What Changed

Major functionality expansion for ASIM Authentication parser covering Linux su (switch user) command events.

Parser Impact

Failed Authentication Coverage: Added support for "FAILED SU" events, closing a significant detection gap:

  • Previously only captured successful su events and logoffs
  • Now detects failed privilege escalation attempts (EventType = "Logon", EventResult = "Failure")

Event Classification Fix: Corrected successful su events from EventType = "Elevation" to EventType = "Logon", aligning with ASIM Authentication schema standards for user switching operations.

Enhanced Field Mapping:

  • Added TargetAppName = "su" for application-specific filtering
  • Added SrcIpAddr mapping to DvcIpAddr for source correlation
  • Improved prefilter logic to handle EventResult-based filtering

Schema Compliance: Updated EventSchemaVersion to 0.1.3 and set Type = "Syslog" explicitly for table identification.

Security Impact: Organizations can now detect both successful and failed privilege escalation attempts via su command — previously failed attempts were invisible, creating a blind spot for lateral movement detection.
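As an added illustration of the mapping described above (this is not the project's KQL parser and uses no data from it), the following Python normalizes constructed shadow-utils su syslog lines into the ASIM fields named in this change; the dvc_ip value and the eventresult filter argument are assumptions standing in for the SrcIpAddr/DvcIpAddr mapping and the EventResult-based prefilter.

```python
import re
from typing import Optional

# Constructed sample syslog lines in the shadow-utils su message format
# (not taken from the parser or its test data).
SAMPLE_LINES = [
    "Jun 10 12:00:01 host01 su[2041]: Successful su for root by alice",
    "Jun 10 12:00:09 host01 su[2077]: FAILED SU (to root) bob on /dev/pts/1",
    "Jun 10 12:00:12 host01 su[2078]: FAILED SU (to root) bob on /dev/pts/1",
    "Jun 10 12:00:15 host01 su[2041]: pam_unix(su:session): session closed for user root",
    "Jun 10 12:00:20 host01 sshd[2100]: Accepted publickey for alice from 10.0.0.9 port 5022",
]

# Syslog header restricted to the su process, then the three message shapes mapped here.
HOST_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) su\[\d+\]: (?P<msg>.*)$")
SUCCESS_RE = re.compile(r"^Successful su for (?P<target>\S+) by (?P<actor>\S+)$")
FAILED_RE = re.compile(r"^FAILED SU \(to (?P<target>\S+)\) (?P<actor>\S+) on (?P<tty>\S+)$")
LOGOFF_RE = re.compile(r"^pam_unix\(su:session\): session closed for user (?P<target>\S+)$")

def normalize_su_event(line: str, dvc_ip: str) -> Optional[dict]:
    """Map one su syslog line to ASIM Authentication fields; None if it is not an su event."""
    hdr = HOST_RE.match(line)
    if not hdr:
        return None  # prefilter: only the su process is in scope
    msg = hdr.group("msg")
    event = {
        "EventSchemaVersion": "0.1.3", "Type": "Syslog", "TargetAppName": "su",
        "Dvc": hdr.group("host"), "DvcIpAddr": dvc_ip,
        "SrcIpAddr": dvc_ip,  # su is local, so the source address is the device's own (assumed value)
    }
    if m := FAILED_RE.match(msg):  # the event class this change adds
        event.update(EventType="Logon", EventResult="Failure",
                     ActorUsername=m["actor"], TargetUsername=m["target"])
    elif m := SUCCESS_RE.match(msg):  # now "Logon", previously "Elevation"
        event.update(EventType="Logon", EventResult="Success",
                     ActorUsername=m["actor"], TargetUsername=m["target"])
    elif m := LOGOFF_RE.match(msg):
        event.update(EventType="Logoff", EventResult="Success", TargetUsername=m["target"])
    else:
        return None  # other su chatter (e.g. "session opened") is not an authentication event
    return event

def parse_su_log(lines, dvc_ip="10.0.0.5", eventresult="*"):
    """Normalize a batch; eventresult ('Success', 'Failure' or '*') is an assumed filter argument."""
    events = (normalize_su_event(line, dvc_ip) for line in lines)
    return [e for e in events if e and (eventresult == "*" or e["EventResult"] == eventresult)]

def failed_root_su_by_actor(lines, dvc_ip="10.0.0.5"):
    """Detection view: failed su-to-root attempts per actor, the events that were previously invisible."""
    counts = {}
    for e in parse_su_log(lines, dvc_ip, eventresult="Failure"):
        if e["TargetUsername"] == "root":
            counts[e["ActorUsername"]] = counts.get(e["ActorUsername"], 0) + 1
    return counts
```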

Affected Files

Parsers/ASimAuthentication/ARM/ASimAuthenticationSu/ASimAuthenticationSu.json
Parsers/ASimAuthentication/ARM/vimAuthenticationSu/vimAuthenticationSu.json
Parsers/ASimAuthentication/Parsers/ASimAuthenticationSu.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationSu.yaml