[ASIM Parsers] Generate deployable ARM templates from KQL function YA…

…ML files.
Azure · Feb 10, 2025 · e84f0a7 · e84f0a7
1 parent 701ccf9
commit e84f0a7
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/...imAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/...imAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
@@ -27,7 +27,7 @@
         "displayName": "Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs",
         "category": "ASIM",
         "FunctionAlias": "ASimAuthenticationSigninLogs",
-        "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n  '0', 'Success',\n  '50005', 'Logon violates policy',\n  '50011', 'Logon violates policy', \n  '50020', 'Logon violates policy',\n  '50034', 'No such user or password',\n  '50053', 'User locked',\n  '50055', 'Password expired',\n  '50056', 'Incorrect password',\n  '50057', 'User disabled',\n  '50058', 'Logon violates policy',\n  '50059', 'No such user or password',\n  '50064', 'No such user or password',\n  '50072', 'Logon violates policy',\n  '50074', 'Logon violates policy', \n  '50076', 'Logon violates policy',\n  '50079', 'Logon violates policy',\n  '50105', 'Logon violates policy',\n  '50126', 'No such user or password',\n  '50132', 'Password expired',\n  '50133', 'Password expired',\n  '50144', 'Password expired',\n  '50173', 'Password expired',\n  '51004', 'No such user or password',\n  '53003', 'Logon violates policy',\n  '70008', 'Password expired',\n  '80012', 'Logon violates policy',\n  '500011', 'No such user or password',\n  '700016',  'No such user or password', \n  ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n  'Guest','Guest', \n  'Member', 'Regular',\n  '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n    EventCount                 = int(1),\n    EventEndTime               = TimeGenerated,\n    EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n    EventProduct               = 'Entra ID',\n    EventResult                = iff (ResultType ==0, 'Success', 'Failure'),\n    EventSchemaVersion         = '0.1.0',\n    EventStartTime             = TimeGenerated,\n    EventSubType               = 'Interactive',\n    EventType                  = 'Logon',\n    EventVendor                = 'Microsoft',\n    Location                   = todynamic(LocationDetails),\n    SrcHostname             = tostring(DeviceDetail.displayName),\n    SrcDvcId                   = tostring(DeviceDetail.deviceId),\n    SrcIpAddr                  = IPAddress,\n    SrcDvcOs                   = tostring(DeviceDetail.operatingSystem),\n    TargetUserIdType           = 'EntraID',\n    TargetUsernameType         = 'UPN'\n| extend\n    SrcGeoCity        = tostring(Location.city),\n    SrcGeoCountry     = tostring(Location.countryOrRegion),\n    SrcGeoLatitude    = toreal(Location.geoCoordinates.latitude),\n    SrcGeoLongitude   = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n     EventOriginalUid = Id,\n     EventUid         = _ItemId,\n     HttpUserAgent    = UserAgent,\n     LogonMethod      = AuthenticationRequirement,\n     TargetAppId      = ResourceIdentity,\n     TargetAppName    = ResourceDisplayName,\n     TargetSessionId  = CorrelationId,\n     TargetUserId     = UserId,\n     TargetUsername   = UserPrincipalName\n  //\n  | lookup UserTypeLookup on UserType\n  | project-away UserType\n  // ** Aliases\n  | extend \n      Dvc             = EventVendor,\n      LogonTarget     = TargetAppName,\n      User            = TargetUsername,\n    // -- Entity identifier explicit aliases\n      TargetUserAadId = TargetUserId,\n      TargetUserUpn   = TargetUsername\n  };\n  parser  \n  (\n      disabled = disabled\n  )",
+        "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n  '0', 'Success',\n  '50005', 'Logon violates policy',\n  '50011', 'Logon violates policy', \n  '50020', 'Logon violates policy',\n  '50034', 'No such user or password',\n  '50053', 'User locked',\n  '50055', 'Password expired',\n  '50056', 'Incorrect password',\n  '50057', 'User disabled',\n  '50058', 'Logon violates policy',\n  '50059', 'No such user or password',\n  '50064', 'No such user or password',\n  '50072', 'Logon violates policy',\n  '50074', 'Logon violates policy', \n  '50076', 'Logon violates policy',\n  '50079', 'Logon violates policy',\n  '50105', 'Logon violates policy',\n  '50126', 'No such user or password',\n  '50132', 'Password expired',\n  '50133', 'Password expired',\n  '50144', 'Password expired',\n  '50173', 'Password expired',\n  '51004', 'No such user or password',\n  '53003', 'Logon violates policy',\n  '70008', 'Password expired',\n  '80012', 'Logon violates policy',\n  '500011', 'No such user or password',\n  '700016',  'No such user or password', \n  ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n  'Guest','Guest', \n  'Member', 'Regular',\n  '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n    EventCount                 = int(1),\n    EventEndTime               = TimeGenerated,\n    EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n    EventProduct               = 'Entra ID',\n    EventResult                = iff (ResultType ==0, 'Success', 'Failure'),\n    EventSchemaVersion         = '0.1.1',\n    EventStartTime             = TimeGenerated,\n    EventSubType               = 'Interactive',\n    EventType                  = 'Logon',\n    EventVendor                = 'Microsoft',\n    Location                   = todynamic(LocationDetails),\n    SrcHostname             = tostring(DeviceDetail.displayName),\n    SrcDvcId                   = tostring(DeviceDetail.deviceId),\n    SrcIpAddr                  = IPAddress,\n    SrcDvcOs                   = tostring(DeviceDetail.operatingSystem),\n    TargetUserIdType           = 'EntraID',\n    TargetUsernameType         = 'UPN'\n| extend\n    SrcGeoCity        = tostring(Location.city),\n    SrcGeoCountry     = tostring(Location.countryOrRegion),\n    SrcGeoLatitude    = toreal(Location.geoCoordinates.latitude),\n    SrcGeoLongitude   = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n     EventOriginalUid = Id,\n     EventUid         = _ItemId,\n     HttpUserAgent    = UserAgent,\n     LogonMethod      = AuthenticationRequirement,\n     TargetAppId      = ResourceIdentity,\n     TargetAppName    = ResourceDisplayName,\n     TargetSessionId  = CorrelationId,\n     TargetUserId     = UserId,\n     TargetUsername   = UserPrincipalName\n  //\n  | lookup UserTypeLookup on UserType\n  | project-away UserType\n  // ** Aliases\n  | extend \n      Dvc             = EventVendor,\n      LogonTarget     = TargetAppName,\n      User            = TargetUsername,\n    // -- Entity identifier explicit aliases\n      TargetUserUpn   = TargetUsername\n  };\n  parser  \n  (\n      disabled = disabled\n  )",
         "version": 1,
         "functionParameters": "disabled:bool=False"
       }