What Changed
Significant enhancements to the ASIM Authentication parser for Palo Alto Cortex Data Lake, addressing performance, schema compliance, and data fidelity issues.
Parser Impact
Field Mapping Corrections:
- Fixed EventStartTime to coalesce with TimeGenerated when the start field is empty
- Corrected TargetDvc → TargetDvcId alignment with ASIM schema
- Enhanced TargetUsername logic to prioritize PanOSAuthenticatedUserName over DestinationUserName
Performance Improvements:
- Replaced broad project-away with explicit project statement limiting output columns
- Added explicit Type = "CommonSecurityLog" for table identification
Schema Compliance:
- Added TargetDvcIdType field with proper "Other" classification
- Fixed TargetDomainType logic to reference TargetUsername instead of DestinationUserName
- Updated schema version to 0.2.0 reflecting significant improvements
Data Fidelity: EventStartTime fields that were previously empty when start was null now fall back to TimeGenerated, ensuring consistent timestamp availability for correlation queries.
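The mapping rules above, shown as an added KQL illustration over a constructed two-row sample; this is not the repository's parser, and the CommonSecurityLog column names (StartTime, DestinationUserName, DestinationHostName, AdditionalExtensions) and the regex used to pull PanOSAuthenticatedUserName out of AdditionalExtensions are assumptions:

```kql
// Constructed sample standing in for CommonSecurityLog rows; column names are assumptions.
// Row 1 has a start time and a PanOS user; row 2 has neither, so the fallbacks must fire.
let SampleCSL = datatable(
    TimeGenerated:datetime, StartTime:datetime, DeviceVendor:string, DeviceProduct:string,
    DestinationUserName:string, DestinationHostName:string, AdditionalExtensions:string)
[
    datetime(2024-01-01T10:00:00Z), datetime(2024-01-01T09:59:58Z), "Palo Alto Networks", "LF",
        "alice@corp.example", "vpn-gw-01", "PanOSAuthenticatedUserName=CORP\\alice;PanOSOther=x",
    datetime(2024-01-01T10:05:00Z), datetime(null), "Palo Alto Networks", "LF",
        "", "vpn-gw-02", ""
];
SampleCSL
| where DeviceVendor == "Palo Alto Networks" and DeviceProduct == "LF"
// Explicit table identification instead of relying on the source column set.
| extend Type = "CommonSecurityLog"
// Hypothetical extraction of the vendor field from AdditionalExtensions.
| extend PanOSAuthenticatedUserName = extract(@"PanOSAuthenticatedUserName=([^;]*)", 1, AdditionalExtensions)
// Data fidelity: never leave EventStartTime empty; fall back to TimeGenerated.
| extend EventStartTime = coalesce(StartTime, TimeGenerated)
// Prefer the authenticated user reported by PAN-OS over the CEF destination user.
| extend TargetUsername = iff(isnotempty(PanOSAuthenticatedUserName), PanOSAuthenticatedUserName, DestinationUserName)
// Domain type is derived from the final TargetUsername, not from DestinationUserName.
| extend TargetUsernameType = case(TargetUsername contains "@", "UPN",
                                   TargetUsername contains @"\", "Windows",
                                   isnotempty(TargetUsername), "Simple", "")
| extend TargetDomainType = case(TargetUsername contains "@", "FQDN",
                                 TargetUsername contains @"\", "Windows", "")
// Device identifier aligned to the ASIM field name, with its type classified as "Other".
| extend TargetDvcId = DestinationHostName, TargetDvcIdType = "Other"
// Explicit output column list in place of a broad project-away.
| project TimeGenerated, EventStartTime, Type, TargetUsername, TargetUsernameType,
          TargetDomainType, TargetDvcId, TargetDvcIdType
```

In the sample, row 1 yields TargetUsername "CORP\alice" with TargetDomainType "Windows", while row 2 yields EventStartTime equal to its TimeGenerated and an empty TargetUsername, which is the case the domain-type fix has to handle without error.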
Affected Files
Parsers/ASimAuthentication/ARM/ASimAuthenticationPaloAltoCortexDataLake/ASimAuthenticationPaloAltoCortexDataLake.json
Parsers/ASimAuthentication/ARM/vimAuthenticationPaloAltoCortexDataLake/vimAuthenticationPaloAltoCortexDataLake.json
Parsers/ASimAuthentication/Parsers/ASimAuthenticationPaloAltoCortexDataLake.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationPaloAltoCortexDataLake.yaml