Inlcude AlertEvent Parsers for ASIM Validations

Azure · Nov 27, 2024 · fdf7380 · fdf7380
1 parent 5a4dbd2
commit fdf7380
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/.script/tests/asimParsersTest/ASimFilteringTest.py b/.script/tests/asimParsersTest/ASimFilteringTest.py
@@ -817,6 +817,20 @@ def send_query(self, query_str):
 
 # For each schema supported by the test there is a mapping between each of the schema's parameter to the column that the parameter filters.
 all_schemas_parameters = {
+    "AlertEvent" :
+    {
+		"ipaddr_has_any_prefix" : "DvcIpAddr",
+        "disabled" : "",
+        "endtime" : "EventEndTime",
+        "hostname_has_any" : "DvcHostname",
+		"username_has_any" : "Username",
+        "attacktactics_has_any" : "AttackTactics",
+        "attacktechniques_has_any" : "AttackTechniques",
+        "threatcategory_has_any" : "ThreatCategory",
+        "alertverdict_has_any" : "AlertVerdict",
+        "starttime" : "EventStartTime",
+        "eventseverity_has_any": "EventSeverity"
+    },
     "AuditEvent" :
     {
 		"actorusername_has_any" : "ActorUsername",

diff --git a/.script/tests/asimParsersTest/VerifyASimParserTemplate.py b/.script/tests/asimParsersTest/VerifyASimParserTemplate.py
@@ -15,6 +15,7 @@
 # Sentinel Repo URL
 SentinelRepoUrl = f"https://github.com/Azure/Azure-Sentinel.git"
 SCHEMA_INFO = [
+    {"SchemaName": "AlertEvent", "SchemaVersion": "0.1", "SchemaTitle":"ASIM Alert Event Schema", "SchemaLink": "https://aka.ms/ASimAlertEventDoc"},
     {"SchemaName": "AuditEvent", "SchemaVersion": "0.1", "SchemaTitle":"ASIM Audit Event Schema", "SchemaLink": "https://aka.ms/ASimAuditEventDoc"},
     {"SchemaName": "Authentication", "SchemaVersion": "0.1.3","SchemaTitle":"ASIM Authentication Schema","SchemaLink": "https://aka.ms/ASimAuthenticationDoc"},
     {"SchemaName": "Dns", "SchemaVersion": "0.1.7", "SchemaTitle":"ASIM Dns Schema","SchemaLink": "https://aka.ms/ASimDnsDoc"},