From 5b716ae9b251fb3408790e7a7ed5b68b8e3526fd Mon Sep 17 00:00:00 2001 From: Derrick Lee Date: Wed, 28 Jan 2026 16:19:50 -0800 Subject: [PATCH 1/2] EventVendor change --- .../ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json | 2 +- .../ARM/ASimAuthenticationSudo/CHANGELOG.md | 2 ++ .../ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml | 6 +++--- 3 files changed, 6 insertions(+), 4 deletions(-) create mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
index 42a2840e415..74bed0da673 100644
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
+++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
@@ -27,7 +27,7 @@ "displayName": "Authentication ASIM parser for Syslog sudo", "category": "ASIM", "FunctionAlias": "ASimAuthenticationSudo", - "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'sudo',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n 
EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", + "query": "let SudoSignInAuthorized=(disabled:bool=false){\nSyslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'TTY=' and \n SyslogMessage has 'USER=' and\n SyslogMessage has 'COMMAND='\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename TargetUsername = USER\n | extend\n EventVendor = 'Linux',\n EventProduct = 'sudo',\n EventCount = int(1),\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventResult = 'Success',\n EventStartTime = TimeGenerated,\n EventEndTime = TimeGenerated,\n EventType = 'Logon',\n DvcHostname = 
Computer,\n ActorUsernameType = 'Simple',\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n TargetUsernameType = 'Simple',\n EventResultDetails = 'Other',\n EventOriginalRestultDetails = 'Connection authorized'\n// ************************\n// \n// ************************\n | extend\n User = TargetUsername,\n Dvc = Computer\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoAuthFailure1=(disabled:bool=false){\nSyslog | where not(disabled)\n | where ProcessName == \"sudo\" and (SyslogMessage has 'user NOT in sudoers' or SyslogMessage has 'incorrect password attempts')\n | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=')\n | project-rename \n EventUid = _ItemId,\n TargetUsername = USER\n | extend\n ActorUsername = extract(@'^(.*?):', 1, SyslogMessage),\n ActorUsernameType = 'Simple',\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User authentication failed',\n EventProduct = 'sudo',\n EventResult = 'Failure',\n EventResultDetails = 'No such user or password',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = TimeGenerated,\n EventType = 'Logon',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n | project-away Computer, MG, SourceSystem, TenantId\n };\nlet SudoDisconnect=(disabled:bool=false){\n Syslog \n | where not(disabled)\n | where ProcessName == \"sudo\" and \n SyslogMessage has 'session closed for user '\n | parse SyslogMessage with * \"for user \" TargetUsername:string\n | extend\n DvcHostname = Computer,\n EventCount = int(1),\n EventEndTime = TimeGenerated,\n EventOriginalRestultDetails = 'User session closed',\n EventProduct = 'sudo',\n EventResult = 'Success',\n EventResultDetails = 'Other',\n EventSchema = 'Authentication',\n EventSchemaVersion = '0.1.1',\n EventStartTime = 
TimeGenerated,\n EventType = 'Logoff',\n EventVendor = 'sudo',\n TargetUsernameType = 'Simple'\n// ************************\n// \n// ************************\n| extend\n Dvc = Computer,\n User = TargetUsername\n// ************************\n// \n// ************************\n | project-away Computer, MG, SourceSystem, TenantId\n };\nunion isfuzzy=false \n SudoSignInAuthorized(disabled = disabled), \n SudoAuthFailure1(disabled = disabled), \n SudoDisconnect(disabled = disabled)", "version": 1, "functionParameters": "disabled:bool=False" } diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md new file mode 100644 index 00000000000..4a187b34302 --- /dev/null +++ b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md @@ -0,0 +1,2 @@ +### 0.1.3 +- Fix EventProduct to map to `Linux` for ASim* parser. vim* had correct value. \ No newline at end of file diff --git a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml index 4a7795eb310..fb159aa1eb0 100644 --- a/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml +++ b/Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml @@ -1,7 +1,7 @@ Parser: Title: Authentication ASIM parser for Syslog sudo - Version: '0.1.2' - LastUpdated: 21 Jul 2023 + Version: '0.1.3' + LastUpdated: Jan 28, 2026 Product: Name: sudo Normalization: @@ -31,7 +31,7 @@ ParserQuery: | | parse-kv SyslogMessage as (TTY: string, PWD: string, USER: string, COMMAND: string) with (pair_delimiter=' ', kv_delimiter='=') | project-rename TargetUsername = USER | extend - EventVendor = 'sudo', + EventVendor = 'Linux', EventProduct = 'sudo', EventCount = int(1), EventSchema = 'Authentication', From 4c0b55bd9f4f0311833f1b5039cbe4e8c837d3db Mon Sep 17 00:00:00 2001 
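Review bot: The `EventVendor = 'Linux'` change lands only in the SudoSignInAuthorized sub-parser; the regenerated ARM template in the same patch still shows `EventVendor = 'sudo'` in SudoAuthFailure1 and SudoDisconnect, so the `union` will emit two vendor values for one source and any rule or filter keyed on `EventVendor == 'Linux'` will silently drop the authentication-failure and logoff events, which are the ones a detection most cares about. Both of those blocks start outside this hunk; each needs the same one-line change, `EventVendor = 'Linux',`, and the YAML and ARM output should be regenerated together so they cannot drift. The template also spells the field `EventOriginalRestultDetails` in all three sub-parsers; if the intended ASIM column is `EventOriginalResultDetails` (it appears so, please confirm against the schema), that value never reaches the normalized column and the fix belongs in this version bump. The `LastUpdated` value switches format from `21 Jul 2023` to `Jan 28, 2026`; keep the existing form, `LastUpdated: 28 Jan 2026`, so the metadata stays consistent with the other parsers.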
From: "github-actions[bot]" <> Date: Thu, 29 Jan 2026 00:26:54 +0000 Subject: [PATCH 2/2] [ASIM Parsers] Generate deployable ARM templates from KQL function YAML files. --- .../ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md
diff --git a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md b/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md
deleted file mode 100644
index 4a187b34302..00000000000
--- a/Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/CHANGELOG.md
+++ /dev/null
@@ -1,2 +0,0 @@
-### 0.1.3
-- Fix EventProduct to map to `Linux` for ASim* parser. vim* had correct value.
\ No newline at end of file