
Commit 4ca9b3a

committed
[ASIM] Anthropic Claude Compliance - AgentEvent
1 parent bc7249c commit 4ca9b3a

18 files changed

Lines changed: 599 additions & 12 deletions
Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,89 @@
1+
{
2+
"Name": "BV_ClaudeCompliance_ComplianceActivities_CL",
3+
"Properties": [
4+
{
5+
"Name": "TimeGenerated",
6+
"Type": "datetime"
7+
},
8+
{
9+
"Name": "actor",
10+
"Type": "Object"
11+
},
12+
{
13+
"Name": "claude_artifact_id",
14+
"Type": "string"
15+
},
16+
{
17+
"Name": "claude_chat_id",
18+
"Type": "string"
19+
},
20+
{
21+
"Name": "claude_file_id",
22+
"Type": "string"
23+
},
24+
{
25+
"Name": "claude_project_id",
26+
"Type": "string"
27+
},
28+
{
29+
"Name": "created_at",
30+
"Type": "datetime"
31+
},
32+
{
33+
"Name": "filename",
34+
"Type": "string"
35+
},
36+
{
37+
"Name": "id_CF",
38+
"Type": "string"
39+
},
40+
{
41+
"Name": "organization_id",
42+
"Type": "string"
43+
},
44+
{
45+
"Name": "organization_uuid",
46+
"Type": "string"
47+
},
48+
{
49+
"Name": "request_body",
50+
"Type": "string"
51+
},
52+
{
53+
"Name": "request_id",
54+
"Type": "string"
55+
},
56+
{
57+
"Name": "request_method",
58+
"Type": "string"
59+
},
60+
{
61+
"Name": "status_code",
62+
"Type": "int"
63+
},
64+
{
65+
"Name": "type_CF",
66+
"Type": "string"
67+
},
68+
{
69+
"Name": "url",
70+
"Type": "string"
71+
},
72+
{
73+
"Name": "TenantId",
74+
"Type": "string"
75+
},
76+
{
77+
"Name": "Type",
78+
"Type": "string"
79+
},
80+
{
81+
"Name": "_ResourceId",
82+
"Type": "string"
83+
},
84+
{
85+
"Name": "_ItemId",
86+
"Type": "string"
87+
}
88+
]
89+
}
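Review bot: The `actor` column is declared with `"Type": "Object"` while every other entry uses a KQL scalar type name (`string`, `datetime`, `int`), and the parsers added in this commit run `evaluate bag_unpack(actor)` on it, which requires a `dynamic` column. If this file drives table creation or test ingestion, `"Type": "dynamic"` is presumably the intended value; worth confirming against whatever consumes this schema. Those parsers also read `user_id`, `ip_address`, `email_address` and `unauthenticated_email_address` after the unpack and pack a `user_agent` field, none of which appear here, so they must be keys inside `actor` — if `user_agent` is instead a top-level column of the table, it is missing from this list.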

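--- a/Parsers/ASimAgentEvent/ARM/ASimAgentEntity/ASimAgentEntity.json
+++ b/Parsers/ASimAgentEvent/ARM/ASimAgentEvent/ASimAgentEvent.json
@@ -27,7 +27,7 @@
 "displayName": "Agent Event ASIM parser",
 "category": "ASIM",
 "FunctionAlias": "ASimAgentEvent",
-"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAgentEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAgentEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAgentEventEmpty\n}; \nparser (pack=pack)",
+"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAgentEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser| where isnotempty(SourceSpecificParser));\nlet ASimBuiltInDisabled=toscalar('ExcludeASimAgentEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(pack:bool=false){\nunion isfuzzy=true\n vimAgentEventEmpty,\n ASimAgentEventAnthropicClaudeCompliance (disabled=(ASimBuiltInDisabled or ('ExcludeASimAgentEventAnthropicClaudeCompliance' in (DisabledParsers))), pack=pack)\n}; \nparser (pack=pack)",
 "version": 1,
 "functionParameters": "pack:bool=False"
 }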

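--- a/Parsers/ASimAgentEvent/ARM/ASimAgentEntity/README.md
+++ b/Parsers/ASimAgentEvent/ARM/ASimAgentEvent/README.md
@@ -14,8 +14,8 @@ For more information, see:
 - [ASIM AgentEvent normalization schema reference](https://aka.ms/ASimAgentEventDoc)
 
 For the changelog, see:
-- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAgentEvent/CHANGELOG/ASimAgentEntity.md)
+- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAgentEvent/CHANGELOG/ASimAgentEvent.md)
 
 <br>
 
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FASimAgentEntity%2FASimAgentEntity.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FASimAgentEntity%2FASimAgentEntity.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FASimAgentEvent%2FASimAgentEvent.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FASimAgentEvent%2FASimAgentEvent.json)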
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
3+
"contentVersion": "1.0.0.0",
4+
"parameters": {
5+
"Workspace": {
6+
"type": "string",
7+
"metadata": {
8+
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
9+
}
10+
},
11+
"WorkspaceRegion": {
12+
"type": "string",
13+
"defaultValue": "[resourceGroup().location]",
14+
"metadata": {
15+
"description": "The region of the selected workspace. The default value will use the Region selection above."
16+
}
17+
}
18+
},
19+
"resources": [
20+
{
21+
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
22+
"apiVersion": "2020-08-01",
23+
"name": "[concat(parameters('Workspace'), '/ASimAgentEventAnthropicClaudeCompliance')]",
24+
"location": "[parameters('WorkspaceRegion')]",
25+
"properties": {
26+
"etag": "*",
27+
"displayName": "Agent Event ASIM parser for Anthropic Claude Compliance",
28+
"category": "ASIM",
29+
"FunctionAlias": "ASimAgentEventAnthropicClaudeCompliance",
30+
"query": "let Parser = (\n disabled: bool=false,\n pack: bool=false\n)\n{\n BV_ClaudeCompliance_ComplianceActivities_CL\n | where not(disabled)\n | where type_CF != 'compliance_api_accessed' //filter out API requests for logs\n | project-rename\n EventStartTime = created_at,\n EventUid = _ItemId,\n EventOriginalUid = id_CF,\n EventType = type_CF\n | extend\n EventSchema = 'AgentEvent',\n EventSchemaVersion = '0.1.0',\n EventCount = toint(1),\n EventVendor = 'Anthropic',\n EventProduct = 'Claude Enterprise',\n TargetAgentId = coalesce(claude_project_id, claude_chat_id),\n EventEndTime = TimeGenerated\n | evaluate bag_unpack(actor)\n | project-rename\n ActorUserId = user_id,\n SrcIpAddr = ip_address\n | extend\n ActorUsername = coalesce(email_address, unauthenticated_email_address),\n ActorUsernameType = iff(isnotempty(coalesce(email_address, unauthenticated_email_address)), 'UPN', '')\n | extend AdditionalFields = iff (\n pack,\n bag_pack(\n 'request_id', request_id,\n 'request_method', request_method,\n 'status_code', status_code,\n 'url', url,\n 'claude_chat_id', claude_chat_id,\n 'claude_file_id', claude_file_id,\n 'claude_project_id', claude_project_id,\n 'user_agent', user_agent\n ),\n dynamic({})\n )\n | project\n TimeGenerated,\n Type,\n EventStartTime,\n EventEndTime,\n EventUid,\n EventOriginalUid,\n EventType,\n EventSchema,\n EventSchemaVersion,\n EventCount,\n EventVendor,\n EventProduct,\n TargetAgentId,\n ActorUserId,\n SrcIpAddr,\n ActorUsername,\n ActorUsernameType,\n AdditionalFields,\n EventResult = 'Success',\n Dvc = SrcIpAddr\n};\nParser\n(\n disabled = disabled,\n pack = pack\n) ",
31+
"version": 1,
32+
"functionParameters": "disabled:bool=False,pack:bool=False"
33+
}
34+
}
35+
]
36+
}
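Review bot: In the `query` string, `evaluate bag_unpack(actor)` followed by `project-rename ActorUserId = user_id, SrcIpAddr = ip_address` makes the parser's output schema depend on which keys happen to be present in `actor` for the rows in the queried window: if no row carries `user_id`, `ip_address`, `email_address` or `unauthenticated_email_address`, the rename or the later `coalesce` fails on an unknown column instead of yielding empty values, and a key inside `actor` whose name collides with an existing column (for example `url` or `request_id`) trips bag_unpack's default conflict handling. Extracting the fields explicitly gives a fixed schema regardless of the data: `| extend ActorUserId = tostring(actor.user_id), SrcIpAddr = tostring(actor.ip_address)` and `ActorUsername = coalesce(tostring(actor.email_address), tostring(actor.unauthenticated_email_address))`, with the `bag_unpack` and second `project-rename` steps removed (if `user_agent` also lives in `actor`, it needs the same treatment in the `bag_pack`). The same construction is in the vimAgentEventAnthropicClaudeCompliance query later in this commit.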
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
# Anthropic Claude Compliance ASIM AgentEvent Normalization Parser
2+
3+
ARM template for ASIM AgentEvent schema parser for Anthropic Claude Compliance.
4+
5+
This ASIM parser supports normalizing the Anthropic Claude Compliance logs (via Codeless Connector Framework by BlueVoyant) to the ASIM Agent normalized schema.
6+
7+
8+
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
9+
10+
For more information, see:
11+
12+
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
13+
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
14+
- [ASIM AgentEvent normalization schema reference](https://aka.ms/ASimAgentEventDoc)
15+
16+
For the changelog, see:
17+
- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAgentEvent/CHANGELOG/ASimAgentEventAnthropicClaudeCompliance.md)
18+
19+
<br>
20+
21+
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FASimAgentEventAnthropicClaudeCompliance%2FASimAgentEventAnthropicClaudeCompliance.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FASimAgentEventAnthropicClaudeCompliance%2FASimAgentEventAnthropicClaudeCompliance.json)

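--- a/Parsers/ASimAgentEvent/ARM/FullDeploymentAgentEvent.json
+++ b/Parsers/ASimAgentEvent/ARM/FullDeploymentAgentEvent.json
@@ -21,11 +21,31 @@
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",
-"name": "linkedASimAgentEntity",
+"name": "linkedASimAgentEvent",
 "properties": {
 "mode": "Incremental",
 "templateLink": {
-"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAgentEvent/ARM/ASimAgentEntity/ASimAgentEntity.json",
+"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAgentEvent/ARM/ASimAgentEvent/ASimAgentEvent.json",
+"contentVersion": "1.0.0.0"
+},
+"parameters": {
+"Workspace": {
+"value": "[parameters('Workspace')]"
+},
+"WorkspaceRegion": {
+"value": "[parameters('WorkspaceRegion')]"
+}
+}
+}
+},
+{
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2020-10-01",
+"name": "linkedASimAgentEventAnthropicClaudeCompliance",
+"properties": {
+"mode": "Incremental",
+"templateLink": {
+"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAgentEvent/ARM/ASimAgentEventAnthropicClaudeCompliance/ASimAgentEventAnthropicClaudeCompliance.json",
 "contentVersion": "1.0.0.0"
 },
 "parameters": {
@@ -58,6 +78,26 @@
 }
 }
 },
+{
+"type": "Microsoft.Resources/deployments",
+"apiVersion": "2020-10-01",
+"name": "linkedvimAgentEventAnthropicClaudeCompliance",
+"properties": {
+"mode": "Incremental",
+"templateLink": {
+"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAgentEvent/ARM/vimAgentEventAnthropicClaudeCompliance/vimAgentEventAnthropicClaudeCompliance.json",
+"contentVersion": "1.0.0.0"
+},
+"parameters": {
+"Workspace": {
+"value": "[parameters('Workspace')]"
+},
+"WorkspaceRegion": {
+"value": "[parameters('WorkspaceRegion')]"
+}
+}
+}
+},
 {
 "type": "Microsoft.Resources/deployments",
 "apiVersion": "2020-10-01",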

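--- a/Parsers/ASimAgentEvent/ARM/imAgentEvent/imAgentEvent.json
+++ b/Parsers/ASimAgentEvent/ARM/imAgentEvent/imAgentEvent.json
@@ -27,7 +27,7 @@
 "displayName": "Agent Event ASIM filtering parser",
 "category": "ASIM",
 "FunctionAlias": "imAgentEvent",
-"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAgentEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAgentEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n agentid_has_any: dynamic=dynamic([]),\n agentname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAgentEventEmpty\n};\nparser (starttime=starttime, endtime=endtime, agentid_has_any=agentid_has_any, agentname_has_any=agentname_has_any, username_has_any=username_has_any, pack=pack)",
+"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeimAgentEvent') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser | where isnotempty(SourceSpecificParser));\nlet vimBuiltInDisabled=toscalar('ExcludevimAgentEvent' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nlet parser=(\n starttime: datetime=datetime(null), \n endtime: datetime=datetime(null), \n agentid_has_any: dynamic=dynamic([]),\n agentname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n pack:bool=false)\n{\nunion isfuzzy=true\n vimAgentEventEmpty,\n vimAgentEventAnthropicClaudeCompliance (starttime=starttime, endtime=endtime, agentid_has_any=agentid_has_any, agentname_has_any=agentname_has_any, username_has_any=username_has_any, disabled=(vimBuiltInDisabled or ('ExcludevimAgentEventAnthropicClaudeCompliance' in (DisabledParsers))), pack=pack)\n};\nparser (starttime=starttime, endtime=endtime, agentid_has_any=agentid_has_any, agentname_has_any=agentname_has_any, username_has_any=username_has_any, pack=pack)",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),agentid_has_any:dynamic=dynamic([]),agentname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),pack:bool=False"
 }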
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
# Anthropic Claude Compliance ASIM AgentEvent Normalization Parser
2+
3+
ARM template for ASIM AgentEvent schema parser for Anthropic Claude Compliance.
4+
5+
This ASIM parser supports normalizing the Anthropic Claude Compliance logs (via Codeless Connector Framework by BlueVoyant) to the ASIM Agent normalized schema.
6+
7+
8+
The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.
9+
10+
For more information, see:
11+
12+
- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
13+
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
14+
- [ASIM AgentEvent normalization schema reference](https://aka.ms/ASimAgentEventDoc)
15+
16+
For the changelog, see:
17+
- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAgentEvent/CHANGELOG/vimAgentEventAnthropicClaudeCompliance.md)
18+
19+
<br>
20+
21+
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FvimAgentEventAnthropicClaudeCompliance%2FvimAgentEventAnthropicClaudeCompliance.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAgentEvent%2FARM%2FvimAgentEventAnthropicClaudeCompliance%2FvimAgentEventAnthropicClaudeCompliance.json)
Lines changed: 36 additions & 0 deletions
@@ -0,0 +1,36 @@
1+
{
2+
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
3+
"contentVersion": "1.0.0.0",
4+
"parameters": {
5+
"Workspace": {
6+
"type": "string",
7+
"metadata": {
8+
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
9+
}
10+
},
11+
"WorkspaceRegion": {
12+
"type": "string",
13+
"defaultValue": "[resourceGroup().location]",
14+
"metadata": {
15+
"description": "The region of the selected workspace. The default value will use the Region selection above."
16+
}
17+
}
18+
},
19+
"resources": [
20+
{
21+
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
22+
"apiVersion": "2020-08-01",
23+
"name": "[concat(parameters('Workspace'), '/vimAgentEventAnthropicClaudeCompliance')]",
24+
"location": "[parameters('WorkspaceRegion')]",
25+
"properties": {
26+
"etag": "*",
27+
"displayName": "Agent Event ASIM parser for Anthropic Claude Compliance",
28+
"category": "ASIM",
29+
"FunctionAlias": "vimAgentEventAnthropicClaudeCompliance",
30+
"query": "let Parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n agentid_has_any: dynamic=dynamic([]),\n agentname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n disabled: bool=false,\n pack: bool=false\n)\n{\n BV_ClaudeCompliance_ComplianceActivities_CL\n | where not(disabled)\n | where (\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n // AgentID filtering done later in the parser\n // AgentName detail not available in this parser.\n // Username filtering done later in the parser\n )\n | where type_CF != 'compliance_api_accessed' //filter out API requests for logs\n | project-rename\n EventStartTime = created_at,\n EventUid = _ItemId,\n EventOriginalUid = id_CF,\n EventType = type_CF\n | extend\n EventSchema = 'AgentEvent',\n EventSchemaVersion = '0.1.0',\n EventCount = toint(1),\n EventVendor = 'Anthropic',\n EventProduct = 'Claude Enterprise',\n TargetAgentId = coalesce(claude_project_id, claude_chat_id),\n EventEndTime = TimeGenerated\n | where ((array_length(agentid_has_any) == 0) or (TargetAgentId has_any (agentid_has_any)))\n | evaluate bag_unpack(actor)\n | project-rename\n ActorUserId = user_id,\n SrcIpAddr = ip_address\n | extend\n ActorUsername = coalesce(email_address, unauthenticated_email_address),\n ActorUsernameType = iff(isnotempty(coalesce(email_address, unauthenticated_email_address)), 'UPN', '')\n | where ((array_length(username_has_any) == 0) or (ActorUsername has_any (username_has_any)))\n | extend AdditionalFields = iff (\n pack,\n bag_pack(\n 'request_id', request_id,\n 'request_method', request_method,\n 'status_code', status_code,\n 'url', url,\n 'claude_chat_id', claude_chat_id,\n 'claude_file_id', claude_file_id,\n 'claude_project_id', claude_project_id,\n 'user_agent', user_agent\n ),\n dynamic({})\n )\n | project\n TimeGenerated,\n Type,\n EventStartTime,\n EventEndTime,\n EventUid,\n EventOriginalUid,\n EventType,\n 
EventSchema,\n EventSchemaVersion,\n EventCount,\n EventVendor,\n EventProduct,\n TargetAgentId,\n ActorUserId,\n SrcIpAddr,\n ActorUsername,\n ActorUsernameType,\n AdditionalFields,\n EventResult = 'Success',\n Dvc = SrcIpAddr\n};\nParser(\n starttime = starttime,\n endtime = endtime,\n agentid_has_any = agentid_has_any,\n agentname_has_any = agentname_has_any,\n username_has_any = username_has_any,\n disabled = disabled,\n pack = pack\n)",
31+
"version": 1,
32+
"functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),agentid_has_any:dynamic=dynamic([]),agentname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False"
33+
}
34+
}
35+
]
36+
}
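Review bot: `EventResult = 'Success'` in the final `project` of the `query` string is fixed even though `status_code` is present on every row and is only carried into `AdditionalFields`; if the compliance API records rejected or failed requests with non-2xx codes, those rows are normalized as successes, which hides exactly the events a detection over this schema would look for. A derivation such as `EventResult = iff(status_code >= 400, 'Failure', 'Success')` would keep the field meaningful — confirm the meaning of `status_code` against the source documentation first. The ASimAgentEventAnthropicClaudeCompliance query earlier in this commit hard-codes the same value. `Dvc = SrcIpAddr` would also benefit from a short comment in the query explaining why the actor's source address stands in for the reporting device, since the two are distinct concepts in ASIM.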
