diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
index 42a2840e415..74bed0da673 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
@@ -27,7 +27,7 @@
"displayName": "Authentication ASIM parser for Syslog sudo",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationSudo",
- "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n 
EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)",
+ "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'Linux',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n 
EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)",
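Review bot: The vendor change is applied to only one of the three branches: on the new side `EventVendor = 'Linux'` is set in SudoSignInAuthorized, while SudoAuthFailure1 and SudoDisconnect still carry `EventVendor = 'sudo'`, so the union emits mixed vendor values for the same source. Any detection or hunting query that filters on `EventVendor == 'Linux'` would see successful sudo elevations but silently drop the failed attempts and session-close events, which are the rows an analyst most needs; the two remaining assignments should be changed to `EventVendor = 'Linux'` as well. While touching these branches, the field `EventOriginalRestultDetails` (three occurrences) appears to be a typo for the ASIM field `EventOriginalResultDetails`, so the original result text is currently landing in an off-schema column; that is pre-existing, but worth fixing in the same pass. This JSON is presumably generated from the YAML parser, so the edits belong in the YAML and should be re-rendered here rather than patched by hand.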
"version": 1,
"functionParameters": "disabled:bool=False"
}
diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml
index 4a7795eb310..fb159aa1eb0 100644
--- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml
+++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml
@@ -1,7 +1,7 @@
Parser:
Title: Authentication ASIM parser for Syslog sudo
- Version: '0.1.2'
- LastUpdated: 21 Jul 2023
+ Version: '0.1.3'
+ LastUpdated: Jan 28, 2026
Product:
Name: sudo
Normalization:
@@ -31,7 +31,7 @@ ParserQuery: |
| parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')
| project-rename TargetUsername = USER
| extend
- EventVendor = 'sudo',
+ EventVendor = 'Linux',
EventProduct = 'sudo',
EventCount = int(1),
EventSchema = 'Authentication',
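Review bot: Only the SudoSignInAuthorized branch is updated to `EventVendor = 'Linux'` in this hunk; the other two branches of this parser (SudoAuthFailure1 and SudoDisconnect) lie outside the hunk, and the ARM rendering in the same commit shows they still emit `EventVendor = 'sudo'`. A partial rename leaves one parser producing two vendor values, which breaks vendor-scoped filters and any content that joins success, failure and logoff rows by vendor/product. The same one-line change, `EventVendor = 'Linux',`, should be applied in each of the remaining `extend` blocks, and the Version bump to 0.1.3 would then describe a consistent change. The enclosing ParserQuery continues past the end of this hunk.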