
[Google Threat Intelligence][ASIM] - ASIM Parser 'AlertEvent' for Relevance System Alerts#14420

Open
devendra-chavda wants to merge 15 commits into Azure:master from devendra-chavda:GTI_asim_parser

Conversation

@devendra-chavda

Contributor

Change(s):
Added ASIM Alert Event Parser for Google Threat Intelligence

Reason for Change(s):
Initial version for ASIM Alert Event Parser

Testing Completed:
Yes

Checked that the validations are passing and have addressed any issues that are present:
Yes

@devendra-chavda devendra-chavda requested review from a team as code owners June 5, 2026 11:02
@v-atulyadav v-atulyadav added ASIM SafeToRun This is used only for ASim parsers Fork PR Pipeline run. labels Jun 5, 2026
@v-atulyadav v-atulyadav requested a review from Copilot June 5, 2026 11:05

Copilot AI left a comment

Contributor


Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Adds initial ASIM AlertEvent parsers for Google Threat Intelligence (GTI) Relevance System Alerts and wires them into the ASIM/IM AlertEvent aggregators and changelogs.

Changes:

  • Added GTI AlertEvent parser (ASimAlertEventGoogleThreatIntelligence) and filtering parser (vimAlertEventGoogleThreatIntelligence).
  • Updated AlertEvent aggregators (ASimAlertEvent.yaml, imAlertEvent.yaml) and ASIM tester enumerations to include GTI.
  • Added sample data and ASimTester output artifacts (schema/data tester CSVs) plus changelog entries.

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 5 comments.

Summary per file (file, then description):
Sample Data/ASIM/GoogleThreatIntelligence_AlertEvent_IngestedLogs.csv Adds GTI sample data intended for parser/test validation
Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_vimAlertEvent_ASimSchemaTester.csv Adds schema tester output for filtering parser
Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_vimAlertEvent_ASimDataTester.csv Adds data tester output for filtering parser
Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_ASimAlertEvent_ASimSchemaTester.csv Adds schema tester output for ASIM parser
Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_ASimAlertEvent_ASimDataTester.csv Adds data tester output for ASIM parser
Parsers/ASimAlertEvent/Parsers/vimAlertEventGoogleThreatIntelligence.yaml New filtering parser implementation for GTI
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml Adds GTI filtering parser to IM aggregator; bumps version/date
Parsers/ASimAlertEvent/Parsers/ASimAlertEventGoogleThreatIntelligence.yaml New ASIM parser implementation for GTI
Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml Adds GTI ASIM parser to aggregator; bumps version/date
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventGoogleThreatIntelligence.md Changelog for new filtering parser
Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md Changelog entry for IM aggregator update
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventGoogleThreatIntelligence.md Changelog for new ASIM parser
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md Changelog entry for ASIM aggregator update
ASIM/dev/ASimTester/ASimTester.csv Updates AlertEvent enumerations to include GTI vendor/product
Comments suppressed due to low confidence (1)

Parsers/ASimAlertEvent/Tests/GoogleThreatIntelligence_ASimAlertEvent_ASimDataTester.csv:1

  • These committed ASimDataTester results indicate the parser output violates the AlertEvent enumerations for EventProduct and EventVendor (100% invalid). Since this PR also updates ASIM/dev/ASimTester/ASimTester.csv to include these enumerations, re-run the ASIM tester and update the expected *ASimDataTester.csv outputs so they reflect passing validation (or, if the enumerations are intentionally different, align the parser constants and the enumerations list accordingly).

@v-atulyadav v-atulyadav removed the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Jun 5, 2026
@v-atulyadav v-atulyadav added the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Jun 8, 2026
@v-atulyadav v-atulyadav added SafeToRun This is used only for ASim parsers Fork PR Pipeline run. and removed SafeToRun This is used only for ASim parsers Fork PR Pipeline run. labels Jun 8, 2026
@v-atulyadav

Collaborator

Hi @devendra-chavda,
Please work on the failed validations. Thanks

@yummyblabla

Collaborator

Hi @devendra-chavda
I have made some changes and we have removed the usage of enumerations in EventVendor and EventProduct. You can safely remove your changes from ASimTester.csv.

KQLValidations is failing because we do not have a reference to the table: RelevanceSystemAlerts_CL
In .script/tests/KqlvalidationsTests/CustomTables, please add RelevanceSystemAlerts_CL with its schema so that we can run kql validations on your parser.

@devendra-chavda

Contributor Author

Hi @yummyblabla, @v-atulyadav,

I have added the schema in .script/tests/KqlvalidationsTests/CustomTables for the KQLValidations failures. Let me know if anything else is required from our side. Thanks.

@v-atulyadav v-atulyadav added SafeToRun This is used only for ASim parsers Fork PR Pipeline run. and removed SafeToRun This is used only for ASim parsers Fork PR Pipeline run. labels Jun 12, 2026
@v-atulyadav v-atulyadav removed the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Jun 12, 2026
@v-atulyadav v-atulyadav added the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Jun 12, 2026
@yummyblabla

Collaborator

Refer to errors found in the ASim Template Validation check https://github.com/Azure/Azure-Sentinel/actions/runs/27415299316/job/81027179210?pr=14420

For new parsers, you will need to reference your created parser in the unifying parsers, ASimAlertEvent.yaml and imAlertEvent.yaml, and update their versions and changelogs.

@v-atulyadav

Collaborator

Hi @devendra-chavda,
Please review the comments above from @yummyblabla and take the necessary actions. Thanks

@yummyblabla yummyblabla added SafeToRun This is used only for ASim parsers Fork PR Pipeline run. and removed SafeToRun This is used only for ASim parsers Fork PR Pipeline run. labels Jun 16, 2026

@yummyblabla yummyblabla left a comment

Collaborator


After applying fixes, please run the following:

Please run the script "DirectoryOfAzureSentinel.script\kqlFuncYaml2Arm.ps1" in the root folder of the repo to have it generate the necessary ARM templates.

@v-atulyadav

Collaborator

Hi @devendra-chavda,
Please review the comments above from @yummyblabla and take the necessary actions. Also, please resolve any branch conflicts. Thanks

@v-atulyadav

Collaborator

Hi @devendra-chavda,
Please review the comments from @yummyblabla above and take the necessary actions. Also, please resolve any branch conflicts and update the PR accordingly. Thanks

@v-atulyadav v-atulyadav removed the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Jun 25, 2026
@v-atulyadav

Collaborator

Hi @devendra-chavda,
Please review the comments from @yummyblabla above and address them accordingly. Also, resolve any branch conflicts and update the PR. Thanks!

@v-atulyadav

Collaborator

Hi @devendra-chavda,
Please review the comments from @yummyblabla above, address them accordingly, resolve any branch conflicts, and update the PR. Thanks

@v-atulyadav v-atulyadav added the SafeToRun This is used only for ASim parsers Fork PR Pipeline run. label Jul 3, 2026