Azure-Sentinel

Update ASimAuditEvent parsers to improve Scheduled Task Event Parsing

Open andrewj-t opened this issue 2 months ago • 9 comments

Required items, please complete

Change(s):

  • Updated vimAuditEventMicrosoftSecurityEvents.yaml to include additional fields
  • Updated vimAuditEventMicrosoftSecurityEvents.yaml to correctly unescape TaskContent XML
  • Updated ASimAuditEventMicrosoftSecurityEvents.yaml to correctly unescape TaskContent XML

Reason for Change(s):

  • Fix Issue https://github.com/Azure/Azure-Sentinel/issues/13168
  • Fix issue https://github.com/Azure/Azure-Sentinel/issues/13169

Version Updated:

  • Yes, Updated to 0.2.2

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

andrewj-t avatar Nov 20 '25 01:11 andrewj-t

🔒 Security Approval Required

This fork PR requires manual approval before automated testing can run.

For security, a maintainer must:

  1. 📝 Review the code changes carefully
  2. Verify file types - This PR should only contain .yml, .yaml, or .json files. Check for any executable scripts (.ps1, .py, .sh, .exe, etc.) which are not allowed in this context.
  3. 🏷️ Add the SafeToRun label if the changes are safe to execute

Note: If new commits are added later, simply remove and re-add the SafeToRun label.


🤖 Automated security check • Created: 2025-11-20T01:39:59.494Z
Learn more: GitHub Security Lab - Preventing PWN Requests

github-actions[bot] avatar Nov 20 '25 01:11 github-actions[bot]

@microsoft-github-policy-service agree

andrewj-t avatar Nov 20 '25 01:11 andrewj-t

🔒 Security Approval Required (repeat of the automated security check comment above) • Created: 2025-11-20T08:34:33.716Z

github-actions[bot] avatar Nov 20 '25 08:11 github-actions[bot]

🔒 Security Approval Required (repeat of the automated security check comment above) • Created: 2025-11-25T07:55:33.086Z

github-actions[bot] avatar Nov 25 '25 07:11 github-actions[bot]

Hi @andrewj-t, Please upload a sample data. Thanks

v-atulyadav avatar Nov 25 '25 08:11 v-atulyadav

Hi @andrewj-t, Validations are failing due to the issues listed below. Please include the necessary sample data file. Thanks

[screenshots of the failing validation output]

Sample data file path: https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/ASIM

v-atulyadav avatar Nov 27 '25 11:11 v-atulyadav

Hi @v-atulyadav

I will look to generate some sample data that covers off the scheduled task related event IDs and will add to the PR.

As for the replace_strings error, this may be an issue in the KqlValidator not being up to date with the latest functions available in the KQL language. It is documented as a supported function here and I am able to use it in my production Sentinel Workspace successfully. There is the older replace_string function, but I thought it would be more performant to use replace_strings, rather than calling replace_string 3 times for every row processed.

andrewj-t avatar Nov 28 '25 07:11 andrewj-t
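For readers following the replace_strings discussion, the query below is an added illustration (it is not the parser code from this PR and not part of the Azure-Sentinel repository) of how XML-escaped TaskContent from Security events 4698/4699 can be unescaped in one replace_strings() call and then parsed with parse_xml(). The datatable row is constructed sample data; the entity list (&lt;, &gt;, &quot;, &amp;), the column names TaskName/TaskContent and the Create/Delete mapping are assumptions for the example rather than values taken from the PR.

```kql
// Added example, not the PR's parser code. Unescapes the XML-escaped TaskContent
// of Windows Security events 4698 (task created) / 4699 (task deleted) with a
// single replace_strings() call, then parses the resulting XML with parse_xml().
// The row below is constructed sample data, not real telemetry.
let SampleEvents = datatable(TimeGenerated:datetime, EventID:int, TaskName:string, TaskContent:string)[
    datetime(2025-11-20T01:00:00Z), 4698, @"\ExampleTask",
    @"&lt;Task version=&quot;1.2&quot;&gt;&lt;Actions&gt;&lt;Exec&gt;&lt;Command&gt;C:\Windows\System32\cmd.exe&lt;/Command&gt;&lt;Arguments&gt;/c echo a &amp;amp; b&lt;/Arguments&gt;&lt;/Exec&gt;&lt;/Actions&gt;&lt;/Task&gt;"
];
SampleEvents
| extend TaskContentUnescaped = replace_strings(
    TaskContent,
    // '&amp;' is listed last so that a doubly escaped ampersand such as
    // '&amp;lt;' is not collapsed to '<' by an earlier replacement; the XML
    // parser then decodes the remaining '&amp;' itself.
    dynamic(["&lt;", "&gt;", "&quot;", "&amp;"]),
    dynamic(["<",    ">",    "\"",     "&"]))
| extend TaskXml = parse_xml(TaskContentUnescaped)
| extend
    // Fields a detection or ASim mapping would typically want from the task definition.
    Command    = tostring(TaskXml.Task.Actions.Exec.Command),
    Arguments  = tostring(TaskXml.Task.Actions.Exec.Arguments),
    ActionType = iff(EventID == 4698, "Create", "Delete")
| project TimeGenerated, EventID, ActionType, TaskName, Command, Arguments
```

Swapping the single replace_strings() call for four chained replace_string() calls in the same order yields the same TaskContentUnescaped value, which is the fallback if a validation tool does not yet recognise replace_strings(); the ordering caveat on '&amp;' applies in both forms.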

Hi @andrewj-t,

It appears that the KQL query fails when using the condition shown in brackets, but it succeeds when we replace it with the underlined condition.

[screenshot of the failing condition (bracketed) and the working replacement (underlined)]

Please verify at your end.

v-atulyadav avatar Nov 28 '25 09:11 v-atulyadav

Hi @v-atulyadav

I am having problems generating sample logs to match the existing Microsoft_Windows_AuditEvent_SecurityEvent_IngestedLogs.csv in the Sample data directory. It seems the columns may have changed since the sample data was generated previously.

I have emailed you directly with the results of the query from my company's internal environment for an example.

SecurityEvent
| where EventID in (4698,4699)

If you have access to an internal tool that can sanitize it and match to the existing data, please go ahead and use it. I hope this is acceptable to progress the PR; if not, let me know and I will withdraw it, as I don't think I will have time to regenerate the sample data.

andrewj-t avatar Dec 02 '25 22:12 andrewj-t