From e15ac1427594e334f5ac7baf2576e820753dce2a Mon Sep 17 00:00:00 2001 From: Frode Hus Date: Thu, 19 Dec 2024 10:20:53 +0100 Subject: [PATCH] Add imBeyondTrustAccessSessions resource to asimparsers.bicep Introduced a new resource `imBeyondTrustAccessSessions` of type `Microsoft.OperationalInsights/workspaces/savedSearches@2023-09-01` in the `asimparsers.bicep` file. This resource is categorized under 'Audit' with the display name 'BeyondTrust - Session Audit' and function alias 'imBeyondTrustAccessSessions'. The associated query processes data from `BeyondTrustAccessSession_CL`, filtering for non-empty `SessionId` values and extracting details such as `Username`, `ClientPublicIp`, `ClientPrivateIp`, and `ClientDevice` from the `UserDetails` array where `SessionOwner` is true. It also extends the data with a `UserCount` representing the length of the `UserDetails` array. --- modules/asimparsers.bicep | 11 +++++++++++ modules/workbooks.bicep | Bin 7866 -> 7866 bytes 2 files changed, 11 insertions(+) diff --git a/modules/asimparsers.bicep b/modules/asimparsers.bicep index f81935a..2c42a27 100644 --- a/modules/asimparsers.bicep +++ b/modules/asimparsers.bicep @@ -26,4 +26,15 @@ resource vimBeyondTrustAudit 'Microsoft.OperationalInsights/workspaces/savedSea functionParameters: 'starttime:datetime = datetime(null), endtime:datetime = datetime(null), srcipaddr_has_any_prefix:dynamic = dynamic(null), eventtype_in:string = \'*\', operation_has_any:dynamic = dynamic(null), object_has_any:dynamic = dynamic(null), newvalue_has_any:dynamic = dynamic(null), disabled:bool = False, eventresult:string = \'*\'' query: 'let BeyondTrustAuditParser = (\r\n starttime: datetime=datetime(null),\r\n endtime: datetime=datetime(null),\r\n srcipaddr_has_any_prefix: dynamic=dynamic(null),\r\n eventtype_in: string = \'*\',\r\n eventresult: string = \'*\',\r\n actorusername_has_any: dynamic = dynamic(null),\r\n operation_has_any: dynamic = dynamic(null),\r\n object_has_any: dynamic = dynamic(null),\r\n newvalue_has_any: dynamic = dynamic(null),\r\n disabled: bool=False\r\n) {\r\nBeyondTrustEvents_CL\r\n| where EventType in (\'user_changed\',\'api_account_changed\')\r\n| extend ActorUsername = iif(AdditionalData.who != \'\', AdditionalData.who, \'\')\r\n| extend Object = iif(AdditionalData.old_username != \'\', AdditionalData.old_username, iif(AdditionalData.old_client_id != \'\', AdditionalData.old_client_id, \'\'))\r\n| where (isnull(starttime) or TimeGenerated >= starttime)\r\n and (isnull(endtime) or TimeGenerated <= endtime)\r\n and (isnull(object_has_any) or (Object has_any (object_has_any))) \r\n| extend\r\n EventType = iif(EventType contains \'changed\', \'Set\', \'Other\'),\r\n EventSchemaVersion = \'0.1\',\r\n EventSchema = \'AuditEvent\',\r\n EventProduct = \'Privileged Remote Access\',\r\n EventVendor = \'BeyondTrust\',\r\n EventCount = toint(1),\r\n EventStartTime = TimeGenerated,\r\n EventEndTime = TimeGenerated,\r\n EventResult = \'Success\',\r\n Dvc = tostring(AdditionalData.site),\r\n Operation = \'UserChanged\',\r\n TargetAppType = \'SaaS application\',\r\n TargetAppName = \'BeyondTrust PRA\',\r\n SrcIpAddress = iff(AdditionalData.who_ip != \'\', AdditionalData.who_ip, \'\'),\r\n ObjectType = \'Other\'\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n where key startswith \'old_\'\r\n | summarize OldValue=make_list(pack(\'Name\',substring(key,4), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n )\r\n| mv-apply key=bag_keys(AdditionalData) on (\r\n where key startswith \'new_\'\r\n | summarize NewValue=make_list(pack(\'Name\',substring(key,4), \'Value\',tostring(AdditionalData[tostring(key)])), 100)\r\n )\r\n| where (isnull(operation_has_any) or (Operation has_any (object_has_any)))\r\n and (isnull(newvalue_has_any) or (NewValue has_any (newvalue_has_any)))\r\n and (isnull(srcipaddr_has_any_prefix) or (SrcIpAddress has_any (srcipaddr_has_any_prefix)))\r\n and (eventresult == \'*\' or EventResult == eventresult)\r\n and (eventtype_in == \'*\' or EventType in (eventtype_in))\r\n| project-away AdditionalData, CorrelationId, SiteId, Hostname\r\n| project TimeGenerated, EventType, EventSchemaVersion, EventSchema, EventProduct, EventVendor, EventCount, EventStartTime, EventEndTime, EventResult, Dvc, ActorUsername, Object, ObjectType, TargetAppName, TargetAppType, OldValue, NewValue,SrcIpAddress\r\n};\r\nBeyondTrustAuditParser(starttime=starttime, endtime=endtime,srcipaddr_has_any_prefix=srcipaddr_has_any_prefix, eventtype_in=eventtype_in, newvalue_has_any=newvalue_has_any, operation_has_any=operation_has_any, object_has_any=object_has_any, disabled=disabled)' } +} + +resource imBeyondTrustAccessSessions 'Microsoft.OperationalInsights/workspaces/savedSearches@2023-09-01' = { + parent: workspace + name: 'imBeyondTrustAccessSessions' + properties: { + category: 'Audit' + displayName: 'BeyondTrust - Session Audit' + functionAlias: 'imBeyondTrustAccessSessions' + query: 'BeyondTrustAccessSession_CL\r\n| where not(isempty(SessionId))\r\n| mv-apply detail=UserDetails on (\r\n\twhere detail.SessionOwner == true\r\n\t| extend Username=detail.Username\r\n\t| extend ClientPublicIp = detail.PublicIP\r\n\t| extend ClientPrivateIp = detail.PrivateIP\r\n\t| extend ClientDevice = detail.Hostname\r\n)\r\n| extend UserCount=array_length(UserDetails)' + } } \ No newline at end of file diff --git a/modules/workbooks.bicep b/modules/workbooks.bicep index c1d35b45e77d6bb8acd3a63444bd280f534bb382..90c2d84a182c70017486ec840c7a80b2205c5019 100644 GIT binary patch delta 26 icmdmGyUTXNBvIx}hTO>$MGYB?C+qXOZ{`zQ!vO$+hX|km delta 26 icmdmGyUTXNB+<#!L=9Nu8Jrn>ChPONZ{`zQ!vO$*9tcVR