ASIM Sudo Authentication Parser: Schema Version 0.1.4 Compliance and Field Mapping Enhancements

What Changed

The ASIM sudo authentication parsers (both ASimAuthenticationSudo and vimAuthenticationSudo) received major updates to align with Authentication schema version 0.1.4, including comprehensive field mapping improvements and code refactoring.

Parser Impact

Key enhancements include:

• Schema version updated from 0.1.1 to 0.1.4
• Added SeverityLevel normalization to EventSeverity using lookup table
• Improved field mappings: HostIP → SrcIpAddr, ProcessName → TargetAppName/ActingAppName
• Added ProcessID → ActingAppId mapping
• Corrected EventProduct from “sudo” to “Linux”
• Added alias fields: Src, Dvc, IpAddr for better query compatibility
• Removed unnormalized columns and code duplication

Security Impact (Visibility & Fidelity)

The updates ensure consistent data normalization across sudo authentication events, improving:

• Cross-parser query compatibility through standardized field mappings
• Severity-based alerting and filtering capabilities via EventSeverity normalization
• Enhanced correlation potential with proper source IP and application mappings
• Better performance through reduced code duplication and improved filtering

Organizations using ASIM-based detection rules for privilege escalation monitoring will benefit from more complete and consistent field population across sudo authentication events.

Affected Files

Parsers/ASimAuthentication/ARM/ASimAuthenticationSudo/ASimAuthenticationSudo.json
Parsers/ASimAuthentication/ARM/vimAuthenticationSudo/vimAuthenticationSudo.json
Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationSudo.md
Parsers/ASimAuthentication/CHANGELOG/vimAuthenticationSudo.md
Parsers/ASimAuthentication/Parsers/ASimAuthenticationSudo.yaml
Parsers/ASimAuthentication/Parsers/vimAuthenticationSudo.yaml