
test ASimAuditEvent

Open v-atulyadav opened this issue 1 month ago • 9 comments

Required items, please complete

Change(s):

  • ASimAuditEvent parsers to improve Scheduled Task

v-atulyadav avatar Nov 27 '25 13:11 v-atulyadav

ASIM parsers have been changed. ARM templates were regenerated from the updated KQL function YAML files. To find the new ARM templates, pull your branch.

Thanks for the fix @v-atulyadav . Tagging @yummyblabla and @marjoriehahn for awareness.

Now two comments/questions:

  • How did we identify this issue? Is it a GitHub ticket? an IcM? Otherwise?
  • It may be a bug in the SecurityEvent connector itself. Did we look into this?

oshezaf avatar Nov 27 '25 18:11 oshezaf

Hi @oshezaf,

This is the test PR we have created. The author has submitted it, and we are currently waiting for sample logs to continue testing. https://github.com/Azure/Azure-Sentinel/pull/13170

v-atulyadav avatar Nov 28 '25 10:11 v-atulyadav

Hi @oshezaf

I am the customer that ran into these issues while trying to use ASimAuditEvent to develop an analytic rule, and raised the PR with what is really a workaround that I came up with.

It may be a bug in the SecurityEvent connector itself. Did we look into this?

I found that if I used wevtutil on a local Windows machine, the task data is escaped in the same way as it appears in SecurityEvent. It also appears this way if you query via the ForwardedEvents table on a WEC server, so my guess would be that there is something in the WindowsEvent data connector that unescapes it correctly as part of parsing EventData into a dynamic object which the SecurityEvent connector doesn't do. If it could be fixed at the data connector level instead, that would be great!

wevtutil qe Security /q:"*[System[(EventID=4698)]]" /f:xml /c:1

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
	<System>
		<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
		<EventID>4698</EventID>
		<Version>1</Version>
		<Level>0</Level>
		<Task>12804</Task>
		<Opcode>0</Opcode>
		<Keywords>0x8020000000000000</Keywords>
		<TimeCreated SystemTime='2025-12-11T20:49:36.652845400Z'/>
		<EventRecordID>95763572</EventRecordID>
		<Correlation ActivityID='{d90ce5bb-f9ab-4033-9bf4-950c29e08567}'/>
		<Execution ProcessID='876' ThreadID='5452'/>
		<Channel>Security</Channel>
		<Computer>myserver01.mydomain.internal</Computer>
		<Security/>
	</System>
	<EventData>
		<Data Name='SubjectUserSid'>S-1-5-18</Data>
		<Data Name='SubjectUserName'>MYSERVER$</Data>
		<Data Name='SubjectDomainName'>MYDOMAIN</Data>
		<Data Name='SubjectLogonId'>0x3e7</Data>
		<Data Name='TaskName'>\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan</Data>
		<Data Name='TaskContent'>&lt;?xml version="1.0" encoding="UTF-16"?&gt;
&lt;Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;
  &lt;RegistrationInfo&gt;
    &lt;Description&gt;Periodic scan task.&lt;/Description&gt;
    &lt;URI&gt;\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan&lt;/URI&gt;
  &lt;/RegistrationInfo&gt;
  &lt;Triggers&gt;
    &lt;CalendarTrigger&gt;
      &lt;StartBoundary&gt;2000-01-01T04:55:09&lt;/StartBoundary&gt;
      &lt;EndBoundary&gt;2100-01-01T00:00:00&lt;/EndBoundary&gt;
      &lt;Enabled&gt;true&lt;/Enabled&gt;
      &lt;ScheduleByDay&gt;
        &lt;DaysInterval&gt;1&lt;/DaysInterval&gt;
      &lt;/ScheduleByDay&gt;
    &lt;/CalendarTrigger&gt;
  &lt;/Triggers&gt;
  &lt;Principals&gt;
    &lt;Principal id="LocalSystem"&gt;
      &lt;UserId&gt;S-1-5-18&lt;/UserId&gt;
      &lt;RunLevel&gt;HighestAvailable&lt;/RunLevel&gt;
    &lt;/Principal&gt;
  &lt;/Principals&gt;
  &lt;Settings&gt;
    &lt;MultipleInstancesPolicy&gt;IgnoreNew&lt;/MultipleInstancesPolicy&gt;
    &lt;DisallowStartIfOnBatteries&gt;true&lt;/DisallowStartIfOnBatteries&gt;
    &lt;StopIfGoingOnBatteries&gt;false&lt;/StopIfGoingOnBatteries&gt;
    &lt;AllowHardTerminate&gt;true&lt;/AllowHardTerminate&gt;
    &lt;StartWhenAvailable&gt;true&lt;/StartWhenAvailable&gt;
    &lt;RunOnlyIfNetworkAvailable&gt;false&lt;/RunOnlyIfNetworkAvailable&gt;
    &lt;IdleSettings&gt;
      &lt;Duration&gt;PT0H1M0S&lt;/Duration&gt;
      &lt;WaitTimeout&gt;PT4H0M0S&lt;/WaitTimeout&gt;
      &lt;StopOnIdleEnd&gt;false&lt;/StopOnIdleEnd&gt;
      &lt;RestartOnIdle&gt;false&lt;/RestartOnIdle&gt;
    &lt;/IdleSettings&gt;
    &lt;AllowStartOnDemand&gt;true&lt;/AllowStartOnDemand&gt;
    &lt;Enabled&gt;true&lt;/Enabled&gt;
    &lt;Hidden&gt;false&lt;/Hidden&gt;
    &lt;RunOnlyIfIdle&gt;true&lt;/RunOnlyIfIdle&gt;
    &lt;DisallowStartOnRemoteAppSession&gt;false&lt;/DisallowStartOnRemoteAppSession&gt;
    &lt;UseUnifiedSchedulingEngine&gt;true&lt;/UseUnifiedSchedulingEngine&gt;
    &lt;WakeToRun&gt;false&lt;/WakeToRun&gt;
    &lt;ExecutionTimeLimit&gt;PT72H&lt;/ExecutionTimeLimit&gt;
    &lt;Priority&gt;7&lt;/Priority&gt;
  &lt;/Settings&gt;
  &lt;Actions Context="LocalSystem"&gt;
    &lt;Exec&gt;
      &lt;Command&gt;C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25110.5-0\MpCmdRun.exe&lt;/Command&gt;
      &lt;Arguments&gt;Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob&lt;/Arguments&gt;
    &lt;/Exec&gt;
  &lt;/Actions&gt;
&lt;/Task&gt;</Data>
		<Data Name='ClientProcessStartKey'>19140298416329301</Data>
		<Data Name='ClientProcessId'>5696</Data>
		<Data Name='ParentProcessId'>856</Data>
		<Data Name='RpcCallClientLocality'>0</Data>
		<Data Name='FQDN'>myserver01.mydomain.internal</Data>
	</EventData>
</Event>

andrewj-t avatar Dec 13 '25 09:12 andrewj-t
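An added example to make the escaping point above concrete; it is not code from this thread, from the Azure-Sentinel repository, or from the ASIM parsers. Python is used instead of KQL so the two shapes of TaskContent can be run side by side offline: the event XML below is a constructed, trimmed copy of the 4698 event shape shown in the comment, and the namespace URIs are the standard ones from that output. Parsing the outer event with an XML parser decodes `&lt;` once (the form the WindowsEvent pipeline delivers), while lifting the text out of EventData without decoding it reproduces the still-escaped form reported for SecurityEvent; `normalize_task_content` accepts either before the inner Task XML is parsed for its Exec action.

```python
"""Parse a Windows Security 4698 (scheduled task created) event and pull the
Exec action out of the nested TaskContent XML, tolerating both the decoded and
the still-entity-escaped form.  Added example, not ASIM or Azure-Sentinel code."""
import html
import re
import xml.etree.ElementTree as ET

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed sample, trimmed from the shape wevtutil /f:xml prints.  Because the
# task definition is XML nested inside an XML text node, it is entity-escaped here.
SAMPLE_EVENT_XML = r"""<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <EventID>4698</EventID>
    <Computer>myserver01.mydomain.internal</Computer>
  </System>
  <EventData>
    <Data Name='SubjectUserName'>MYSERVER$</Data>
    <Data Name='TaskName'>\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan</Data>
    <Data Name='TaskContent'>&lt;?xml version="1.0" encoding="UTF-16"?&gt;
&lt;Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"&gt;
  &lt;Actions Context="LocalSystem"&gt;
    &lt;Exec&gt;
      &lt;Command&gt;C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.25110.5-0\MpCmdRun.exe&lt;/Command&gt;
      &lt;Arguments&gt;Scan -ScheduleJob -ScanTrigger 55 -IdleScheduledJob&lt;/Arguments&gt;
    &lt;/Exec&gt;
  &lt;/Actions&gt;
&lt;/Task&gt;</Data>
  </EventData>
</Event>"""


def normalize_task_content(raw: str) -> str:
    """Return TaskContent as real markup whichever form it arrived in.

    A parser that already decoded the outer event hands us '<?xml ...'; a
    pipeline that kept the raw text hands us '&lt;?xml ...'.  html.unescape is
    applied only while the text still looks escaped, and at most twice, so a
    doubly escaped value is handled without touching plain '&' characters in
    already-decoded markup."""
    text = raw.strip()
    for _ in range(2):
        if text.startswith("<"):
            break
        text = html.unescape(text)
    return text


def extract_exec_actions(task_content: str) -> list:
    """Parse the Task XML and return each <Exec> action as {command, arguments}."""
    text = normalize_task_content(task_content)
    # Drop the prolog: its encoding="UTF-16" claim is not true of a Python str,
    # and only the element content is needed.
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(text)
    actions = []
    for exec_el in root.iter(TASK_NS + "Exec"):
        cmd = exec_el.find(TASK_NS + "Command")
        args = exec_el.find(TASK_NS + "Arguments")
        actions.append({
            "command": (cmd.text or "").strip() if cmd is not None else "",
            "arguments": (args.text or "").strip() if args is not None else "",
        })
    return actions


def parse_4698(event_xml: str) -> dict:
    """Flatten a 4698 event into the fields an audit or detection rule keys on."""
    root = ET.fromstring(event_xml)  # this decode turns &lt; in Data text into <
    data = {d.get("Name"): (d.text or "") for d in root.iter(EVENT_NS + "Data")}
    return {
        "event_id": int(root.findtext(f"{EVENT_NS}System/{EVENT_NS}EventID")),
        "computer": root.findtext(f"{EVENT_NS}System/{EVENT_NS}Computer"),
        "actor": data.get("SubjectUserName", ""),
        "task_name": data.get("TaskName", ""),
        "actions": extract_exec_actions(data.get("TaskContent", "")),
    }


def escaped_task_content(event_xml: str) -> str:
    """Lift TaskContent out of the event text without XML-decoding it: the
    still-escaped shape the thread reports seeing in the SecurityEvent table."""
    m = re.search(r"<Data Name='TaskContent'>(.*?)</Data>", event_xml, re.S)
    return m.group(1) if m else ""


if __name__ == "__main__":
    parsed = parse_4698(SAMPLE_EVENT_XML)
    print(parsed["task_name"], "->", parsed["actions"])
    # Same result from the escaped form a raw EventData column would hand over.
    print(extract_exec_actions(escaped_task_content(SAMPLE_EVENT_XML)))
```

The bounded unescape loop is the part that matters for a parser that has to serve both tables: a connector that decodes EventData once and one that does not both end up at the same Command and Arguments fields, which is what a normalized schema such as ASimAuditEvent needs to key on.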

Thanks @andrewj-t for the comprehensive information. We will start with an ASIM fix. Changing security event might be a breaking change and needs to be handled carefully.

oshezaf avatar Dec 13 '25 22:12 oshezaf