[Google Threat Intelligence][ASIM] - ASIM Parser 'AlertEvent' for Relevance System Alerts #14420
devendra-chavda wants to merge 15 commits into
Conversation
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds initial ASIM AlertEvent parsers for Google Threat Intelligence (GTI) Relevance System Alerts and wires them into the ASIM/IM AlertEvent aggregators and changelogs.
Changes:
- Added GTI AlertEvent parser (ASimAlertEventGoogleThreatIntelligence) and filtering parser (vimAlertEventGoogleThreatIntelligence).
- Updated AlertEvent aggregators (ASimAlertEvent.yaml, imAlertEvent.yaml) and ASIM tester enumerations to include GTI.
- Added sample data and ASimTester output artifacts (schema/data tester CSVs) plus changelog entries.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| Sample Data/ASIM/GoogleThreatIntelligence_AlertEvent_IngestedLogs.csv | Adds GTI sample data intended for parser/test validation |
| Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_vimAlertEvent_ASimSchemaTester.csv | Adds schema tester output for filtering parser |
| Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_vimAlertEvent_ASimDataTester.csv | Adds data tester output for filtering parser |
| Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_ASimAlertEvent_ASimSchemaTester.csv | Adds schema tester output for ASIM parser |
| Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_ASimAlertEvent_ASimDataTester.csv | Adds data tester output for ASIM parser |
| Parsers/ASimAlertEvent/Parsers/vimAlertEventGoogleThreatIntelligence.yaml | New filtering parser implementation for GTI |
| Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml | Adds GTI filtering parser to IM aggregator; bumps version/date |
| Parsers/ASimAlertEvent/Parsers/ASimAlertEventGoogleThreatIntelligence.yaml | New ASIM parser implementation for GTI |
| Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml | Adds GTI ASIM parser to aggregator; bumps version/date |
| Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventGoogleThreatIntelligence.md | Changelog for new filtering parser |
| Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md | Changelog entry for IM aggregator update |
| Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventGoogleThreatIntelligence.md | Changelog for new ASIM parser |
| Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md | Changelog entry for ASIM aggregator update |
| ASIM/dev/ASimTester/ASimTester.csv | Updates AlertEvent enumerations to include GTI vendor/product |
Comments suppressed due to low confidence (1)
Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_ASimAlertEvent_ASimDataTester.csv:1
- These committed ASimDataTester results indicate the parser output violates the AlertEvent enumerations for EventProduct and EventVendor (100% invalid). Since this PR also updates ASIM/dev/ASimTester/ASimTester.csv to include these enumerations, re-run the ASIM tester and update the expected *ASimDataTester.csv outputs so they reflect passing validation (or, if the enumerations are intentionally different, align the parser constants and the enumerations list accordingly).
Hi @devendra-chavda,

Hi @devendra-chavda, KQLValidations is failing because we do not have a reference to the table: RelevanceSystemAlerts_CL

Hi @yummyblabla, @v-atulyadav, I have added the schema in .script/tests/KqlvalidationsTests/CustomTables for the KQLValidations failures. Let me know if anything else is required from our side, thanks.

Refer to the errors found in the ASim Template Validation check: https://github.com/Azure/Azure-Sentinel/actions/runs/27415299316/job/81027179210?pr=14420
For new parsers, you will need to reference your created parser in the unifying parsers, ASimAlertEvent.yaml and imAlertEvent.yaml, and update their versions + changelog.
yummyblabla left a comment
After applying fixes, please run the following:
Please run the script "DirectoryOfAzureSentinel\.script\kqlFuncYaml2Arm.ps1" in the root folder of the repo to have it generate the necessary ARM templates.
Change(s):
Added ASIM Alert Event Parser for Google Threat Intelligence
Reason for Change(s):
Initial version for ASIM Alert Event Parser
Testing Completed:
Yes
Checked that the validations are passing and have addressed any issues that are present:
Yes