What Changed

The ASIM Authentication parser for OpenSSH SSHD was updated to fix parsing of “Invalid user” syslog messages where source IP addresses and port numbers are formatted inconsistently.

Parser Impact

The previous parsing logic failed when “Invalid user” log entries contained IP addresses without explicit port formatting. The fix introduces more robust parsing that handles both formats:

  • “Invalid user <username> from <ip> port <port>”
  • “Invalid user <username> from <ip>”

Both the ASimAuthenticationSshd and vimAuthenticationSshd parsers received identical parsing improvements so that the SrcIpAddr and SrcPortNumber fields are correctly extracted from these invalid-user authentication attempts, whether or not the message carries a port clause.
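The following is an added illustration of the parsing problem described above, written in Python rather than KQL; it is not the parser code from the repository. It places a naive pattern, which requires the "port <port>" clause and therefore drops the source IP on the shorter message form, beside a pattern that treats the port clause as optional, and runs both over constructed sshd syslog lines. The field names SrcUsername, SrcIpAddr, SrcPortNumber and EventResult are borrowed from ASIM naming; the sample lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample syslog lines (not taken from the page or from any real host).
# Lines 1 and 3 use the "port <port>" form, line 2 omits the port, line 4 is unrelated.
SAMPLE_LINES = [
    "Jan 10 12:00:01 host sshd[1234]: Invalid user admin from 192.0.2.10 port 54321",
    "Jan 10 12:00:02 host sshd[1235]: Invalid user test from 198.51.100.7",
    "Jan 10 12:00:03 host sshd[1236]: Invalid user oracle from 2001:db8::1 port 40000",
    "Jan 10 12:00:04 host sshd[1237]: Accepted publickey for alice from 203.0.113.5 port 2222 ssh2",
    "Jan 10 12:00:05 host sshd[1238]: Invalid user admin from 192.0.2.10 port 54322",
]

# Naive pattern: assumes every "Invalid user" line ends with "port <n>".
# On the shorter message form it does not match at all, so SrcIpAddr is lost.
_NAIVE = re.compile(
    r"Invalid user (?P<user>\S*) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Robust pattern: the port clause is optional and the address is limited to
# IPv4/IPv6 characters so a trailing token is never swallowed into the IP.
_ROBUST = re.compile(
    r"Invalid user (?P<user>\S*) from (?P<ip>[0-9A-Fa-f:.]+)(?: port (?P<port>\d+))?"
)


def _to_event(m: "re.Match") -> Dict[str, object]:
    """Map regex groups onto ASIM-style field names (names assumed for the example)."""
    port = m.group("port")
    return {
        "SrcUsername": m.group("user"),
        "SrcIpAddr": m.group("ip"),
        "SrcPortNumber": int(port) if port is not None else None,
        "EventResult": "Failure",
    }


def parse_invalid_user_naive(line: str) -> Optional[Dict[str, object]]:
    """The pre-fix behaviour: returns None when the port clause is absent."""
    m = _NAIVE.search(line)
    return _to_event(m) if m else None


def parse_invalid_user(line: str) -> Optional[Dict[str, object]]:
    """The fixed behaviour: extracts the IP on both message forms, port when present."""
    m = _ROBUST.search(line)
    return _to_event(m) if m else None


def parse_lines(lines: List[str], parser=parse_invalid_user) -> List[Dict[str, object]]:
    """Run a parser over raw syslog lines, keeping only the invalid-user events."""
    events = []
    for line in lines:
        event = parser(line)
        if event is not None:
            events.append(event)
    return events


def failures_by_source(events: List[Dict[str, object]]) -> Counter:
    """Count invalid-user attempts per source IP, the basis of a brute-force query.
    A parser that drops SrcIpAddr on one message form undercounts here."""
    return Counter(e["SrcIpAddr"] for e in events if e["SrcIpAddr"])


if __name__ == "__main__":
    print("naive :", failures_by_source(parse_lines(SAMPLE_LINES, parse_invalid_user_naive)))
    print("robust:", failures_by_source(parse_lines(SAMPLE_LINES)))
```

Running the block shows the visibility gap the fix closes: the naive parser never sees the attempt from 198.51.100.7, so any per-source threshold query built on it undercounts, while the robust parser attributes all four invalid-user attempts and leaves SrcPortNumber empty only where the log genuinely carries no port.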

Security Impact (Visibility & Fidelity)

Deployments using these ASIM parsers against OpenSSH logs previously had incomplete source IP extraction for certain “Invalid user” authentication failures. This fix ensures consistent population of source IP fields across all invalid user attempts, improving detection fidelity for brute force and reconnaissance queries.

Affected Files

Parsers/ASimAuthentication/ARM/ASimAuthenticationSshd/ASimAuthenticationSshd.json
Parsers/ASimAuthentication/ARM/vimAuthenticationSshd/vimAuthenticationSshd.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSshd.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSshd.md
Parsers/ASimAuthentication/Parsers/ASimAuthenticationSshd.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationSshd.yaml