{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "Workspace": {
      "type": "string",
      "metadata": {
        "description": "The Microsoft Sentinel workspace into which the function will be deployed. It must be in the selected Resource Group."
      }
    },
    "WorkspaceRegion": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The region of the selected workspace. The default value uses the Region selected above."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('Workspace'), '/vimFileEventMicrosoftSysmon')]",
      "location": "[parameters('WorkspaceRegion')]",
      "properties": {
        "etag": "*",
        "displayName": "File event ASIM filtering parser for Windows Sysmon",
        "category": "ASIM",
        "FunctionAlias": "vimFileEventMicrosoftSysmon",
        "query": "let parser = (\n  starttime: datetime=datetime(null),\n  endtime: datetime=datetime(null),\n  eventtype_in: dynamic=dynamic([]),\n  srcipaddr_has_any_prefix: dynamic=dynamic([]),\n  actorusername_has_any: dynamic=dynamic([]),\n  targetfilepath_has_any: dynamic=dynamic([]),\n  srcfilepath_has_any: dynamic=dynamic([]),\n  hashes_has_any: dynamic=dynamic([]),\n  dvchostname_has_any: dynamic=dynamic([]),\n  disabled: bool=false\n  ) {\n  // -- Event parser\n  let EventParser = () {\n  Event\n      | where not(disabled)\n      | where (isnull(starttime) or TimeGenerated >= starttime) \n          and (isnull(endtime) or TimeGenerated <= endtime)\n      | project\n          EventID,\n          EventData,\n          Computer,\n          TimeGenerated,\n          _ResourceId,\n          _SubscriptionId,\n          Source,\n          Type, \n          _ItemId \n      | where Source == \"Microsoft-Windows-Sysmon\" and EventID in (11, 23, 26)\n      | project-away Source\n      // pre-filtering\n      | where ((array_length(eventtype_in) == 0 or (iff (EventID == 11, 'FileCreated', 'FileDeleted') in~ (eventtype_in)))) and\n          (array_length(srcipaddr_has_any_prefix) == 0) and\n          ((array_length(srcfilepath_has_any) == 0)) and\n          ((array_length(dvchostname_has_any) == 0) or Computer has_any (dvchostname_has_any))\n      | parse-kv EventData as (\n          RuleName: string,\n          UtcTime: datetime, \n          ProcessGuid: string,\n          ProcessId: string,\n          Image: string,\n          User: string,\n          TargetFilename: string,\n          Hashes: string,\n          CreationUtcTime: datetime\n          )\n          with (regex=@'<Data Name=\"(\\w+)\">{?([^<]*?)}?</Data>')\n      | project-rename \n          ActingProcessGuid = ProcessGuid,\n          ActingProcessId = ProcessId,\n          ActorUsername = User,\n          ActingProcessName = Image,\n          TargetFileCreationTime=CreationUtcTime,\n          
TargetFilePath=TargetFilename,\n          EventStartTime=UtcTime\n      // Filter for ActorUsername and TargetFilePath\n      | where ((array_length(actorusername_has_any) == 0) or (ActorUsername has_any (actorusername_has_any))) and \n          ((array_length(targetfilepath_has_any) == 0) or (TargetFilePath has_any (targetfilepath_has_any)))\n      | project-away EventData\n};\n    EventParser \n    | project-rename\n        DvcHostname = Computer,\n        DvcScopeId = _SubscriptionId,\n        DvcId = _ResourceId\n    | extend\n        EventType=iff (EventID == 11, 'FileCreated', 'FileDeleted'),\n        EventProduct = 'Sysmon',\n        EventVendor = 'Microsoft',\n        EventSchema = 'FileEvent',\n        EventSchemaVersion = '0.2.1',\n        EventResult = 'Success',\n        EventSeverity = 'Informational',\n        DvcOs='Windows',\n        TargetFilePathType = 'Windows',\n        DvcIdType = iff (DvcId != \"\", \"AzureResourceId\", \"\"),\n        EventCount = int(1),\n        EventEndTime = EventStartTime,\n        EventOriginalType = tostring(EventID),\n        TargetFileName = tostring(split(TargetFilePath, '\\\\')[-1]),\n        ActorUsernameType = iff(isnotempty(ActorUsername), 'Windows', ''),\n        RuleName = iff (RuleName == \"-\", \"\", RuleName),\n        EventUid = _ItemId\n    | parse-kv Hashes as (\n        MD5: string,\n        SHA1: string,\n        IMPHASH: string,\n        SHA256: string\n        )\n    | project-rename\n        TargetFileMD5 = MD5,\n        TargetFileSHA1 = SHA1,\n        TargetFileIMPHASH = IMPHASH,\n        TargetFileSHA256 = SHA256\n    // Filter for hash\n    | where (array_length(hashes_has_any) == 0)\n        or (TargetFileMD5 has_any (hashes_has_any))\n        or (TargetFileSHA1 has_any (hashes_has_any))\n        or (TargetFileIMPHASH has_any (hashes_has_any))\n        or (TargetFileSHA256 has_any (hashes_has_any))\n    | extend\n        Hash=coalesce(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, 
TargetFileIMPHASH)\n    | extend\n        HashType = tostring(dynamic([\"SHA256\", \"SHA1\", \"MD5\", \"IMPHASH\"])[array_index_of(pack_array(TargetFileSHA256, TargetFileSHA1, TargetFileMD5, TargetFileIMPHASH), Hash)])\n    // -- Typed entity identifiers\n    | extend\n        ActorWindowsUsername = ActorUsername\n    // -- Aliases\n    | extend\n        Process = ActingProcessName,\n        Dvc = DvcHostname,\n        FilePath = TargetFilePath,\n        FileName = TargetFileName,\n        User = ActorUsername\n    | project-away EventID, Hashes,ActorWindowsUsername,TargetFileIMPHASH\n};\nparser (\n    starttime=starttime, \n    endtime=endtime, \n    eventtype_in=eventtype_in,\n    srcipaddr_has_any_prefix=srcipaddr_has_any_prefix,\n    actorusername_has_any=actorusername_has_any,\n    targetfilepath_has_any=targetfilepath_has_any,\n    srcfilepath_has_any=srcfilepath_has_any,\n    hashes_has_any=hashes_has_any,\n    dvchostname_has_any=dvchostname_has_any,\n    disabled=disabled\n)",
        "version": 1,
        "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),eventtype_in:dynamic=dynamic([]),srcipaddr_has_any_prefix:dynamic=dynamic([]),actorusername_has_any:dynamic=dynamic([]),targetfilepath_has_any:dynamic=dynamic([]),srcfilepath_has_any:dynamic=dynamic([]),hashes_has_any:dynamic=dynamic([]),dvchostname_has_any:dynamic=dynamic([]),disabled:bool=False"
      }
    }
  ]
}