_ip, \'\'),\r\n   ObjectType = \'Other\'\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n    where key startswith \'old_\'\r\n    | summarize OldValue=make_list(pack(\'Name\',substring(key,4), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n    )\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n    where key startswith \'new_\'\r\n    | summarize NewValue=make_list(pack(\'Name\',substring(key,4), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n    )\r\n| where (isnull(operation_has_any) or (Operation has_any (object_has_any)))\r\n    and (isnull(newvalue_has_any) or (NewValue  has_any (newvalue_has_any)))\r\n    and (isnull(srcipaddr_has_any_prefix) or (SrcIpAddress  has_any (srcipaddr_has_any_prefix)))\r\n    and (eventresult == \'*\' or EventResult == eventresult)\r\n    and (eventtype_in == \'*\' or EventType in (eventtype_in))\r\n| project-away AdditionalData, CorrelationId, SiteId, Hostname\r\n| project TimeGenerated, EventType, EventSchemaVersion, EventSchema, EventProduct, EventVendor, EventCount, EventStartTime, EventEndTime, EventResult, Dvc, ActorUsername, Object, ObjectType, TargetAppName, TargetAppType, OldValue, NewValue,SrcIpAddress\r\n};\r\nBeyondTrustAuditParser(starttime=starttime, endtime=endtime,srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, newvalue_has_any=newvalue_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=disabled)'
     }
 }