ASIM Process Event Parsers: Parameter Standardization Fixes Filtering Logic Inconsistencies

What Changed

ASIM Process Event parsers updated parameter names to align with official Microsoft Sentinel documentation. The correction affects 9 parser functions and their ARM deployment templates across multiple data sources including Linux Sysmon, MD4IoT, and Microsoft Security Events.

Parser Impact

Parameter name standardization from legacy names to documented standard:

• targetusername → targetusername_has
• actorusername → actorusername_has
• dvcname_has_any → dvchostname_has_any

No change to normalized field names or core filter logic — safe for existing detections using these parsers. This is a parameter interface consistency fix, not a data fidelity change. Queries calling these parsers with the old parameter names may need updating to match the corrected interface.

The fix ensures all ASIM Process Event parsers (imProcessCreate, imProcessEvent, imProcessTerminate) and their vendor-specific implementations follow the same parameter naming convention as documented at https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event#filtering-parser-parameters.

Affected Files

Parsers/ASimProcessEvent/ARM/imProcessCreate/imProcessCreate.json
Parsers/ASimProcessEvent/ARM/imProcessEvent/imProcessEvent.json
Parsers/ASimProcessEvent/ARM/imProcessTerminate/imProcessTerminate.json
Parsers/ASimProcessEvent/ARM/vimProcessCreateLinuxSysmon/vimProcessCreateLinuxSysmon.json
Parsers/ASimProcessEvent/ARM/vimProcessCreateMD4IoT/vimProcessCreateMD4IoT.json
Parsers/ASimProcessEvent/ARM/vimProcessEventMD4IoT/vimProcessEventMD4IoT.json
Parsers/ASimProcessEvent/ARM/vimProcessTerminateLinuxSysmon/vimProcessTerminateLinuxSysmon.json
Parsers/ASimProcessEvent/ARM/vimProcessTerminateMD4IoT/vimProcessTerminateMD4IoT.json
Parsers/ASimProcessEvent/ARM/vimProcessTerminateMicrosoftSecurityEvents/vimProcessTerminateMicrosoftSecurityEvents.json
Parsers/ASimProcessEvent/Parsers/imProcessCreate.yaml
Parsers/ASimProcessEvent/Parsers/imProcessEvent.yaml
Parsers/ASimProcessEvent/Parsers/imProcessTerminate.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessCreateLinuxSysmon.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessCreateMD4IoT.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessEventMD4IoT.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessTerminateLinuxSysmon.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessTerminateMD4IoT.yaml
Parsers/ASimProcessEvent/Parsers/vimProcessTerminateMicrosoftSecurityEvents.yaml