ASIM AuditEvent Parser: Azure SQL Security Audit Data Normalized for Detection

What Changed

Added two new ASIM AuditEvent parsers for Azure SQL Security Audit logs:

ASimAuditEventSQLSecurityAudit: Full normalization parser
vimAuditEventSQLSecurityAudit: Filtering-enabled parser with parameter support

Both parsers normalize events from SQLSecurityAuditEvents table and AzureDiagnostics table (Category: SQLSecurityAuditEvents) to the ASIM AuditEvent schema v0.1.2.

Parser Impact

The parsers map SQL audit actions to ASIM EventType values:

SQL DML operations (SELECT, INSERT, UPDATE, DELETE) → Read/Create/Set/Delete
DDL operations (CREATE, ALTER, DROP) → Create/Set/Delete
Permission operations (GRANT, DENY, REVOKE) → Set
Session events (LOGIN, LOGOUT) → Execute

Key normalized fields include:

ActorUsername: ServerPrincipalName (SQL principal executing the action)
SrcIpAddr: ClientIp (source of SQL connection)
Object: ObjectName (SQL object being accessed)
TargetAppName: LogicalServerName/DatabaseName format
EventResult: Success/Failure based on SQL audit outcome

The pack parameter enables detailed SQL context in AdditionalFields (Statement, SchemaName, DurationMs, AffectedRows, etc.).

Detection Surface Unlocked

This enables source-agnostic detection of:

Privilege escalation attempts via SQL permission changes
Suspicious data access patterns across SQL databases
Failed authentication events to SQL servers
Schema modification tracking for compliance
Cross-database query analysis using normalized field names

Affected Files

.script/tests/KqlvalidationsTests/CustomTables/AzureDiagnostics.json
.script/tests/KqlvalidationsTests/CustomTables/SQLSecurityAuditEvents.json
ASIM/dev/ASimTester/ASimTester.csv
Parsers/ASimAuditEvent/ARM/ASimAuditEvent/ASimAuditEvent.json
Parsers/ASimAuditEvent/ARM/ASimAuditEventSQLSecurityAudit/ASimAuditEventSQLSecurityAudit.json
Parsers/ASimAuditEvent/ARM/ASimAuditEventSQLSecurityAudit/README.md
Parsers/ASimAuditEvent/ARM/FullDeploymentAuditEvent.json
Parsers/ASimAuditEvent/ARM/imAuditEvent/imAuditEvent.json
Parsers/ASimAuditEvent/ARM/vimAuditEventSQLSecurityAudit/README.md
Parsers/ASimAuditEvent/ARM/vimAuditEventSQLSecurityAudit/vimAuditEventSQLSecurityAudit.json
Parsers/ASimAuditEvent/CHANGELOG/ASimAuditEvent.md
Parsers/ASimAuditEvent/CHANGELOG/ASimAuditEventSQLSecurityAudit.md
Parsers/ASimAuditEvent/CHANGELOG/imAuditEvent.md
Parsers/ASimAuditEvent/CHANGELOG/vimAuditEventSQLSecurityAudit.md
Parsers/ASimAuditEvent/Parsers/ASimAuditEvent.yaml
Parsers/ASimAuditEvent/Parsers/ASimAuditEventSQLSecurityAudit.yaml
Parsers/ASimAuditEvent/Parsers/imAuditEvent.yaml
Parsers/ASimAuditEvent/Parsers/vimAuditEventSQLSecurityAudit.yaml

What Changed#

Parser Impact#

Detection Surface Unlocked#

Affected Files#

What Changed

Parser Impact

Detection Surface Unlocked

Affected Files