ASIM Authentication Parser for VMware ESXi #13989
SpeedyFireCyclone wants to merge 13 commits into Azure:master from
Conversation
🔒 Security Approval Required This fork PR requires manual approval before automated testing can run. For security, a maintainer must:
Note: If new commits are added later, simply remove and re-add the 🤖 Automated security check • Created: 2026-04-03T12:06:10.060Z
Hi @SpeedyFireCyclone,
It looks like KQL validation is failing because AVSSyslog and AVSEsxiSyslog are not recognized as tables. You will need to add those tables in .script/tests/KqlvalidationsTests/CustomTables/ similar to what I did here: https://github.com/Azure/Azure-Sentinel/blob/master/.script/tests/KqlvalidationsTests/CustomTables/AVSVcSyslog.json
| ), | ||
| EventType = "Logon", | ||
| EventSubType = "Remote", | ||
| EventResultDetails = extract(@"@[\d.]+: (.+)$", 1, SyslogMessage), |
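Review bot: the `@[\d.]+: (.+)$` pattern on the EventResultDetails line only matches a dotted-decimal IPv4 source after the `@`, so a hostd message with an IPv6 address or hostname in that position leaves EventResultDetails empty; a looser source token such as `@\S+?: (.+)$` avoids the silent drop. Independently of the match, what this captures is the raw message tail, which the ASIM authentication schema expects in EventOriginalResultDetails, with EventResultDetails set to one of the schema's enumerated values rather than free text.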
Another customer previewed this parser and found that this should be mapped to EventOriginalResultDetails. Then EventOriginalResultDetails should be mapped to one of the enums provided in this link for EventResultDetails: https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-authentication#common-fields-with-specific-guidelines
| OperationId = extract(@"opID=([^\s\]]+)", 1, SyslogMessage), | ||
| SessionIdShort = extract(@"sid=([a-f0-9]+)", 1, SyslogMessage) | ||
| | where isnotempty(TargetUsername) | ||
| // Hostd double-logs each auth failure: once as "Rejected password" (PAM) and once as "Cannot login" (Event Manager), typically within 35-300ms of each other. |
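Review bot: the comment on the last line limits the double-logging to auth failures, yet the only filter visible ahead of the dedup is `where isnotempty(TargetUsername)`, so the dedup that follows should be scoped to `EventResult == "Failure"` rows; applied to successes it collapses distinct logons by the same user in the same second. Separately, `sid=([a-f0-9]+)` on the SessionIdShort line stops at the first uppercase hex digit; `[A-Fa-f0-9]+` is safer if hostd ever emits mixed-case session ids.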
A further issue concerns the deduplication logic that causes an inconsistency in event count.
The parser applies a 1-second deduplication window to all Hostd events, but the comment in the code itself specifies that this logic is intended exclusively for failures.
By applying the same window to Successes as well, the parser collapses legitimate events such as consecutive API calls by the same user within the same second. Verifying against real logs over a 24-hour time window, out of 57 raw "Accepted password" events, the parser only produces 33, with 24 confirmed lost events verified through direct analysis queries.
Perhaps it may be best to apply this dedupe to only failure events or to remove the dedupe logic.
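One way to scope the window the way the comment above suggests, as an added KQL illustration that is not the PR's parser code. It assumes the preceding parser stage has already produced ASIM columns TimeGenerated, EventResult, TargetUsername, SrcIpAddr and EventOriginalResultDetails (the `parsed` datatable below stands in for that output with constructed rows).

```kql
// Constructed sample rows standing in for the parser's normalized output.
// Rows 1-2 are the PAM + Event Manager pair for one failed logon (80 ms apart);
// rows 3-4 are two genuine API logons by the same user within one second.
let parsed = datatable(TimeGenerated:datetime, EventResult:string, TargetUsername:string,
                       SrcIpAddr:string, EventOriginalResultDetails:string) [
    datetime(2026-04-01 10:00:00.100), "Failure", "root",  "10.0.0.5", "Rejected password",
    datetime(2026-04-01 10:00:00.180), "Failure", "root",  "10.0.0.5", "Cannot login",
    datetime(2026-04-01 10:00:05.000), "Success", "admin", "10.0.0.7", "Accepted password",
    datetime(2026-04-01 10:00:05.400), "Success", "admin", "10.0.0.7", "Accepted password"
];
// Failures only: keep the earliest record per user/source within a 1-second bucket,
// which collapses the hostd double-log into a single ASIM event.
let failures = parsed
    | where EventResult == "Failure"
    | summarize arg_min(TimeGenerated, *) by TargetUsername, SrcIpAddr, Bucket = bin(TimeGenerated, 1s)
    | project-away Bucket;
// Successes: no dedup, every accepted logon is a distinct event.
let successes = parsed
    | where EventResult != "Failure";
// Expected result: 3 rows (1 failure, 2 successes) instead of 2 with a blanket window.
union failures, successes
| order by TimeGenerated asc
```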
