id: ee50cfb3-9d10-4705-931e-77f8c4db8678
Function:
  Title: Parser for ForescoutEvent
  Version: '1.0.0'
  LastUpdated: '2023-08-23'
Category: Microsoft Sentinel Parser
FunctionName: ForescoutEvent
FunctionAlias: ForescoutEvent
FunctionQuery: |
    Syslog 
    | where ProcessName == ```ACTIONidentity```
    | extend EventVendor = 'Forescout'
    | extend EventProduct = 'Forescout'
    | extend EventName = extract(@'([^\.:]+).*', 1, SyslogMessage)
    | extend SrcIpAddr = extract(@'.*?(Source|Host):\s+?(\d+.\d+.\d+.\d+).*', 2, SyslogMessage)
    | extend DstIpAddr = extract(@'.*?(Destination|Target):\s+?(\d+.\d+.\d+.\d+).*', 2, SyslogMessage)
    | extend SrcUserUpn = extract(@'.*?mail_from=([^,]+).*', 1, SyslogMessage)
    | extend DstUserUpn = extract(@'.*?mail_to=([^,]+).*', 1, SyslogMessage)
    | extend EmailSubject = extract(@'.*?mail_subject=([^,]+).*', 1, SyslogMessage)
    | extend EventResultDetails = extract(@'.*?Reason:\s+?([^,]+).*', 1, SyslogMessage)
    | extend EventSchemaVersion = '0.1'
    | extend EventCount = 1
    | project-away SyslogMessage