From f11cf8cdf866b04c438eaf3f9bee492ce036ff09 Mon Sep 17 00:00:00 2001
From: Ofer Shezaf <39997089+oshezaf@users.noreply.github.com>
Date: Tue, 23 May 2023 12:02:55 +0300
Subject: [PATCH] Update ASIM parsers list.md
---
ASIM/ASIM parsers list.md | 60 +++++++++++++++++++--------------------
1 file changed, 30 insertions(+), 30 deletions(-)
diff --git a/ASIM/ASIM parsers list.md b/ASIM/ASIM parsers list.md
index 750cf644c83..5deddd4d26f 100644
--- a/ASIM/ASIM parsers list.md
+++ b/ASIM/ASIM parsers list.md
@@ -22,70 +22,70 @@ Note that this table is not maintained on an ongoing basis and there might be pa
| [ASimAuthenticationMD4IoT](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftMD4IoT.yaml) | Authentication | SecurityIoTRawEvent | RawEventName == 'Login' | Deprecated |
| [ASimAuthenticationMicrosoftWindowsEvent](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationMicrosoftWindowsEvent.yaml) | Authentication | WindowsEvent, SecurityEvent | EventID in (4624,4625,4634,4647) | (Also, for WindowsEvent Provider == 'Microsoft-Windows-Security-Auditing') |
| [ASimAuthenticationOktaSSO](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationOktaOSS.yaml) | Authentication | Okta_CL | eventType_s in ('user.session.start', 'user.session.end') | |
-| [ASimAuthenticationPostgreSQL](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationPostgreSQL.yaml) | Authentication | PostgreSQL_CL | RawData has 'connection authorized' or RawData has 'authentication failed' or RawData has_all ('role', 'does', 'not', 'exist') or RawData has_all ('no', 'entry', 'user') or RawData has 'disconnection' | |
-| [ASimAuthenticationSshd](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSshd.yaml) | Authentication | Syslog | ProcessName == 'sshd' and (SyslogMessage startswith 'Accepted' or SyslogMessage startswith 'Failed' or (SyslogMessage startswith 'message repeated' and SyslogMessage has 'Failed') of SyslogMessage startswith 'Timeout' or SyslogMessage startswith 'Invalid user' | TBC |
-| [ASimAuthenticationSu](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSu.yaml) | Authentication | Syslog | ProcessName == 'su' and (SyslogMessage startswith 'Successful su for' or SyslogMessage has_all ('pam_unix(su', 'session): session closed for user') | |
+| [ASimAuthenticationPostgreSQL](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationPostgreSQL.yaml) | Authentication | PostgreSQL_CL | RawData has 'connection authorized'
or RawData has 'authentication failed'
or RawData has_all ('role', 'does', 'not', 'exist')
or RawData has_all ('no', 'entry', 'user')
or RawData has 'disconnection' | |
+| [ASimAuthenticationSshd](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSshd.yaml) | Authentication | Syslog | ProcessName == 'sshd'
and (SyslogMessage startswith 'Accepted'
or SyslogMessage startswith 'Failed'
or (SyslogMessage startswith 'message repeated'
and SyslogMessage has 'Failed')
or SyslogMessage startswith 'Timeout'
or SyslogMessage startswith 'Invalid user' | TBC |
+| [ASimAuthenticationSu](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSu.yaml) | Authentication | Syslog | ProcessName == 'su'
and (SyslogMessage startswith 'Successful su for'
or SyslogMessage has_all ('pam_unix(su', 'session): session closed for user') | |
| [ASimAuthenticationSudo](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml) | Authentication | Syslog | | Parser is incomplete |
| [ASimDnsAzureFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsAzureFirewall.yaml) | Dns | AzureDiagnostics | Category in ('AzureFirewallDnsProxy','AzureFirewallDnsProxy') | |
| [ASimDnsCiscoUmbrella](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsCiscoUmbrella.yaml) | Dns | Cisco_Umbrella_dns_CL | - | |
-| [ASimDnsCorelightZeek](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsCorelightZeek.yaml) | Dns | Corelight_CL | Message has ''_path':'dns'' or Message has ''_path':'dns_red'' | |
+| [ASimDnsCorelightZeek](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsCorelightZeek.yaml) | Dns | Corelight_CL | Message has '_path':'dns '
or Message has '_path':'dns_red ' | |
| [ASimDnsGcp](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsGcp.yaml) | Dns | GCP_DNS_CL | resource_type_s == 'dns_query' | |
-| [ASimDnsInfobloxNIOS](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsInfobloxNIOS.yaml) | Dns | Syslog | ProcessName == 'named' and (SyslogMessage has_all ('client', 'query:', 'response:') or SyslogMessage has_all ('client', 'query:') and SyslogMessage !has 'response:') | |
+| [ASimDnsInfobloxNIOS](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsInfobloxNIOS.yaml) | Dns | Syslog | ProcessName == 'named'
and (SyslogMessage has_all ('client', 'query:', 'response:')
or SyslogMessage has_all ('client', 'query:')
and SyslogMessage !has 'response:') | |
| [ASimDnsMicrosoftNXlog](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsMicrosoftNXlog.yaml) | Dns | NXLog_DNS_Server_CL | EventID_d < 281 | |
| [ASimDnsMicrosoftOMS](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsMicrosoftOMS.yaml) | Dns | DnsEvents | EventId < 500 | |
-| [ASimDnsMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsMicrosoftSysmon.yaml) | Dns | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID==22 | Source is used for Event, Provider for WindowsEvent |
+| [ASimDnsMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsMicrosoftSysmon.yaml) | Dns | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon'
and EventID==22 | Source is used for Event, Provider for WindowsEvent |
| [ASimDnsNative](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsNative.yaml) | Dns | ASimDnsActivityLogs | - | |
| [ASimDnsVectraAI](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsVectraAI.yaml) | Dns | VectraStream_CL | metadata_type_s == 'metadata_dns' | Share the sample file with other VectraAI parsers |
| [ASimDnsZscalerZIA](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimDns/Parsers/ASimDnsZscalerZIA.yaml) | Dns | CommonSecurityLog | DeviceProduct == 'NSSDNSlog' | |
| [ASimNetworkSessionAWSVPC](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAWSVPC.yaml) | NetworkSession | AWSVPCFlow | LogStatus == 'OK' | |
-| [ASimNetworkSessionAppGateSDP](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAppGateSDP.yaml) | NetworkSession | Syslog | ProcessName in ('cz-sessiond', 'cz-vpnd') and (SyslogMessage has_all ('[AUDIT]','ip_access',''rule_name'') and SyslogMessage has_any (''protocol':'UDP'',''protocol':'TCP'') or (SyslogMessage has_all ('[AUDIT]','ip_access',''drop-reason'') and SyslogMessage has_any (''protocol':'UDP'',''protocol':'TCP'') or SyslogMessage has_all ('[AUDIT]','ip_access',''protocol':'ICMP'') | |
-| [ASimNetworkSessionAzureFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAzureFirewall.yaml) | NetworkSession | AzureDiagnostics | Category == 'AzureFirewallNetworkRule' or OperationName in ('AzureFirewallNetworkRuleLog','AzureFirewallThreatIntelLog') | |
+| [ASimNetworkSessionAppGateSDP](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAppGateSDP.yaml) | NetworkSession | Syslog | ProcessName in ('cz-sessiond', 'cz-vpnd')
and (SyslogMessage has_all ('[AUDIT]','ip_access', 'rule_name ')
and SyslogMessage has_any ( 'protocol':'UDP ', 'protocol':'TCP ')
or (SyslogMessage has_all ('[AUDIT]','ip_access', 'drop-reason ')
and SyslogMessage has_any ( 'protocol':'UDP ', 'protocol':'TCP ')
or SyslogMessage has_all ('[AUDIT]','ip_access', 'protocol':'ICMP ') | |
+| [ASimNetworkSessionAzureFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAzureFirewall.yaml) | NetworkSession | AzureDiagnostics | Category == 'AzureFirewallNetworkRule'
or OperationName in ('AzureFirewallNetworkRuleLog','AzureFirewallThreatIntelLog') | |
| [ASimNetworkSessionAzureNSG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionAzureNSG.yaml) | NetworkSession | AzureNetworkAnalytics_CL | isnotempty(FlowType_s) | |
-| [ASimNetworkSessionCheckPointFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCheckPointFirewall.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor=='Check Point' and DeviceProduct=='VPN-1 & FireWall-1' | |
-| [ASimNetworkSessionCiscoASA](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Cisco' and DeviceProduct == 'ASA' and DeviceEventClassID in ('106001','106006','106015','106016','106021','106022','106010','106014','106018','106023','302013','302015','302014','302016','302020','302021','710002','710003','710004','710005','106007','106017','106100','106002','106012','106013','106020') | |
+| [ASimNetworkSessionCheckPointFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCheckPointFirewall.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor=='Check Point'
and DeviceProduct=='VPN-1 & FireWall-1' | |
+| [ASimNetworkSessionCiscoASA](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoASA.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Cisco'
and DeviceProduct == 'ASA'
and DeviceEventClassID in ('106001','106006','106015','106016',
'106021','106022','106010','106014',
'106018','106023','302013','302015',
'302014','302016','302020','302021',
'710002','710003','710004','710005',
'106007','106017','106100','106002',
'106012','106013','106020') | |
| [ASimNetworkSessionCiscoMeraki](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCiscoMeraki.yaml) | NetworkSession | CiscoMerakiNativePoller_CL | EventOriginalType == 'IDS Alert' | |
-| [ASimNetworkSessionCorelightZeek](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCorelightZeek.yaml) | NetworkSession | Corelight_CL | Message has ''_path':'conn'' or Message has ''conn_red'' | |
-| [ASimNetworkSessionForcePointFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionForcePointFirewall.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor=='FORCEPOINT' and DeviceProduct=='Firewall' and DeviceFacility in ('Inspection','Packet Filtering','File Filtering') and isnotempty(DeviceEventClassID) and DeviceEventClassID != '0' | |
-| [ASimNetworkSessionFortinetFortiGate](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionFortinetFortiGate.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Fortinet' and DeviceProduct startswith 'FortiGate' and DeviceEventCategoryhas 'traffic' and DeviceAction != 'dns' and Activity !has 'dns' | |
+| [ASimNetworkSessionCorelightZeek](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionCorelightZeek.yaml) | NetworkSession | Corelight_CL | Message has '_path':'conn ' or Message has 'conn_red ' | |
+| [ASimNetworkSessionForcePointFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionForcePointFirewall.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor=='FORCEPOINT'
and DeviceProduct=='Firewall'
and DeviceFacility in ('Inspection','Packet Filtering','File Filtering')
and isnotempty(DeviceEventClassID)
and DeviceEventClassID != '0' | |
+| [ASimNetworkSessionFortinetFortiGate](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionFortinetFortiGate.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Fortinet'
and DeviceProduct startswith 'FortiGate'
and DeviceEventCategoryhas 'traffic'
and DeviceAction != 'dns'
and Activity !has 'dns' | |
| [ASimNetworkSessionMD4IoTAgent](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMD4IoTAgent.yaml) | NetworkSession | SecurityIoTRawEvent | RawEventName == 'NetworkActivity' | Deprecated |
| [ASimNetworkSessionMD4IoTSensor](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMD4IoTSensor.yaml) | NetworkSession | DefenderIoTRawEvent | RawEventName == 'NetworkConnectionData' | |
| [ASimNetworkSessionMicrosoft365Defender](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoft365Defender.yaml) | NetworkSession | DeviceNetworkEvents | - | |
-| [ASimNetworkSessionLinuxSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml) | NetworkSession | Syslog | SyslogMessage has_all ('3') | |
-| [ASimNetworkSessionMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftSysmon.yaml) | NetworkSession | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID == 3 | Source is used for Event, Provider for WindowsEvent |
+| [ASimNetworkSessionLinuxSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftLinuxSysmon.yaml) | NetworkSession | Syslog | SyslogMessage has_all ('3') | |
+| [ASimNetworkSessionMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftSysmon.yaml) | NetworkSession | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon'
and EventID == 3 | Source is used for Event, Provider for WindowsEvent |
| [ASimNetworkSessionMicrosoftWindowsEventFirewall](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionMicrosoftWindowsEventFirewall.yaml) | NetworkSession | SecurityEvent, WindowsEvent | EventID in (5151 .. 5159) | |
| [ASimNetworkSessionNative](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionNative.yaml) | NetworkSession | ASimNetworkSessionLogs | - | |
-| [ASimNetworkSessionPaloAltoCEF](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionPaloAltoCEF.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Palo Alto Networks' and DeviceProduct == 'PAN-OS' and Activity == 'TRAFFIC' | |
+| [ASimNetworkSessionPaloAltoCEF](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionPaloAltoCEF.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Palo Alto Networks'
and DeviceProduct == 'PAN-OS'
and Activity == 'TRAFFIC' | |
| [ASimNetworkSessionVMConnection](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVMConnection.yaml) | NetworkSession | VMConnection | - | |
| [ASimNetworkSessionVectraAI](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionVectraAI.yaml) | NetworkSession | VectraStream_CL | metadata_type_s == 'metadata_isession' | Share the sample file with other VectraAI parsers |
-| [ASimNetworkSessionWatchGuardFirewareOS](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionWatchGuardFirewareOS.yaml) | NetworkSession | Syslog | SyslogMessage has_any('msg_id='3000-0148'' , 'msg_id='3000-0149'' , 'msg_id='3000-0150'' , 'msg_id='3000-0151'' , 'msg_id='3000-0173'' ) and SyslogMessage !has 'msg='DNS Forwarding' ' | |
-| [ASimNetworkSessionZscalerZIA](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionzScalerZIA.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Zscaler' and DeviceProduct == 'NSSFWlog' | |
-| [ASimProcessCreateLinuxSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateLinuxSysmon.yaml) | ProcessEvent | Syslog | SyslogMessage has_all ('1') | |
+| [ASimNetworkSessionWatchGuardFirewareOS](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionWatchGuardFirewareOS.yaml) | NetworkSession | Syslog | SyslogMessage has_any('msg_id='3000-0148 ' , 'msg_id='3000-0149 ' ,
'msg_id='3000-0150 ' , 'msg_id='3000-0151 ' , 'msg_id='3000-0173 ' )
and SyslogMessage !has 'msg='DNS Forwarding' ' | |
+| [ASimNetworkSessionZscalerZIA](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimNetworkSession/Parsers/ASimNetworkSessionzScalerZIA.yaml) | NetworkSession | CommonSecurityLog | DeviceVendor == 'Zscaler'
and DeviceProduct == 'NSSFWlog' | |
+| [ASimProcessCreateLinuxSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateLinuxSysmon.yaml) | ProcessEvent | Syslog | SyslogMessage has_all ('1') | |
| [ASimProcessCreateMicrosoftSecurityEvents](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateMicrosoftSecurityEvents.yaml) | ProcessEvent | SecurityEvent | EventID == 4688 | |
-| [ASimProcessCreateMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateMicrosoftSysmon.yaml) | ProcessEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID==1 | Source is used for Event, Provider for WindowsEvent |
+| [ASimProcessCreateMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateMicrosoftSysmon.yaml) | ProcessEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon'
and EventID==1 | Source is used for Event, Provider for WindowsEvent |
| [ASimProcessCreateMicrosoftWindowsEvents](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessCreateMicrosoftWindowsEvents.yaml) | ProcessEvent | WindowsEvent | EventID == 4688 | |
| [ASimProcessEventMD4IoT](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessEventMD4IoT.yaml) | ProcessEvent | SecurityIoTRawEvent | RawEventName == 'Process' | Deprecated |
| [ASimProcessEventMicrosoft365D](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessEventMicrosoft365D.yaml) | ProcessEvent | DeviceProcessEvents | - | |
-| [ASimProcessTerminateLinuxSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateLinuxSysmon.yaml) | ProcessEvent | Syslog | SyslogMessage has_all ('5') | |
+| [ASimProcessTerminateLinuxSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateLinuxSysmon.yaml) | ProcessEvent | Syslog | SyslogMessage has_all ('5') | |
| [ASimProcessTerminateMicrosoftSecurityEvents](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateMicrosoftSecurityEvents.yaml) | ProcessEvent | SecurityEvent | EventID == 4689 | |
-| [ASimProcessTerminateMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateMicrosoftSysmon.yaml) | ProcessEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID==5 | Source is used for Event, Provider for WindowsEvent |
+| [ASimProcessTerminateMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateMicrosoftSysmon.yaml) | ProcessEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon'
and EventID==5 | Source is used for Event, Provider for WindowsEvent |
| [ASimProcessTerminateMicrosoftWindowsEvents](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimProcessEvent/Parsers/ASimProcessTerminateMicrosoftWindowsEvents.yaml) | ProcessEvent | WindowsEvent | EventID == 4689 | |
| [ASimWebSessionIIS](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionIIS.yaml) | WebSession | W3CIISLog | - | |
| [ASimWebSessionNative](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionNative.yaml) | WebSession | ASimWebSessionLogs | - | |
-| [ASimWebSessionPaloAltoCEF](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionPaloAltoCEF.yaml) | WebSession | CommonSecurityLog | DeviceVendor == 'Palo Alto Networks' and DeviceProduct == 'PAN-OS' and Activity == 'THREAT' and DeviceEventClassID == 'url' | |
+| [ASimWebSessionPaloAltoCEF](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionPaloAltoCEF.yaml) | WebSession | CommonSecurityLog | DeviceVendor == 'Palo Alto Networks'
and DeviceProduct == 'PAN-OS'
and Activity == 'THREAT'
and DeviceEventClassID == 'url' | |
| [ASimWebSessionSquidProxy](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionSquidProxy.yaml) | WebSession | SquidProxy_CL | - | |
| [ASimWebSessionVectraAI](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionVectraAI.yaml) | WebSession | VectraStream_CL | metadata_type_s == 'metadata_httpsessioninfo' | Share the sample file with other VectraAI parsers |
-| [ASimWebSessionZscalerZIA](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml) | WebSession | CommonSecurityLog | DeviceVendor == 'Zscaler' and DeviceProduct == 'NSSWeblog' | |
+| [ASimWebSessionZscalerZIA](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimWebSession/Parsers/ASimWebSessionzScalerZIA.yaml) | WebSession | CommonSecurityLog | DeviceVendor == 'Zscaler'
and DeviceProduct == 'NSSWeblog' | |
| [vimFileEventAzureBlobStorage](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventAzureBlobStorage.yaml) | FileEvent | StorageBlobLogs | OperationName in (...bloboperations...) | |
| [vimFileEventAzureFileStorage](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventAzureFileStorage.yaml) | FileEvent | StorageFileLogs | OperationName in (...fileoperations...) | |
| [vimFileEventAzureQueueStorage](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventAzureQueueStorage.yaml) | FileEvent | StorageQueueLogs | OperationName in (...queueoperations...) | |
| [vimFileEventAzureTableStorage](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventAzureTableStorage.yaml) | FileEvent | StorageTableLogs | OperationName in (...tableoperations...) | |
-| [vimFileEventLinuxSysmonFileCreated](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventLinuxSysmonFileCreated.yaml) | FileEvent | Syslog | SyslogMessage has_all ('11') | |
-| [vimFileEventLinuxSysmonFileDeleted](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventLinuxSysmonFileDeleted.yaml) | FileEvent | Syslog | SyslogMessage has ('23','26') | |
+| [vimFileEventLinuxSysmonFileCreated](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventLinuxSysmonFileCreated.yaml) | FileEvent | Syslog | SyslogMessage has_all ('11') | |
+| [vimFileEventLinuxSysmonFileDeleted](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventLinuxSysmonFileDeleted.yaml) | FileEvent | Syslog | SyslogMessage has ('and SyslogMessage has_any('23','26') | |
| [vimFileEventM365D](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventM365D.yaml) | FileEvent | DeviceFileEvents | - | |
-| [vimFileEventMicrosoftSharePoint](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventMicrosoftSharePoint.yaml) | FileEvent | OfficeActivity | RecordType == 'SharePointFileOperation' and Operation != 'FileMalwareDetected' | |
-| [vimFileEventMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventMicrosoftSysmon.yaml) | FileEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID in (11,23,26) | Source is used for Event, Provider for WindowsEvent |
+| [vimFileEventMicrosoftSharePoint](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventMicrosoftSharePoint.yaml) | FileEvent | OfficeActivity | RecordType == 'SharePointFileOperation'
and Operation != 'FileMalwareDetected' | |
+| [vimFileEventMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventMicrosoftSysmon.yaml) | FileEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon'
and EventID in (11,23,26) | Source is used for Event, Provider for WindowsEvent |
| [vimFileEventMicrosoftWindowsEvents](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimFileEvent/Parsers/vimFileEventMicrosoftWindowsEvents.yaml) | FileEvent | SecurityEvent, WindowsEvent | EventID == 4663 | |
| [vimRegistryEventMicrosoft365D](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoft365D.yaml) | RegisttryEvent | DeviceRegistryEvents | - | |
| [vimRegistryEventMicrosoftSecurityEvents](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftSecurityEvent.yaml) | RegisttryEvent | SecurityEvent | EventID == 4657 | |
-| [vimRegistryEventMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftSysmon.yaml) | RegisttryEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon' and EventID in (12, 13, 14) | Source is used for Event, Provider for WindowsEvent |
-| [vimRegistryEventMicrosoftWindowsEvent](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftWindowsEvent.yaml) | RegisttryEvent | SecurityEvent, WindowsEvent | EventID == 4663 or EventID == 4657 | |
+| [vimRegistryEventMicrosoftSysmon](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftSysmon.yaml) | RegisttryEvent | WindowsEvent, Event | Source/Provider == 'Microsoft-Windows-Sysmon'
and EventID in (12, 13, 14) | Source is used for Event, Provider for WindowsEvent |
+| [vimRegistryEventMicrosoftWindowsEvent](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimRegistryEvent/Parsers/vimRegistryEventMicrosoftWindowsEvent.yaml) | RegisttryEvent | SecurityEvent, WindowsEvent | EventID == 4663
or EventID == 4657 | |