Skip to content

Commit

Permalink
Merge pull request #7 from FrodeHus/asim-audit
Browse files Browse the repository at this point in the history
Add vimBeyondTrustAudit resource to savedSearches
  • Loading branch information
FrodeHus authored Dec 18, 2024
2 parents bc9242b + a634ebb commit 6273d96
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions modules/asimparsers.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -15,3 +15,15 @@ resource vimBeyondTrustAuthentication 'Microsoft.OperationalInsights/workspaces
query: 'let BeyondTrustAuthParser=(\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n targetusername_has: string=\'*\',\r\n disabled: bool=False\r\n ) {\r\n BeyondTrustEvents_CL\r\n | where EventType in (\'login\', \'logout\')\r\n | parse AdditionalData.who with UserDisplayName \' (\' UserAccountName \') using \' AuthMethod\r\n | where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated <= endtime)\r\n and (targetusername_has==\'*\' or (UserAccountName has targetusername_has))\r\n | extend\r\n EventType = iif(EventType == \'login\', \'Logon\', \'Logoff\'),\r\n EventSchemaVersion = \'0.1.3\',\r\n EventSchema = \'Authentication\',\r\n EventProduct = \'Privileged Remote Access\',\r\n EventVendor = \'BeyondTrust\',\r\n EventCount = toint(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventResult = iif(AdditionalData.status == \'success\', \'Success\', \'Failure\'),\r\n Dvc = tostring(AdditionalData.site),\r\n SrcIpAddress = iff(AdditionalData.who_ip != \'\', AdditionalData.who_ip, \'\')\r\n | project-away AdditionalData, AuthMethod, CorrelationId, SiteId\r\n | project-rename TargetUsername = UserAccountName\r\n | project TimeGenerated, EventType, EventSchemaVersion, EventSchema, EventProduct, EventVendor, EventCount, EventStartTime, EventEndTime, EventResult, Dvc, TargetUsername, TargetDomain=Dvc,SrcIpAddress\r\n};\r\nBeyondTrustAuthParser(starttime=starttime, endtime=endtime, targetusername_has=targetusername_has, disabled=disabled)'
}
}

resource vimBeyondTrustAudit 'Microsoft.OperationalInsights/workspaces/savedSearches@2023-09-01' = {
parent: workspace
name: 'vimAuditBeyondTrust'
properties: {
category: 'Audit'
displayName: 'BeyondTrust - Audit'
functionAlias: 'vimAuditBeyondTrust'
functionParameters: 'starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic(null), eventtype_in:string = \'*\', operation_has_any:dynamic = dynamic(null), object_has_any:dynamic = dynamic(null), newvalue_has_any:dynamic = dynamic(null), disabled:bool = False, eventresult:string = \'*\''
query: 'let BeyondTrustAuditParser = (\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n srcipaddr_has_any_prefix: dynamic=dynamic(null),\r\n eventtype_in: string = \'*\',\r\n eventresult: string = \'*\',\r\n actorusername_has_any: dynamic = dynamic(null),\r\n operation_has_any: dynamic = dynamic(null),\r\n object_has_any: dynamic = dynamic(null),\r\n newvalue_has_any: dynamic = dynamic(null),\r\n disabled: bool=False\r\n) {\r\nBeyondTrustEvents_CL\r\n| where EventType == \'user_changed\'\r\n| parse AdditionalData.who with * \'(\' Object \')\'\r\n| where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated <= endtime)\r\n and (isnull(object_has_any) or (Object has_any (object_has_any))) \r\n| extend\r\n EventType = iif(EventType == \'user_changed\', \'Set\', \'Other\'),\r\n EventSchemaVersion = \'0.1\',\r\n EventSchema = \'AuditEvent\',\r\n EventProduct = \'Privileged Remote Access\',\r\n EventVendor = \'BeyondTrust\',\r\n EventCount = toint(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventResult = \'Success\',\r\n Dvc = tostring(AdditionalData.site),\r\n Operation = \'UserChanged\',\r\n TargetAppType = \'SaaS application\',\r\n TargetAppName = \'BeyondTrust PRA\',\r\n SrcIpAddress = iff(AdditionalData.who_ip != \'\', AdditionalData.who_ip, \'\'),\r\n ObjectType = \'Other\'\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n where key startswith \'old_\'\r\n | summarize OldValue=make_list(pack(\'Name\',tostring(split(tostring(key), \'_\')[1]), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n )\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n where key startswith \'new_\'\r\n | summarize NewValue=make_list(pack(\'Name\',tostring(split(tostring(key), \'_\')[1]), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n )\r\n| where (isnull(operation_has_any) or (Operation has_any (object_has_any)))\r\n and (isnull(newvalue_has_any) or (NewValue has_any (newvalue_has_any)))\r\n and (isnull(srcipaddr_has_any_prefix) or (SrcIpAddress has_any (srcipaddr_has_any_prefix)))\r\n and (eventresult == \'*\' or EventResult == eventresult)\r\n and (eventtype_in == \'*\' or EventType in (eventtype_in))\r\n| project-away AdditionalData, CorrelationId, SiteId, Hostname\r\n| project TimeGenerated, EventType, EventSchemaVersion, EventSchema, EventProduct, EventVendor, EventCount, EventStartTime, EventEndTime, EventResult, Dvc, Object, ObjectType, TargetAppName, TargetAppType, OldValue, NewValue,SrcIpAddress\r\n};\r\nBeyondTrustAuditParser(starttime=starttime, endtime=endtime,srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, newvalue_has_any=newvalue_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=disabled)'
}
}

0 comments on commit 6273d96

Please sign in to comment.