From e84f0a7d29fcfb984d1f39b63047aad8fd03a926 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <>
Date: Mon, 10 Feb 2025 17:27:13 +0000
Subject: [PATCH] [ASIM Parsers] Generate deployable ARM templates from KQL
 function YAML files.

---
 .../ASimAuthenticationAADSigninLogs.json                        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
index f8689ef2049..40a7bd5d468 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationAADSigninLogs/ASimAuthenticationAADSigninLogs.json
@@ -27,7 +27,7 @@
         "displayName": "Authentication ASIM parser for Microsoft Entra ID interactive sign-in logs",
         "category": "ASIM",
         "FunctionAlias": "ASimAuthenticationSigninLogs",
-        "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n  '0', 'Success',\n  '50005', 'Logon violates policy',\n  '50011', 'Logon violates policy', \n  '50020', 'Logon violates policy',\n  '50034', 'No such user or password',\n  '50053', 'User locked',\n  '50055', 'Password expired',\n  '50056', 'Incorrect password',\n  '50057', 'User disabled',\n  '50058', 'Logon violates policy',\n  '50059', 'No such user or password',\n  '50064', 'No such user or password',\n  '50072', 'Logon violates policy',\n  '50074', 'Logon violates policy', \n  '50076', 'Logon violates policy',\n  '50079', 'Logon violates policy',\n  '50105', 'Logon violates policy',\n  '50126', 'No such user or password',\n  '50132', 'Password expired',\n  '50133', 'Password expired',\n  '50144', 'Password expired',\n  '50173', 'Password expired',\n  '51004', 'No such user or password',\n  '53003', 'Logon violates policy',\n  '70008', 'Password expired',\n  '80012', 'Logon violates policy',\n  '500011', 'No such user or password',\n  '700016',  'No such user or password', \n  ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n  'Guest','Guest', \n  'Member', 'Regular',\n  '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n    EventCount                 = int(1),\n    EventEndTime               = TimeGenerated,\n    EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n    EventProduct               = 'Entra ID',\n    EventResult                = iff (ResultType ==0, 'Success', 'Failure'),\n    EventSchemaVersion         = '0.1.0',\n    EventStartTime             = TimeGenerated,\n    EventSubType               = 'Interactive',\n    EventType                  = 'Logon',\n    EventVendor                = 'Microsoft',\n    Location                   = todynamic(LocationDetails),\n    SrcHostname             = tostring(DeviceDetail.displayName),\n    SrcDvcId                   = tostring(DeviceDetail.deviceId),\n    SrcIpAddr                  = IPAddress,\n    SrcDvcOs                   = tostring(DeviceDetail.operatingSystem),\n    TargetUserIdType           = 'EntraID',\n    TargetUsernameType         = 'UPN'\n| extend\n    SrcGeoCity        = tostring(Location.city),\n    SrcGeoCountry     = tostring(Location.countryOrRegion),\n    SrcGeoLatitude    = toreal(Location.geoCoordinates.latitude),\n    SrcGeoLongitude   = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n     EventOriginalUid = Id,\n     EventUid         = _ItemId,\n     HttpUserAgent    = UserAgent,\n     LogonMethod      = AuthenticationRequirement,\n     TargetAppId      = ResourceIdentity,\n     TargetAppName    = ResourceDisplayName,\n     TargetSessionId  = CorrelationId,\n     TargetUserId     = UserId,\n     TargetUsername   = UserPrincipalName\n  //\n  | lookup UserTypeLookup on UserType\n  | project-away UserType\n  // ** Aliases\n  | extend \n      Dvc             = EventVendor,\n      LogonTarget     = TargetAppName,\n      User            = TargetUsername,\n    // -- Entity identifier explicit aliases\n      TargetUserAadId = TargetUserId,\n      TargetUserUpn   = TargetUsername\n  };\n  parser  \n  (\n      disabled = disabled\n  )",
+        "query": "let FailedReason=datatable(ResultType:string, EventResultDetails:string)[\n  '0', 'Success',\n  '50005', 'Logon violates policy',\n  '50011', 'Logon violates policy', \n  '50020', 'Logon violates policy',\n  '50034', 'No such user or password',\n  '50053', 'User locked',\n  '50055', 'Password expired',\n  '50056', 'Incorrect password',\n  '50057', 'User disabled',\n  '50058', 'Logon violates policy',\n  '50059', 'No such user or password',\n  '50064', 'No such user or password',\n  '50072', 'Logon violates policy',\n  '50074', 'Logon violates policy', \n  '50076', 'Logon violates policy',\n  '50079', 'Logon violates policy',\n  '50105', 'Logon violates policy',\n  '50126', 'No such user or password',\n  '50132', 'Password expired',\n  '50133', 'Password expired',\n  '50144', 'Password expired',\n  '50173', 'Password expired',\n  '51004', 'No such user or password',\n  '53003', 'Logon violates policy',\n  '70008', 'Password expired',\n  '80012', 'Logon violates policy',\n  '500011', 'No such user or password',\n  '700016',  'No such user or password', \n  ];\nlet UserTypeLookup = datatable (UserType:string, TargetUserType:string) [\n  'Guest','Guest', \n  'Member', 'Regular',\n  '',''\n];\nlet parser=(disabled:bool=false){\nSigninLogs \n| where not(disabled)\n| extend\n    EventCount                 = int(1),\n    EventEndTime               = TimeGenerated,\n    EventOriginalResultDetails = coalesce(ResultDescription, ResultType),\n    EventProduct               = 'Entra ID',\n    EventResult                = iff (ResultType ==0, 'Success', 'Failure'),\n    EventSchemaVersion         = '0.1.1',\n    EventStartTime             = TimeGenerated,\n    EventSubType               = 'Interactive',\n    EventType                  = 'Logon',\n    EventVendor                = 'Microsoft',\n    Location                   = todynamic(LocationDetails),\n    SrcHostname             = tostring(DeviceDetail.displayName),\n    SrcDvcId                   = tostring(DeviceDetail.deviceId),\n    SrcIpAddr                  = IPAddress,\n    SrcDvcOs                   = tostring(DeviceDetail.operatingSystem),\n    TargetUserIdType           = 'EntraID',\n    TargetUsernameType         = 'UPN'\n| extend\n    SrcGeoCity        = tostring(Location.city),\n    SrcGeoCountry     = tostring(Location.countryOrRegion),\n    SrcGeoLatitude    = toreal(Location.geoCoordinates.latitude),\n    SrcGeoLongitude   = toreal(Location.geoCoordinates.longitude)\n | lookup FailedReason on ResultType\n | project-rename\n     EventOriginalUid = Id,\n     EventUid         = _ItemId,\n     HttpUserAgent    = UserAgent,\n     LogonMethod      = AuthenticationRequirement,\n     TargetAppId      = ResourceIdentity,\n     TargetAppName    = ResourceDisplayName,\n     TargetSessionId  = CorrelationId,\n     TargetUserId     = UserId,\n     TargetUsername   = UserPrincipalName\n  //\n  | lookup UserTypeLookup on UserType\n  | project-away UserType\n  // ** Aliases\n  | extend \n      Dvc             = EventVendor,\n      LogonTarget     = TargetAppName,\n      User            = TargetUsername,\n    // -- Entity identifier explicit aliases\n      TargetUserUpn   = TargetUsername\n  };\n  parser  \n  (\n      disabled = disabled\n  )",
         "version": 1,
         "functionParameters": "disabled:bool=False"
       }