Azure · dicolanl · Oct 8, 2024 · Oct 10, 2024
@@ -1,38 +1,38 @@
 id: 4677df99-9bff-4b87-a7b9-575091361d82
 Function:
   Title: Parser for ZNSegmentAudit
-  Version: '1.0.0'
-  LastUpdated: '2023-08-23'
+  Version: '1.0.1'
+  LastUpdated: '2024-10-08'
 Category: Microsoft Sentinel Parser
 FunctionName: ZNSegmentAudit
 FunctionAlias: ZNSegmentAudit
 FunctionQuery: |
     let AuditTypesTable = datatable(auditType_d: double, AuditType: string) [
         0, "Unspecified",
-        1, "Asset is being added to protection",
-        2, "Asset added to protection",
-        3, "Asset failed adding to protection",
-        4, "Asset is being removed from protection",
-        5, "Removed asset from protection",
-        6, "Failed removing asset from protection",
-        7, "Asset added to learning",
-        8, "Asset removed from learning",
-        9, "Access rule created",
-        10, "Access rule deleted",
-        11, "Access rule expired",
-        12, "Access rule edited",
-        17, "MFA access policy created",
-        18, "MFA access policy deleted",
-        19, "MFA access policy edited",
-        20, "JIT rule created",
-        21, "JIT rule deleted",
-        22, "JIT rule expired",
-        23, "JIT rule revived",
-        24, "JIT rule edited",
+        1, "Asset is being segmented (network)",
+        2, "Asset segmented (network)",
+        3, "Asset failed being segmented (network)",
+        4, "Asset is being unsegmented (network)",
+        5, "Asset unsegmented (network)",
+        6, "Asset failed being unsegmented (network)",
+        7, "Asset added to learning (network)",
+        8, "Asset removed from learning (network)",
+        9, "Inbound allow rule created",
+        10, "Inbound allow rule deleted",
+        11, "Inbound allow rule expired",
+        12, "Inbound allow rule edited",
+        17, "Inbound MFA policy created",
+        18, "Inbound MFA policy edited",
+        19, "Inbound MFA policy deleted",
+        20, "Inbound JIT rule created",
+        21, "Inbound JIT rule deleted",
+        22, "Inbound JIT rule expired",
+        23, "Inbound JIT rule revived",
+        24, "Inbound JIT rule edited",
         25, "API Token created",
         26, "API Token deleted",
         27, "API Token regenerated",
-        28, "Asset learning is extended",
+        28, "Asset segmentation date postponed (network)",
         29, "Outbound block rule created",
         30, "Outbound block rule deleted",
         31, "Outbound block rule expired",
@@ -41,24 +41,129 @@ FunctionQuery: |
         34, "Inbound block rule deleted",
         35, "Inbound block rule expired",
         36, "Inbound block rule edited",
-        37, "Inbound rule pseudo edited",
-        38, "Outbound rule pseudo edited"
+        39, "Asset unsegmented (network) (overriding policy)",
+        40, "Asset is being unsegmented (network) (overriding policy)",
+        41, "Asset removed from learning (network) (overriding policy)",
+        42, "Asset is being segmented (network) (policy)",
+        43, "Asset segmented (network) (policy)",
+        44, "Asset added to learning (network) (policy)",
+        45, "Segmentation policy created",
+        46, "Segmentation policy deleted",
+        47, "Segmentation policy edited",
+        48, "Inbound JIT access rejected",
+        49, "Inbound JIT fallback rule created",
+        50, "Inbound JIT fallback rule deleted",
+        51, "Inbound JIT fallback rule expired",
+        53, "Outbound allow rule created",
+        54, "Outbound allow rule deleted",
+        55, "Outbound allow rule expired",
+        56, "Outbound allow rule edited",
+        58, "Admin portal role changed to admin",
+        59, "Admin portal role changed to viewer",
+        60, "Admin portal role revoked",
+        61, "Outbound JIT rule created",
+        62, "Outbound JIT rule deleted",
+        63, "Outbound JIT rule expired",
+        64, "Outbound MFA policy created",
+        65, "Outbound MFA policy deleted",
+        66, "Outbound MFA policy edited",
+        67, "Outbound JIT access rejected",
+        68, "Asset learning is done (network)",
+        69, "Asset learning (policy) is done (network)",
+        70, "Manual Linux asset created",
+        71, "Manual OT/IoT asset created",
+        72, "Asset learning extended (network)",
+        73, "Admin portal logon",
+        74, "Asset manager added",
+        75, "Asset manager removed",
+        76, "Asset is monitored by Cloud connector",
+        77, "Asset is no longer monitored by Cloud connector",
+        78, "Asset is monitored by Segment server",
+        79, "Asset is back to learning (network)",
+        80, "Manual OT/IoT asset edited",
+        81, "Admin portal role changed to operator",
+        82, "Segment server deployed",
+        83, "AI inbound allow rule rejected",
+        84, "AI inbound block rule rejected",
+        85, "AI outbound allow rule rejected",
+        86, "AI outbound block rule rejected",
+        87, "AI inbound allow rule approved",
+        88, "AI inbound block rule approved",
+        89, "AI outbound allow rule approved",
+        90, "AI outbound block rule approved",
+        91, "AI inbound allow rule approved with changes",
+        92, "AI inbound block rule approved with changes",
+        93, "AI outbound allow rule approved with changes",
+        94, "AI outbound block rule approved with changes",
+        95, "Connect region created",
+        96, "Connect session created",
+        97, "Connect session expired",
+        98, "Connect session revoked",
+        99, "Connect session logged out",
+        100, "User access configuration created",
+        101, "User access configuration edited",
+        102, "User access configuration deleted",
+        103, "Connect server deployed",
+        104, "Connect asset created",
+        105, "Asset segmentation postponed (network) (pending review rules)",
+        106, "Connect region edited",
+        107, "Connect server edited",
+        108, "Asset is being segmented (identity)",
+        109, "Asset segmented (identity)",
+        110, "Asset is being unsegmented (identity)",
+        111, "Asset unsegmented (identity)",
+        112, "Identity rule created",
+        113, "Identity rule deleted",
+        114, "Identity rule expired",
+        115, "Identity rule edited",
+        116, "User segmented (identity)",
+        117, "User unsegmented (identity)",
+        118, "User added to learning (identity)",
+        119, "User removed from learning (identity)",
+        120, "Asset added to RPC monitoring",
+        121, "Asset removed from RPC monitoring",
+        122, "User classification changed",
+        123, "Connect session extended",
+        124, "Asset marked as inactive by repository (deleted)",
+        125, "Asset marked as active by repository",
+        126, "Asset marked as inactive by user",
+        127, "Asset marked as active by user",
+        128, "Break glass configuration activated",
+        129, "Break glass configuration deactivated",
+        130, "Asset marked as inactive by repository (disable)",
+        131, "Asset marked as active by repository (enable)",
+        132, "Break glass configuration activated (asset)",
+        133, "Break glass configuration deactivated (asset)",
+        134, "Asset is being segmented (RPC)",
+        135, "Asset segmented (RPC)",
+        136, "Asset is being unsegmented (RPC)",
+        137, "Asset unsegmented (RPC)",
+        138, "Rules RPC rule created",
+        139, "Rules RPC rule deleted",
+        140, "Rules RPC rule expired",
+        141, "Rules RPC rule edited"
     ];
     let EnforcementSourceTypeTable = datatable (enforcementSource_d: double, EnforcementSource: string) [
         1, "Reactive Policy",
         2, "Automated",
         3, "Access Portal",
         4, "Admin Portal",
         5, "AI",
-        6, "API"
+        6, "API",
+        7, "Setup"
     ];
     let UserRoleTypeTable = datatable (userRole_d: double, UserRole: string) [
         1, "Admin",
         2, "Viewer",
         3, "Regular",
         4, "API - Full Access",
         5, "API - Read Only",
-        6, "Self Service"
+        6, "Self Service",
+        7, "CloudConnectorProvisioning",
+        8, "JAMF Asset",
+        9, "Asset Manager",
+        10, "Operator",
+        11, "Service Now Token"
     ];
     union isfuzzy=true ZNSegmentAuditNativePoller_CL, ZNSegmentAudit_CL
     | project-away TimeGenerated