2 changes: 1 addition & 1 deletion ASIM/dev/ASimTester/ASimTester.csv
Expand Up @@ -722,7 +722,7 @@ EventOwner,string,Optional,UserManagement,,,,,
EventOwner,string,Optional,WebSession,,,,,
EventProduct,string,Mandatory,AlertEvent,Enumerated,Defender XDR|Singularity,,,
EventProduct,string,Mandatory,AuditEvent,Enumerated,Azure|WAF|Security Events|Exchange 365|Dataminr Pulse|ISE|XDR|Meraki|FalconHost|SentinelOne|Carbon Black Cloud|BloxOne|Core|Azure Key Vault|SQL Audit Logs,,,
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace|Core|Fortigate,,,
EventProduct,string,Mandatory,Authentication,Enumerated,Service Cloud|Auth0|CloudTrail|AAD|ASA|Microsoft Defender for IoT|ISE|M365 Defender for Endpoint|Meraki|Security Events|Okta|PostgreSQL|OpenSSH|su|sudo|Vectra XDR|SentinelOne|WAF|FalconHost|Carbon Black Cloud|Cortex Data Lake|Workspace|Core|Fortigate|ESXi,,,
EventProduct,string,Mandatory,Common,,,,,
EventProduct,string,Mandatory,DhcpEvent,,BloxOne,,,
EventProduct,string,Mandatory,Dns,Enumerated,Umbrella|Azure Firewall|DNS Server|Sysmon|Sysmon for Linux|ZIA DNS|NIOS|Cloud DNS|Zeek|Vectra Stream|SentinelOne|FortiGate|BloxOne,,,
Expand Up @@ -27,9 +27,9 @@
"displayName": "Authentication ASIM parser",
"category": "ASIM",
"FunctionAlias": "ASimAuthentication",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) 
)),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) ))\n",
"query": "let DisabledParsers=materialize(_GetWatchlist('ASimDisabledParsers') | where SearchKey in ('Any', 'ExcludeASimAuthentication') | extend SourceSpecificParser=column_ifexists('SourceSpecificParser','') | distinct SourceSpecificParser);\nlet ASimAuthenticationDisabled=toscalar('ExcludeASimAuthentication' in (DisabledParsers) or 'Any' in (DisabledParsers)); \nunion isfuzzy=true\n vimAuthenticationEmpty, \n ASimAuthenticationAADManagedIdentitySignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADManagedIdentitySignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADNonInteractiveUserSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADNonInteractiveUserSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAADServicePrincipalSignInLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAADServicePrincipalSignInLogs' in (DisabledParsers) )),\n ASimAuthenticationAWSCloudTrail (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationAWSCloudTrail' in (DisabledParsers) )),\n ASimAuthenticationBarracudaWAF (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationBarracudaWAF' in (DisabledParsers) )),\n ASimAuthenticationCiscoASA (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoASA' in (DisabledParsers) )), \n ASimAuthenticationCiscoISE (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoISE' in (DisabledParsers) )),\n ASimAuthenticationCiscoMeraki (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMeraki' in (DisabledParsers) )),\n ASimAuthenticationCiscoMerakiSyslog (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCiscoMerakiSyslog' in (DisabledParsers) )),\n ASimAuthenticationFortinetFortigate (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationFortigate' in (DisabledParsers) )),\n ASimAuthenticationM365Defender (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationM365Defender' in (DisabledParsers) )),\n ASimAuthenticationMD4IoT (ASimAuthenticationDisabled 
or ('ExcludeASimAuthenticationMD4IoT' in (DisabledParsers) )),\n ASimAuthenticationMicrosoftWindowsEvent (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationMicrosoftWindowsEvent' in (DisabledParsers) )),\n ASimAuthenticationOktaSSO (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSSO' in (DisabledParsers) )),\n ASimAuthenticationOktaV2(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaV2' in (DisabledParsers) )),\n ASimAuthenticationOktaSystemLogs(ASimAuthenticationDisabled or ('ExcludeASimAuthenticationOktaSystemLogs' in (DisabledParsers) )),\n ASimAuthenticationPostgreSQL (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPostgreSQL' in (DisabledParsers) )),\n ASimAuthenticationSigninLogs (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSigninLogs' in (DisabledParsers) )),\n ASimAuthenticationSshd (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSshd' in (DisabledParsers) )),\n ASimAuthenticationSu (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSu' in (DisabledParsers) )),\n ASimAuthenticationSudo (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSudo' in (DisabledParsers) )),\n ASimAuthenticationSalesforceSC (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSalesforceSC' in (DisabledParsers) )),\n ASimAuthenticationVectraXDRAudit (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVectraXDRAudit' in (DisabledParsers) )),\n ASimAuthenticationSentinelOne (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationSentinelOne' in (DisabledParsers) )),\n ASimAuthenticationGoogleWorkspace (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationGoogleWorkspace' in (DisabledParsers) )),\n ASimAuthenticationPaloAltoCortexDataLake (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationPaloAltoCortexDataLake' in (DisabledParsers) )),\n ASimAuthenticationVMwareCarbonBlackCloud (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareCarbonBlackCloud' in (DisabledParsers) 
)),\n ASimAuthenticationCrowdStrikeFalconHost (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationCrowdStrikeFalcon' in (DisabledParsers) )),\n ASimAuthenticationIllumioSaaSCore (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationIllumioSaaS' in (DisabledParsers) )),\n ASimAuthenticationNative (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationNative' in (DisabledParsers) )),\n ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers), pack=pack ))\n",
"version": 1,
"functionParameters": "disabled:bool=False"
"functionParameters": "pack:bool=False"
}
}
]
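Review bot: In the new `query` value the `pack=pack` argument of the `ASimAuthenticationVMwareESXi` call is placed inside the parenthesised `or` operand, `('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers), pack=pack ))`, so the parentheses balance but the comma sits in the wrong scope and the union will not parse. It should read `ASimAuthenticationVMwareESXi (ASimAuthenticationDisabled or ('ExcludeASimAuthenticationVMwareESXi' in (DisabledParsers) ), pack=pack)`, matching the call shape of the other branches. The `functionParameters` line also swaps `disabled:bool=False` for `pack:bool=False`; if the intent was to add `pack` rather than drop `disabled`, `"disabled:bool=False,pack:bool=False"` keeps any existing caller that passes `disabled` working. The saved-search resource wrapping this property starts before and ends after the hunk.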
@@ -0,0 +1,36 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"Workspace": {
"type": "string",
"metadata": {
"description": "The Microsoft Sentinel workspace into which the function will be deployed. Has to be in the selected Resource Group."
}
},
"WorkspaceRegion": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "The region of the selected workspace. The default value will use the Region selection above."
}
}
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('Workspace'), '/ASimAuthenticationVMwareESXi')]",
"location": "[parameters('WorkspaceRegion')]",
"properties": {
"etag": "*",
"displayName": "Authentication ASIM parser for VMware ESXi",
"category": "ASIM",
"FunctionAlias": "ASimAuthenticationVMwareESXi",
"query": "let parser = (disabled: bool=false, pack: bool=false)\n{\n let DCUIEvents = (\n Syslog\n | where not(disabled)\n | where ProcessName == \"DCUI\"\n | where SyslogMessage has_any (\"logged in\", \"logged out\") or SyslogMessage has_all (\"Authentication of user\", \"failed\")\n | extend\n TargetUsername = extract(@\"[Uu]ser (\\S+)\", 1, SyslogMessage),\n EventType = case(SyslogMessage has \"logged out\", \"Logoff\", \"Logon\"),\n EventResult = case(\n SyslogMessage has_any (\"logged in\", \"logged out\", \"succeeded\"), \"Success\",\n SyslogMessage has \"failed\", \"Failure\",\n \"\"\n ),\n EventResultDetails = iff(SyslogMessage has \"time out\", \"Session timeout\", \"\"),\n EventSubType = \"Interactive\",\n LogonMethod = \"Username & Password\"\n | where isnotempty(TargetUsername)\n );\n let HostdEvents = (\n Syslog\n | where not(disabled)\n | where ProcessName == \"Hostd\"\n | where SyslogMessage has_any (\"Accepted password\", \"Rejected password\", \"Cannot login\")\n | extend\n TargetUsername = coalesce(\n extract(@\"for user (\\S+) from\", 1, SyslogMessage),\n extract(@\"Cannot login user (\\S+)@\", 1, SyslogMessage),\n extract(@\"Cannot login (\\S+)@\", 1, SyslogMessage)\n ),\n SrcIpAddr = coalesce(\n extract(@\"for user \\S+ from ([\\d.]+)\", 1, SyslogMessage),\n extract(@\"Cannot login user \\S+@([\\d.]+)\", 1, SyslogMessage),\n extract(@\"Cannot login \\S+@([\\d.]+)\", 1, SyslogMessage)\n ),\n EventResult = case(\n SyslogMessage has \"Accepted password\", \"Success\",\n SyslogMessage has_any (\"Rejected password\", \"Cannot login\"), \"Failure\",\n \"\"\n ),\n EventType = \"Logon\",\n EventSubType = \"Remote\",\n EventResultDetails = extract(@\"@[\\d.]+: (.+)$\", 1, SyslogMessage),\n TargetSessionId = extract(@\"session=(\\S+)\", 1, SyslogMessage),\n OperationId = extract(@\"opID=([^\\s\\]]+)\", 1, SyslogMessage),\n SessionIdShort = extract(@\"sid=([a-f0-9]+)\", 1, SyslogMessage)\n | where isnotempty(TargetUsername)\n // Hostd double-logs each 
auth failure: once as \"Rejected password\" (PAM) and once as \"Cannot login\" (Event Manager), typically within 35-300ms of each other.\n // A 1-second deduplication window collapses these into a single event. The window is intentionally conservative relative to observed duplicate gaps (<100ms).\n | summarize arg_min(TimeGenerated, *) by TargetUsername, SrcIpAddr, EventResult, Computer, bin(TimeGenerated, 1s)\n | project-away TimeGenerated1\n );\n union DCUIEvents, HostdEvents\n | invoke _ASIM_ResolveDvcFQDN(\"Computer\")\n | extend\n EventCount = int(1),\n EventStartTime = coalesce(EventTime, TimeGenerated),\n EventEndTime = coalesce(EventTime, TimeGenerated),\n EventVendor = \"VMware\",\n EventProduct = \"ESXi\",\n EventSchema = \"Authentication\",\n EventSchemaVersion = \"0.1.4\",\n TargetUsernameType = \"Simple\",\n DvcIpAddr = iif(HostIP != \"Unknown IP\", tostring(HostIP), dynamic(null)),\n DvcOs = \"VMkernel\",\n TargetHostname = DvcHostname\n | extend\n AdditionalFields = iif(\n pack,\n bag_pack(\n 'OperationId', OperationId,\n 'SessionIdShort', SessionIdShort\n ),\n dynamic(null)\n )\n | extend\n User = TargetUsername,\n Dvc = DvcHostname,\n IpAddr = SrcIpAddr,\n Src = SrcIpAddr\n | project\n TimeGenerated,\n _ResourceId,\n Type,\n EventCount,\n EventStartTime,\n EventEndTime,\n EventType,\n EventSubType,\n EventResult,\n EventResultDetails,\n //EventSeverity,\n EventVendor,\n EventProduct,\n //EventProductVersion,\n EventSchema,\n EventSchemaVersion,\n DvcHostname,\n DvcIpAddr,\n DvcOs,\n DvcDomain,\n DvcDomainType,\n DvcFQDN,\n //DvcId,\n //DvcIdType,\n SrcIpAddr,\n //SrcHostname,\n TargetUsername,\n TargetUsernameType,\n //TargetUserType,\n //TargetUserDomain,\n TargetHostname,\n TargetSessionId,\n LogonMethod,\n //LogonProtocol,\n AdditionalFields,\n User,\n Dvc,\n IpAddr,\n Src\n};\nparser(disabled = disabled, pack = pack)",
"version": 1,
"functionParameters": "disabled:bool=False,pack:bool=False"
}
}
]
}
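Review bot: The Hostd branch's `summarize arg_min(TimeGenerated, *) by TargetUsername, SrcIpAddr, EventResult, Computer, bin(TimeGenerated, 1s)` collapses every failure for the same user and source within a one-second bucket into one row, and the later `EventCount = int(1)` then reports it as a single attempt, so a rapid burst of distinct password failures is undercounted, while two lines of one double-logged attempt that straddle a bin boundary are not collapsed at all. If the PAM and Event Manager lines of a single attempt share `OperationId` or `TargetSessionId`, keying the dedup on that instead of the time bucket would be more precise; this needs confirming against sample logs before changing. The `SrcIpAddr` extractions match only `([\d.]+)`, so an IPv6 client leaves `SrcIpAddr` empty and all such failures in a bucket fall into one group. A comment above the `project-away TimeGenerated1` stating which `TimeGenerated` survives the summarize (the second-truncated bin key, if KQL resolves the name clash that way) would help readers of `EventStartTime`/`EventEndTime`, since sub-second precision is presumably lost there.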
@@ -0,0 +1,21 @@
# VMware ESXi ASIM Authentication Normalization Parser

ARM template for ASIM Authentication schema parser for VMware ESXi.

This ASIM parser supports normalizing VMware ESXi Syslog to the ASIM Authentication schema.


The Advanced Security Information Model (ASIM) enables you to use and create source-agnostic content, simplifying your analysis of the data in your Microsoft Sentinel workspace.

For more information, see:

- [Normalization and the Advanced Security Information Model (ASIM)](https://aka.ms/AboutASIM)
- [Deploy all of ASIM](https://aka.ms/DeployASIM)
- [ASIM Authentication normalization schema reference](https://aka.ms/ASimAuthenticationDoc)

For the changelog, see:
- [CHANGELOG](https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/CHANGELOG/ASimAuthenticationVMwareESXi.md)

<br>

[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVMwareESXi%2FASimAuthenticationVMwareESXi.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FASimAuthenticationVMwareESXi%2FASimAuthenticationVMwareESXi.json)
Expand Up @@ -618,6 +618,26 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedASimAuthenticationVMwareESXi",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/ASimAuthenticationVMwareESXi/ASimAuthenticationVMwareESXi.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
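Review bot: The `templateLink.uri` for `linkedASimAuthenticationVMwareESXi` fetches the child template from the `master` branch at deployment time, so what is deployed is whatever that path holds when the deployment runs rather than a pinned revision; the same applies to `linkedvimAuthenticationVMwareESXi` in the second hunk. This matches the surrounding linked deployments, so any change would be a repository-wide decision, but it is worth a short comment or changelog line that the aggregate template tracks the branch head. The `contentVersion` of `1.0.0.0` only requires the fetched template to declare the same version string and does not pin its content. The enclosing `resources` array starts and ends outside the hunk.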
Expand Down Expand Up @@ -1258,6 +1278,26 @@
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "linkedvimAuthenticationVMwareESXi",
"properties": {
"mode": "Incremental",
"templateLink": {
"uri": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/ASimAuthentication/ARM/vimAuthenticationVMwareESXi/vimAuthenticationVMwareESXi.json",
"contentVersion": "1.0.0.0"
},
"parameters": {
"Workspace": {
"value": "[parameters('Workspace')]"
},
"WorkspaceRegion": {
"value": "[parameters('WorkspaceRegion')]"
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",