
Commit a4e21b9

committed
address copilot comments
1 parent 4ca9b3a commit a4e21b9

5 files changed

Lines changed: 123 additions & 109 deletions


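--- a/Parsers/ASimAgentEvent/ARM/ASimAgentEventAnthropicClaudeCompliance/ASimAgentEventAnthropicClaudeCompliance.json
+++ b/Parsers/ASimAgentEvent/ARM/ASimAgentEventAnthropicClaudeCompliance/ASimAgentEventAnthropicClaudeCompliance.json
@@ -27,7 +27,7 @@
 "displayName": "Agent Event ASIM parser for Anthropic Claude Compliance",
 "category": "ASIM",
 "FunctionAlias": "ASimAgentEventAnthropicClaudeCompliance",
-"query": "let Parser = (\n disabled: bool=false,\n pack: bool=false\n)\n{\n BV_ClaudeCompliance_ComplianceActivities_CL\n | where not(disabled)\n | where type_CF != 'compliance_api_accessed' //filter out API requests for logs\n | project-rename\n EventStartTime = created_at,\n EventUid = _ItemId,\n EventOriginalUid = id_CF,\n EventType = type_CF\n | extend\n EventSchema = 'AgentEvent',\n EventSchemaVersion = '0.1.0',\n EventCount = toint(1),\n EventVendor = 'Anthropic',\n EventProduct = 'Claude Enterprise',\n TargetAgentId = coalesce(claude_project_id, claude_chat_id),\n EventEndTime = TimeGenerated\n | evaluate bag_unpack(actor)\n | project-rename\n ActorUserId = user_id,\n SrcIpAddr = ip_address\n | extend\n ActorUsername = coalesce(email_address, unauthenticated_email_address),\n ActorUsernameType = iff(isnotempty(coalesce(email_address, unauthenticated_email_address)), 'UPN', '')\n | extend AdditionalFields = iff (\n pack,\n bag_pack(\n 'request_id', request_id,\n 'request_method', request_method,\n 'status_code', status_code,\n 'url', url,\n 'claude_chat_id', claude_chat_id,\n 'claude_file_id', claude_file_id,\n 'claude_project_id', claude_project_id,\n 'user_agent', user_agent\n ),\n dynamic({})\n )\n | project\n TimeGenerated,\n Type,\n EventStartTime,\n EventEndTime,\n EventUid,\n EventOriginalUid,\n EventType,\n EventSchema,\n EventSchemaVersion,\n EventCount,\n EventVendor,\n EventProduct,\n TargetAgentId,\n ActorUserId,\n SrcIpAddr,\n ActorUsername,\n ActorUsernameType,\n AdditionalFields,\n EventResult = 'Success',\n Dvc = SrcIpAddr\n};\nParser\n(\n disabled = disabled,\n pack = pack\n) ",
+"query": "let Parser = (\n disabled: bool=false,\n pack: bool=false\n)\n{\n BV_ClaudeCompliance_ComplianceActivities_CL\n | where not(disabled)\n | where type_CF != 'compliance_api_accessed' //filter out API requests for logs\n | project-rename\n EventStartTime = created_at,\n EventUid = _ItemId,\n EventOriginalUid = id_CF,\n EventType = type_CF\n | extend\n EventSchema = 'AgentEvent',\n EventSchemaVersion = '0.1.0',\n EventCount = toint(1),\n EventVendor = 'Anthropic',\n EventProduct = 'Claude Enterprise',\n TargetAgentId = coalesce(claude_project_id, claude_chat_id, claude_file_id),\n EventEndTime = TimeGenerated\n | evaluate bag_unpack(actor)\n | project-rename\n ActorUserId = user_id,\n SrcIpAddr = ip_address\n | extend\n ActorUsername = coalesce(email_address, unauthenticated_email_address),\n ActorUsernameType = iff(isnotempty(coalesce(email_address, unauthenticated_email_address)), 'UPN', '')\n | extend AdditionalFields = iff (\n pack,\n bag_pack(\n 'request_id', request_id,\n 'request_method', request_method,\n 'status_code', status_code,\n 'url', url,\n 'claude_chat_id', claude_chat_id,\n 'claude_file_id', claude_file_id,\n 'claude_project_id', claude_project_id,\n 'user_agent', user_agent,\n 'status_code', status_code\n ),\n dynamic({})\n )\n | project\n TimeGenerated,\n Type,\n EventStartTime,\n EventEndTime,\n EventUid,\n EventOriginalUid,\n EventType,\n EventSchema,\n EventSchemaVersion,\n EventCount,\n EventVendor,\n EventProduct,\n TargetAgentId,\n ActorUserId,\n SrcIpAddr,\n ActorUsername,\n ActorUsernameType,\n AdditionalFields,\n EventResult = case(\n status_code >= 200 and status_code < 300, 'Success',\n status_code >= 400 and status_code < 500, 'Failure',\n status_code >= 500, 'Failure',\n isempty(status_code), '',\n ''\n ),\n Dvc = SrcIpAddr\n};\nParser\n(\n disabled = disabled,\n pack = pack\n) ",
 "version": 1,
 "functionParameters": "disabled:bool=False,pack:bool=False"
 }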
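Review bot: The `'status_code', status_code` pair appended after `'user_agent', user_agent,` in the new query duplicates the `'status_code', status_code,` entry already present three positions earlier in the same bag_pack, so the key is packed twice for no effect; drop the appended pair (and the comma it required) here and in the matching change in the vim ARM template and both YAML parsers in this commit. The new `EventResult = case(...)` also leaves 1xx and 3xx responses in the final `''` branch, and an empty string is not one of the ASIM EventResult enumeration values (Success, Partial, Failure, NA), so downstream content that filters on EventResult will silently skip those rows; a single-line form such as `EventResult = case(status_code >= 200 and status_code < 400, 'Success', status_code >= 400, 'Failure', 'NA')` covers every range and removes the `isempty(status_code), ''` branch, which is redundant with the default. The numeric comparisons assume `status_code` is an integer column in BV_ClaudeCompliance_ComplianceActivities_CL; if the table stores it as a string a `toint()` would be needed, which is worth confirming against the table schema.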

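--- a/Parsers/ASimAgentEvent/ARM/vimAgentEventAnthropicClaudeCompliance/vimAgentEventAnthropicClaudeCompliance.json
+++ b/Parsers/ASimAgentEvent/ARM/vimAgentEventAnthropicClaudeCompliance/vimAgentEventAnthropicClaudeCompliance.json
@@ -27,7 +27,7 @@
 "displayName": "Agent Event ASIM parser for Anthropic Claude Compliance",
 "category": "ASIM",
 "FunctionAlias": "vimAgentEventAnthropicClaudeCompliance",
-"query": "let Parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n agentid_has_any: dynamic=dynamic([]),\n agentname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n disabled: bool=false,\n pack: bool=false\n)\n{\n BV_ClaudeCompliance_ComplianceActivities_CL\n | where not(disabled)\n | where (\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n // AgentID filtering done later in the parser\n // AgentName detail not available in this parser.\n // Username filtering done later in the parser\n )\n | where type_CF != 'compliance_api_accessed' //filter out API requests for logs\n | project-rename\n EventStartTime = created_at,\n EventUid = _ItemId,\n EventOriginalUid = id_CF,\n EventType = type_CF\n | extend\n EventSchema = 'AgentEvent',\n EventSchemaVersion = '0.1.0',\n EventCount = toint(1),\n EventVendor = 'Anthropic',\n EventProduct = 'Claude Enterprise',\n TargetAgentId = coalesce(claude_project_id, claude_chat_id),\n EventEndTime = TimeGenerated\n | where ((array_length(agentid_has_any) == 0) or (TargetAgentId has_any (agentid_has_any)))\n | evaluate bag_unpack(actor)\n | project-rename\n ActorUserId = user_id,\n SrcIpAddr = ip_address\n | extend\n ActorUsername = coalesce(email_address, unauthenticated_email_address),\n ActorUsernameType = iff(isnotempty(coalesce(email_address, unauthenticated_email_address)), 'UPN', '')\n | where ((array_length(username_has_any) == 0) or (ActorUsername has_any (username_has_any)))\n | extend AdditionalFields = iff (\n pack,\n bag_pack(\n 'request_id', request_id,\n 'request_method', request_method,\n 'status_code', status_code,\n 'url', url,\n 'claude_chat_id', claude_chat_id,\n 'claude_file_id', claude_file_id,\n 'claude_project_id', claude_project_id,\n 'user_agent', user_agent\n ),\n dynamic({})\n )\n | project\n TimeGenerated,\n Type,\n EventStartTime,\n EventEndTime,\n EventUid,\n EventOriginalUid,\n EventType,\n EventSchema,\n EventSchemaVersion,\n EventCount,\n EventVendor,\n EventProduct,\n TargetAgentId,\n ActorUserId,\n SrcIpAddr,\n ActorUsername,\n ActorUsernameType,\n AdditionalFields,\n EventResult = 'Success',\n Dvc = SrcIpAddr\n};\nParser(\n starttime = starttime,\n endtime = endtime,\n agentid_has_any = agentid_has_any,\n agentname_has_any = agentname_has_any,\n username_has_any = username_has_any,\n disabled = disabled,\n pack = pack\n)",
+"query": "let Parser = (\n starttime: datetime=datetime(null),\n endtime: datetime=datetime(null),\n agentid_has_any: dynamic=dynamic([]),\n agentname_has_any: dynamic=dynamic([]),\n username_has_any: dynamic=dynamic([]),\n disabled: bool=false,\n pack: bool=false\n)\n{\n BV_ClaudeCompliance_ComplianceActivities_CL\n | where not(disabled)\n | where (\n (isnull(starttime) or TimeGenerated >= starttime)\n and (isnull(endtime) or TimeGenerated <= endtime)\n // AgentID filtering done later in the parser\n // AgentName detail not available in this parser.\n // Username filtering done later in the parser\n )\n | where type_CF != 'compliance_api_accessed' //filter out API requests for logs\n | project-rename\n EventStartTime = created_at,\n EventUid = _ItemId,\n EventOriginalUid = id_CF,\n EventType = type_CF\n | extend\n EventSchema = 'AgentEvent',\n EventSchemaVersion = '0.1.0',\n EventCount = toint(1),\n EventVendor = 'Anthropic',\n EventProduct = 'Claude Enterprise',\n TargetAgentId = coalesce(claude_project_id, claude_chat_id, claude_file_id),\n EventEndTime = TimeGenerated\n | where ((array_length(agentid_has_any) == 0) or (TargetAgentId has_any (agentid_has_any)))\n | evaluate bag_unpack(actor)\n | project-rename\n ActorUserId = user_id,\n SrcIpAddr = ip_address\n | extend\n ActorUsername = coalesce(email_address, unauthenticated_email_address),\n ActorUsernameType = iff(isnotempty(coalesce(email_address, unauthenticated_email_address)), 'UPN', '')\n | where ((array_length(username_has_any) == 0) or (ActorUsername has_any (username_has_any)))\n | extend AdditionalFields = iff (\n pack,\n bag_pack(\n 'request_id', request_id,\n 'request_method', request_method,\n 'status_code', status_code,\n 'url', url,\n 'claude_chat_id', claude_chat_id,\n 'claude_file_id', claude_file_id,\n 'claude_project_id', claude_project_id,\n 'user_agent', user_agent,\n 'status_code', status_code\n ),\n dynamic({})\n )\n | project\n TimeGenerated,\n Type,\n EventStartTime,\n EventEndTime,\n EventUid,\n EventOriginalUid,\n EventType,\n EventSchema,\n EventSchemaVersion,\n EventCount,\n EventVendor,\n EventProduct,\n TargetAgentId,\n ActorUserId,\n SrcIpAddr,\n ActorUsername,\n ActorUsernameType,\n AdditionalFields,\n EventResult = case(\n status_code >= 200 and status_code < 300, 'Success',\n status_code >= 400 and status_code < 500, 'Failure',\n status_code >= 500, 'Failure',\n isempty(status_code), '',\n ''\n ),\n Dvc = SrcIpAddr\n};\nParser(\n starttime = starttime,\n endtime = endtime,\n agentid_has_any = agentid_has_any,\n agentname_has_any = agentname_has_any,\n username_has_any = username_has_any,\n disabled = disabled,\n pack = pack\n)",
 "version": 1,
 "functionParameters": "starttime:datetime=datetime(null),endtime:datetime=datetime(null),agentid_has_any:dynamic=dynamic([]),agentname_has_any:dynamic=dynamic([]),username_has_any:dynamic=dynamic([]),disabled:bool=False,pack:bool=False"
 }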

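--- a/Parsers/ASimAgentEvent/Parsers/ASimAgentEventAnthropicClaudeCompliance.yaml
+++ b/Parsers/ASimAgentEvent/Parsers/ASimAgentEventAnthropicClaudeCompliance.yaml
@@ -43,7 +43,7 @@ ParserQuery: |
 EventCount = toint(1),
 EventVendor = 'Anthropic',
 EventProduct = 'Claude Enterprise',
-TargetAgentId = coalesce(claude_project_id, claude_chat_id),
+TargetAgentId = coalesce(claude_project_id, claude_chat_id, claude_file_id),
 EventEndTime = TimeGenerated
 | evaluate bag_unpack(actor)
 | project-rename
@@ -62,7 +62,8 @@ ParserQuery: |
 'claude_chat_id', claude_chat_id,
 'claude_file_id', claude_file_id,
 'claude_project_id', claude_project_id,
-'user_agent', user_agent
+'user_agent', user_agent,
+'status_code', status_code
 ),
 dynamic({})
 )
@@ -85,7 +86,13 @@ ParserQuery: |
 ActorUsername,
 ActorUsernameType,
 AdditionalFields,
-EventResult = 'Success',
+EventResult = case(
+status_code >= 200 and status_code < 300, 'Success',
+status_code >= 400 and status_code < 500, 'Failure',
+status_code >= 500, 'Failure',
+isempty(status_code), '',
+''
+),
 Dvc = SrcIpAddr
 };
 Parser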

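--- a/Parsers/ASimAgentEvent/Parsers/vimAgentEventAnthropicClaudeCompliance.yaml
+++ b/Parsers/ASimAgentEvent/Parsers/vimAgentEventAnthropicClaudeCompliance.yaml
@@ -70,7 +70,7 @@ ParserQuery: |
 EventCount = toint(1),
 EventVendor = 'Anthropic',
 EventProduct = 'Claude Enterprise',
-TargetAgentId = coalesce(claude_project_id, claude_chat_id),
+TargetAgentId = coalesce(claude_project_id, claude_chat_id, claude_file_id),
 EventEndTime = TimeGenerated
 | where ((array_length(agentid_has_any) == 0) or (TargetAgentId has_any (agentid_has_any)))
 | evaluate bag_unpack(actor)
@@ -91,7 +91,8 @@ ParserQuery: |
 'claude_chat_id', claude_chat_id,
 'claude_file_id', claude_file_id,
 'claude_project_id', claude_project_id,
-'user_agent', user_agent
+'user_agent', user_agent,
+'status_code', status_code
 ),
 dynamic({})
 )
@@ -114,7 +115,13 @@ ParserQuery: |
 ActorUsername,
 ActorUsernameType,
 AdditionalFields,
-EventResult = 'Success',
+EventResult = case(
+status_code >= 200 and status_code < 300, 'Success',
+status_code >= 400 and status_code < 500, 'Failure',
+status_code >= 500, 'Failure',
+isempty(status_code), '',
+''
+),
 Dvc = SrcIpAddr
 };
 Parser(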
