Merge pull request #10994 from illumio-shield/illumio-sentinel-m2

M2: ASIM Parsers, connector optimizations/enhancements
Azure · Oct 17, 2024 · 3bca631 · 3bca631
2 parents 3a87bd7 + 726c950
commit 3bca631
Show file tree

Hide file tree

Showing 45 changed files with 3,200 additions and 341 deletions.
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Auditable_Events_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Auditable_Events_CL.json
@@ -44,6 +44,14 @@
  {
  "name": "version",
  "type": "int"
+ },
+ {
+ "name": "TenantId",
+ "type": "String"
+ },
+ {
+ "Name": "_ItemId",
+ "Type": "String"
  }
  ]
 }
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Flow_Events_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/Illumio_Flow_Events_CL.json
@@ -45,6 +45,10 @@
  "name": "un",
  "type": "string"
  },
+ {
+ "name": "sn",
+ "type": "string"
+ }, 
  {
  "name": "src_ip",
  "type": "string"
@@ -128,6 +132,18 @@
  {
  "name": "version",
  "type": "int"
- }
+ },
+ {
+ "name": "icmp_type",
+ "type": "int"
+ }, 
+ {
+ "name": "TenantId",
+ "type": "String"
+ },
+ {
+ "Name": "_ItemId",
+ "Type": "String"
+ } 
  ]
 }
diff --git a/ASIM/dev/ASimTester/ASimTester.csv b/ASIM/dev/ASimTester/ASimTester.csv
@@ -547,13 +547,13 @@ EventOwner,string,Optional,ProcessEvent,,,
 EventOwner,string,Optional,RegistryEvent,,,
 EventOwner,string,Optional,UserManagement,,,
 EventOwner,string,Optional,WebSession,,,
-EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace,
-EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud|BloxOne,
+EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace|Core,
+EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud|BloxOne|Core,
 EventProduct,string,Mandatory,Common,,,
 EventProduct,string,Mandatory,DhcpEvent,,BloxOne,
 EventProduct,string,Mandatory,FileEvent,Enumerated,Security Events|Sysmon for Linux|Sysmon|M365 Defender for Endpoint|Azure File Storage|SharePoint|OneDrive|SentinelOne|Carbon Black Cloud|Workspace,
 EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate|BloxOne,
-EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake,
+EventProduct,string,Mandatory,NetworkSession,Enumerated,Fortigate|IOS|ISE|SDP|Vectra Stream|NSGFlow|Fireware|VPC|Azure Defender for IoT|Azure Firewall|M365 Defender for Endpoint|Sysmon|Sysmon for Linux|Windows Firewall|WireData|ZIA Firewall|CDL|PanOS|VMConnection|Meraki|Zeek|Firewall|ASA|Cynerio|SentinelOne|WAF|Firepower|FalconHost|Carbon Black Cloud|Cortex Data Lake|Core,
 EventProduct,string,Mandatory,ProcessEvent,Enumerated,M365 Defender for Endpoint|Sysmon for Linux|Sysmon|Azure Defender for IoT|Security Events|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,RegistryEvent,Enumerated,M365 Defender for Endpoint|Security Events|Sysmon|Windows Event|SentinelOne|Carbon Black Cloud|Vision One,
 EventProduct,string,Mandatory,WebSession,Enumerated,IIS|Squid Proxy|ZIA Proxy|Vectra Stream|PanOS|CDL|Fireware|Meraki|Web Security Gateway|Zeek|Dataminr Pulse|HTTP Server|Fortigate|WAF|ASM|NetScaler|Firepower|Cortex Data Lake|Firewall,
@@ -677,13 +677,13 @@ EventUid,string,Recommended,ProcessEvent,,,
 EventUid,string,Recommended,RegistryEvent,,,
 EventUid,string,Recommended,UserManagement,,,
 EventUid,string,Recommended,WebSession,,,
-EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne|CrowdStrike|VMware|Google,
-EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware|Infoblox,
+EventVendor,string,Mandatory,Authentication,Enumerated,Salesforce|AWS|Barracuda|Cisco|Microsoft|Okta|PostgreSQL|OpenBSD|Linux|Vectra|SentinelOne|CrowdStrike|VMware|Google|Illumio,
+EventVendor,string,Mandatory,AuditEvent,Enumerated,Microsoft|AWS|Barracuda|Cisco|Dataminr|Vectra|CrowdStrike|SentinelOne|VMware|Infoblox|Illumio,
 EventVendor,string,Mandatory,Common,,,
 EventVendor,string,Mandatory,DhcpEvent,,Infoblox,
 EventVendor,string,Mandatory,FileEvent,Enumerated,Microsoft|SentinelOne|VMware|Google,
 EventVendor,string,Mandatory,Dns,Enumerated,Cisco|Corelight|GCP|Infoblox|Microsoft|Zscaler|Vectra AI|SentinelOne|Fortinet,
-EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall,
+EventVendor,string,Mandatory,NetworkSession,Enumerated,Fortinet|AppGate|Barracuda|Palo Alto|Microsoft|Zscaler|AWS|Vectra AI|WatchGuard|Cisco|Corelight|Check Point|Forcepoint|Cynerio|SentinelOne|CrowdStrike|VMware|SonicWall|Illumio,
 EventVendor,string,Mandatory,ProcessEvent,Enumerated,Microsoft|SentinelOne|VMware|TrendMicro,
 EventVendor,string,Mandatory,WebSession,Enumerated,Apache|Barracuda|Fortinet|Microsoft|Squid|Zscaler|Vectra AI|Palo Alto|WatchGuard|Cisco|Forcepoint|Corelight|Dataminr|Citrix|F5|SonicWall,
 EventVendor,string,Mandatory,UserManagement,Enumerated,Microsoft|Linux|Cisco|SentinelOne,

diff --git a/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml b/Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
@@ -33,6 +33,7 @@ Parsers:
  - _ASim_AuditEvent_SentinelOne
  - _ASim_AuditEvent_VMwareCarbonBlackCloud
  - _ASim_AuditEvent_InfobloxBloxOne
+ - _ASim_AuditEvent_IllumioSaaSCore
 ParserParams:
  - Name: pack
  Type: bool
@@ -56,5 +57,6 @@ ParserQuery: |
  ASimAuditEventSentinelOne (BuiltInDisabled or ('ExcludeASimAuditEventSentinelOne' in (DisabledParsers))),
  ASimAuditEventCrowdStrikeFalconHost(BuiltInDisabled or ('ExcludeASimAuditEventCrowdStrikeFalconHost' in (DisabledParsers))),
  ASimAuditEventVMwareCarbonBlackCloud(BuiltInDisabled or ('ExcludeASimAuditEventVMwareCarbonBlackCloud' in (DisabledParsers))),
- ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers)))
+ ASimAuditEventInfobloxBloxOne(BuiltInDisabled or ('ExcludeASimAuditEventInfobloxBloxOne' in (DisabledParsers))),
+ ASimAuditEventIllumioSaaSCore(BuiltInDisabled or ('ExcludeASimAuditEventIllumioSaaSCore' in (DisabledParsers)))